Scenario-based practice

Access Control List (ACL) Scenarios

Practise 350-401 ACL questions covering standard vs extended ACLs, top-down processing, implicit deny, inbound vs outbound placement, and troubleshooting traffic that is unexpectedly blocked or permitted.

15 scenario questions | Exam code: 350-401 | Vendor: Cisco

Scenario guide

How to approach access control list (ACL) scenarios

ACL questions test your ability to read, write, and place access lists correctly. They appear as configuration tasks, troubleshooting scenarios, and exhibit-based questions showing ACL output. The CCNA covers standard and extended ACLs for both IPv4 and IPv6.

Quick answer

ACL questions usually test top-down rule processing, source and destination matching, protocol or port logic, and where the ACL should be applied.

Standard versus extended ACL behaviour.

Top-down processing and the implicit deny rule.

Source, destination, protocol and port matching.

Inbound versus outbound ACL placement.
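
Top-down processing and the implicit deny from the list above, shown as an added example (not part of the original page): a small first-match evaluator run over a constructed ACL. The simplified entry syntax (numeric ports only, `any` / `host` / address-plus-wildcard) and all function names are assumptions made for illustration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard logic: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_ace(line):
    """Parse 'action proto src dst [eq port]', where src/dst is any | host A | A W."""
    tok = line.split()
    ace = {"action": tok[0], "proto": tok[1], "line": line}
    i = 2
    for side in ("src", "dst"):
        if tok[i] == "any":
            ace[side] = ("0.0.0.0", "255.255.255.255"); i += 1
        elif tok[i] == "host":
            ace[side] = (tok[i + 1], "0.0.0.0"); i += 2
        else:
            ace[side] = (tok[i], tok[i + 1]); i += 2
    ace["port"] = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return ace

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, matching line); first match wins, no match is the implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(src, *ace["src"]) or not wildcard_match(dst, *ace["dst"]):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"], ace["line"]
    return "deny", "implicit deny"

# Constructed ACL (not from the page): the host deny sits below a broader permit.
SHADOWED = [parse_ace(l) for l in (
    "permit tcp 10.1.1.0 0.0.0.255 any eq 443",
    "deny tcp host 10.1.1.50 any eq 443",
    "permit udp any host 10.9.9.9 eq 53",
)]
# Same entries with the specific deny moved above the broad permit.
REORDERED = [SHADOWED[1], SHADOWED[0], SHADOWED[2]]

if __name__ == "__main__":
    for name, acl in (("shadowed", SHADOWED), ("reordered", REORDERED)):
        print(name, evaluate(acl, "tcp", "10.1.1.50", "203.0.113.7", 443))
    print(evaluate(SHADOWED, "icmp", "10.1.1.5", "203.0.113.7"))
```

The same three entries give different results for host 10.1.1.50 depending only on their order, and traffic that matches no entry falls through to the implicit deny.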

Practice set

Practice scenarios

Question 1 (medium, drag order)

Drag and drop the steps to configure an extended access control list (ACL) on a Cisco router in the correct order.

Question 2 (easy, multi select)

Which TWO features are part of Cisco TrustSec for providing role-based access control?

Question 3 (hard, multiple choice)

Based on the exhibit, which traffic will be permitted outbound on GigabitEthernet0/0?

Exhibit

Refer to the exhibit.

```
! Running-config on R1
ip access-list extended FILTER
 permit tcp 192.168.1.0 0.0.0.255 any eq www
 permit tcp 192.168.1.0 0.0.0.255 any eq https
!
interface GigabitEthernet0/0
 ip access-group FILTER out
!
```

Question 4 (medium, multiple choice)

```
router bgp 65000
 bgp router-id 10.0.0.1
 neighbor 10.0.0.2 remote-as 65001
 neighbor 10.0.0.2 route-map SET_ORIGIN in
!
route-map SET_ORIGIN permit 10
 set origin incomplete
!
```

What is the effect of this configuration?

Question 5 (medium, multiple choice)

A company has deployed a Cisco ASA firewall in transparent mode. The internal network uses VLAN 10 and the external network uses VLAN 20. The ASA is configured with two bridge groups: BVI 10 for inside and BVI 20 for outside. The security policy must allow HTTPS traffic from inside to outside. Which access-list entry is correct?

Question 6 (hard, multiple choice)

An engineer is configuring a new Cisco 9800 WLC in a branch office. The WLC will manage 50 APs and must provide guest access with a captive portal. The engineer configures a guest SSID with open authentication and a redirect ACL for the captive portal. However, after the configuration, clients can associate to the guest SSID but cannot reach the captive portal page. What is the most likely cause?

Question 7 (medium, multiple choice)

A network engineer is troubleshooting a site-to-site IPsec VPN tunnel between two Cisco routers. The tunnel is established and IKEv2 Phase 1 is up, but no traffic passes. The engineer checks the crypto map and sees that the ACL is configured to permit traffic between the two LAN subnets. However, 'show crypto ipsec sa' shows that the number of packets encapsulated and decapsulated is zero. What is the most likely cause?

Question 8 (medium, multiple choice)

```
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
!
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 14
 lifetime 86400
!
crypto isakmp key cisco123 address 203.0.113.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TSET
 match address 100
!
interface GigabitEthernet0/0
 crypto map CMAP
!
access-list 100 permit ip 10.0.0.0 0.0.0.3 10.0.0.4 0.0.0.3
```

What is the effect of this configuration?

Question 9 (medium, multiple choice)

```
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
```

What is the effect of this configuration?

Question 10 (medium, multiple choice)

A network engineer is configuring a Cisco router to provide internet access to a small office using a single public IP address assigned by the ISP. The engineer wants to allow internal hosts to initiate connections to the internet, but also needs to make a web server on the internal network reachable from the internet. The engineer configures a standard access list for NAT and an ip nat inside source list command. However, external users cannot reach the internal web server. What is the most likely cause?

Question 11 (easy, multiple choice)

A network engineer is configuring NAT on a Cisco router to allow internal hosts to access the internet. The engineer uses the command ip nat inside source list 100 interface GigabitEthernet0/0 overload, where access list 100 permits only the 10.0.0.0/8 network. After testing, hosts in the 10.0.0.0/8 network can access the internet, but hosts in the 172.16.0.0/16 network cannot. The engineer verifies that the 172.16.0.0/16 hosts have connectivity to the router. What is the most likely cause?

Question 12 (medium, multiple choice)

Consider the following configuration snippet:

```
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/2
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
ip nat inside source list 1 interface GigabitEthernet0/2 overload
access-list 1 permit 192.168.1.0 0.0.0.255
```

What is the effect of this configuration?

Question 13 (medium, multiple choice)

Analyze this NAT configuration:

```
ip nat pool GLOBAL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
ip nat inside source list 1 pool GLOBAL overload
access-list 1 permit 192.168.1.0 0.0.0.255
```

Which statement is correct?

Question 14 (medium, multiple choice)

Given the following partial configuration on a Cisco IOS-XE router:

```
ip pim rp-address 10.0.0.1 10
access-list 10 permit 224.0.0.0 0.255.255.255
!
interface GigabitEthernet0/0
 ip pim sparse-mode
!
```

What is the effect of this configuration?

Question 15 (medium, multiple choice)

Examine the following configuration snippet:

```
ip pim send-rp-announce Loopback0 scope 10 group-list 10
ip pim send-rp-discovery scope 10
access-list 10 permit 239.0.0.0 0.255.255.255
!
interface Loopback0
 ip address 192.168.0.1 255.255.255.255
 ip pim sparse-mode
!
```

What is the purpose of this configuration?

These 350-401 practice questions are part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style 350-401 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.