Question 124 of 2,015
ACLs and CoPP · easy · Multiple Choice · Objective-mapped

Quick Answer

The answer is that the ACL is most likely applied outbound on the interface, not inbound. When an ACL is applied inbound, it filters traffic as it enters the interface, meaning any packet arriving from subnet 10.1.1.0/24 is evaluated against the permit and deny statements before being routed. Since the configured ACL only permits HTTP (TCP port 80) and denies everything else, inbound application should block ICMP ping traffic. However, if the ACL is applied outbound, it only filters traffic leaving the interface, so ping packets from 10.1.1.0/24 would be routed normally and only filtered when exiting toward 10.2.2.0/24, which explains why they still reach their destination. On the ENCOR 350-401 exam, this tests your understanding of ACL application direction—a common trap where engineers misapply the ACL to the wrong interface side. A reliable memory tip is “inbound inspects arrivals, outbound checks departures”; always verify the direction relative to the traffic source.
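The direction rule above can be checked with a small model. This is an added example, not Courseiva's or Cisco's code: it parses a small subset of extended-ACL syntax, applies first-match evaluation with the implicit deny, and runs only the ACL hooks that lie on a packet's path. The interface names Gi0/0 (facing 10.1.1.0/24) and Gi0/1 (facing 10.2.2.0/24) and the sample packets are assumptions, and only the forward path from 10.1.1.0/24 is modelled.

```python
import ipaddress

# Constructed model of the question's ACL, in a small subset of IOS syntax.
ACL = ["permit tcp 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 eq 80",
       "deny ip any any"]

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tok.pop(0)), 0
    return _ip(first), _ip(tok.pop(0))

def parse(line):
    tok = line.split()
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = _addr(tok), _addr(tok)
    port = int(tok[1]) if tok[:1] == ["eq"] else None
    return action, proto, src, dst, port

def _hit(ip, spec):
    base, wild = spec            # wildcard bits set to 1 are "don't care"
    return (_ip(ip) | wild) == (base | wild)

def evaluate(acl, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, proto, src, dst, port in map(parse, acl):
        if proto in ("ip", pkt["proto"]) and _hit(pkt["src"], src) \
                and _hit(pkt["dst"], dst) \
                and (port is None or pkt.get("dport") == port):
            return action
    return "deny"

def forward(pkt, in_if, out_if, bindings):
    """bindings: {(interface, 'in'|'out'): acl}. Only hooks on the packet's path run."""
    for hook in ((in_if, "in"), (out_if, "out")):
        if hook in bindings and evaluate(bindings[hook], pkt) == "deny":
            return "dropped at %s %s" % hook
    return "forwarded"

# Constructed packets; Gi0/0 faces 10.1.1.0/24 and Gi0/1 faces 10.2.2.0/24 (assumed names).
PING = {"proto": "icmp", "src": "10.1.1.10", "dst": "10.2.2.20"}
HTTP = {"proto": "tcp", "src": "10.1.1.10", "dst": "10.2.2.20", "dport": 80}
for direction in ("in", "out"):
    for name, pkt in (("ping", PING), ("http", HTTP)):
        print(direction, name, forward(pkt, "Gi0/0", "Gi0/1", {("Gi0/0", direction): ACL}))
```

With the ACL bound inbound on Gi0/0 the echo request hits `deny ip any any`; bound outbound on the same interface, the request never passes through that hook and is forwarded.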

CCNP ACLs and CoPP Practice Question

This 350-401 practice question tests your understanding of ACLs and CoPP. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A network engineer is configuring ACLs on a Cisco router to filter traffic between two subnets. The engineer wants to allow HTTP traffic from subnet 10.1.1.0/24 to subnet 10.2.2.0/24, but deny all other traffic. The engineer applies an ACL inbound on the interface connected to subnet 10.1.1.0/24. The ACL has a permit statement for TCP port 80 from 10.1.1.0/24 to 10.2.2.0/24, followed by a deny ip any any. However, hosts in subnet 10.1.1.0/24 can still ping hosts in subnet 10.2.2.0/24. What is the most likely reason?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.


Correct answer & explanation

The ACL is applied outbound on the interface, not inbound, so it filters traffic leaving the interface, not entering.

The correct answer is that the ACL only filters traffic entering the interface; ping traffic is also entering the interface, but the ACL permits only HTTP, so ping should be denied. However, if the ACL is applied inbound, it should block ping. The most likely reason is that the ACL is applied outbound on the interface, not inbound. Option B is incorrect because the ACL order is correct. Option C is incorrect because ICMP is not HTTP. Option D is incorrect because the ACL is applied to the interface, not the subnet.

Key principle: Count usable hosts — not total addresses — and remember that the network and broadcast addresses are not available to hosts in standard IPv4 subnets.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The ACL is applied outbound on the interface, not inbound, so it filters traffic leaving the interface, not entering.

    Why this is correct

    Correct because if the ACL is applied outbound, it filters traffic leaving the interface; ping traffic from 10.1.1.0/24 to 10.2.2.0/24 would be leaving the interface, but the ACL permits only HTTP, so ping should be denied. However, if the ACL is applied outbound, the deny ip any any would block ping, so this might not be the issue. Actually, the most likely reason is that the ACL is applied outbound, but the scenario says inbound, so the engineer might have misapplied it.

    Clue confirmation

    The clue word "most likely" in the question points toward this answer.

    Related concept

    CIDR notation defines the prefix length.

  • The ACL is missing a deny statement for ICMP, so ICMP traffic is implicitly permitted.

    Why it's wrong here

    Incorrect because ACLs have an implicit deny at the end, so ICMP would be denied.

  • The ACL permits HTTP, but ping uses ICMP, which is not HTTP, so ping should be denied.

    Why it's wrong here

    Incorrect because this would not explain why ping is allowed; it should be denied.

  • The ACL is applied to the wrong interface; it should be applied to the interface connected to subnet 10.2.2.0/24.

    Why it's wrong here

    Incorrect because applying the ACL to the interface connected to 10.1.1.0/24 is correct for filtering traffic from that subnet.

Common exam traps

Common exam trap: usable hosts are not the same as total addresses

Subnetting questions often tempt you into counting all addresses. In normal IPv4 subnets, the network and broadcast addresses are not usable host addresses.

Detailed technical explanation

How to think about this question

Subnetting questions test whether you can identify the network, broadcast address, usable range, mask and correct subnet. Slow down enough to calculate the block size correctly.

Key Concepts to Remember

  • CIDR notation defines the prefix length.
  • Block size helps identify subnet boundaries.
  • Network and broadcast addresses are not usable hosts in normal IPv4 subnets.
  • The required host count determines the smallest suitable subnet.

Exam Day Tips

  • Write the block size before choosing the subnet.
  • Check whether the question asks for hosts, subnets or a specific address range.
  • Do not confuse /24, /25, /26 and /27 host counts.

Real-world example

How this comes up in practice

A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic is still blocked from nursing workstations. The ACL was applied outbound instead of inbound on the wrong interface. Questions like this test ACL direction and placement rules.

What to study next

Got this wrong? Here's your next step.

Review block sizes, usable host formulas (2^n − 2), and how to find network and broadcast addresses for /24 through /30. Then practise related 350-401 subnetting questions on CIDR, address ranges, and subnet selection.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Same concept, more angles

3 more ways this is tested on 350-401

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. Examine the following configuration snippet:

    interface GigabitEthernet0/1
     ip access-group FILTER_IN in
    !
    ip access-list extended FILTER_IN
     deny icmp any any echo
     permit ip any any

What is the effect of this configuration?

Difficulty: medium
  • A. It blocks all ICMP traffic inbound on GigabitEthernet0/1.
  • B. It blocks inbound ICMP Echo requests on GigabitEthernet0/1.
  • C. It blocks all inbound traffic on GigabitEthernet0/1.
  • D. It blocks outbound ICMP Echo requests on GigabitEthernet0/1.

Why B: The ACL denies ICMP Echo (ping) inbound on GigabitEthernet0/1 while permitting all other IP traffic.

Variation 2. Given the following configuration:

    ip access-list extended FILTER
     permit tcp any host 10.1.1.1 eq 22
     permit icmp any any echo-reply
    !
    interface GigabitEthernet0/4
     ip access-group FILTER in

What traffic is permitted?

Difficulty: medium
  • A. Only SSH traffic to 10.1.1.1 is permitted.
  • B. SSH to 10.1.1.1 and ICMP Echo Reply are permitted.
  • C. All ICMP traffic is permitted.
  • D. Only traffic from host 10.1.1.1 is permitted.

Why B: The ACL permits TCP traffic to host 10.1.1.1 on port 22 (SSH) and ICMP Echo Reply messages from any source.

Variation 3. Review the ACL configuration:

    ip access-list extended TEST
     permit tcp 192.168.1.0 0.0.0.255 any eq 80
     permit tcp 192.168.1.0 0.0.0.255 any eq 443
     deny ip any any
    !
    interface GigabitEthernet0/3
     ip access-group TEST in

What is missing or incorrect?

Difficulty: medium
  • A. The ACL should use a wildcard mask of 255.255.255.0 instead of 0.0.0.255.
  • B. The deny ip any any is redundant because ACLs have an implicit deny at the end.
  • C. The ACL must be applied outbound to filter incoming traffic.
  • D. The ACL should use the keyword 'established' to allow return traffic.

Why B: The ACL permits HTTP and HTTPS from 192.168.1.0/24 to any destination, but denies all other traffic. The configuration is syntactically correct.

Last reviewed: Jun 18, 2026


This 350-401 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 350-401 exam.