CCNA ACLs and CoPP Questions

58 questions · ACLs and CoPP topic · All types, answers revealed

1
MCQ · hard

A network engineer is configuring CoPP on a Cisco Nexus 9000 switch to protect the control plane from a potential DoS attack. The engineer creates a class-map that matches traffic with a specific DSCP value (AF41) and applies a police rate of 10 Mbps. After applying the policy, the engineer notices that legitimate traffic with DSCP AF41 is being dropped even though the traffic rate is only 5 Mbps. What is the most likely cause?

A. The CoPP policy has a conform-action of drop, which drops all traffic matching the class.
B. The police rate is too low, and the traffic is being dropped due to exceeding the rate.
C. The DSCP value AF41 is not supported on Nexus switches.
D. The CoPP policy is applied to the wrong queue, causing all traffic to be dropped.
Answer: A

Correct because if the conform-action is set to drop, all traffic in that class is dropped, even if it is within the police rate.

Why this answer

The correct answer is that the CoPP policy is using a conform-action of drop, which drops all traffic that matches the class, regardless of rate. Option B is incorrect because the police rate is not exceeded. Option C is incorrect because DSCP AF41 is a valid value.

Option D is incorrect because CoPP does not require a specific queue; it uses policing.

2
MCQ · medium

An enterprise network uses a Cisco Catalyst 9300 switch as a distribution layer device. The network team notices that ICMP echo requests from a monitoring server (192.168.1.100) to the switch's management IP are being dropped intermittently. The switch has a CoPP policy that includes a class-map matching ICMP traffic. The engineer checks the CoPP statistics and sees that ICMP packets from the monitoring server are being dropped by the policy. What is the most likely cause of this issue?

A. The CoPP policy is policing ICMP traffic to a rate that is too low for the monitoring server's traffic.
B. An ACL applied to the management interface is blocking ICMP from the monitoring server.
C. The monitoring server is sending ICMP packets with a TTL of 1, causing them to be dropped.
D. The switch's CPU is overloaded, causing CoPP to drop all packets.
Answer: A

Correct because CoPP polices traffic to the control plane; if the rate is too low, legitimate ICMP packets may be dropped.

Why this answer

The correct answer is that the CoPP policy is policing ICMP traffic to a rate that is too low for the monitoring server's traffic. Option B is incorrect because the ACL is not mentioned as blocking ICMP. Option C is incorrect because the monitoring server is not the source of the issue; it is the target.

Option D is incorrect because the switch's CPU is not necessarily overloaded; the drops are due to CoPP policing.

3
Multi-Select · medium

Which two statements about Control Plane Policing (CoPP) are true? (Choose two.)

Select 2 answers
A. CoPP applies QoS policy-map logic to traffic that is destined to the control plane of the router.
B. CoPP is configured under the 'control-plane' global configuration mode.
C. CoPP can be applied to both IPv4 and IPv6 traffic in a single policy-map.
D. CoPP is applied to traffic transiting the router, not to traffic originated by the router.
E. The default action for CoPP is to permit all control-plane traffic.
Answers: A, B

Correct because CoPP uses MQC (Modular QoS CLI) to classify and police control-plane-bound traffic.

Why this answer

CoPP protects the control plane by policing traffic destined to it. The correct answers describe its location and default behavior. The incorrect options confuse CoPP with data-plane ACLs or misstate the default action.

4
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show ip interface GigabitEthernet0/0 | include access list
      Inbound access list is 101
      Outbound access list is not set
    R1# show access-lists 101
    Extended IP access list 101
        10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (100 matches)
        20 deny tcp any any eq 80 (50 matches)
        30 permit ip any any (200 matches)

Based on this output, what can be concluded?

A. HTTP traffic from sources outside 192.168.1.0/24 is denied.
B. All HTTP traffic is permitted.
C. The ACL is applied outbound on the interface.
D. The ACL permits all traffic from 192.168.1.0/24.
Answer: A

Entry 20 denies all HTTP traffic not matching entry 10, so any HTTP from other subnets is denied.

Why this answer

ACL 101 is applied inbound on GigabitEthernet0/0. It permits HTTP from subnet 192.168.1.0/24 to any destination, denies all other HTTP, and permits all other IP traffic. The match counts show 100 HTTP packets from the subnet, 50 denied HTTP packets from other sources, and 200 other packets permitted.

The correct answer is that HTTP traffic from sources outside 192.168.1.0/24 is denied.

5
Multi-Select · hard

Which three statements about extended ACLs on Cisco IOS are true? (Choose three.)

Select 3 answers
A. Extended ACLs can filter based on source and destination IP addresses.
B. Extended ACLs can filter based on TCP or UDP port numbers.
C. Extended ACLs are processed in order until a matching permit or deny statement is found.
D. Extended ACLs can filter based on source MAC addresses.
E. Extended ACLs only filter traffic based on the source IP address.
Answers: A, B, C

Correct because extended ACLs evaluate both source and destination addresses.

Why this answer

Extended ACLs can filter based on source and destination IP addresses, protocol, and port numbers. They are processed sequentially until a match is found, and an implicit deny any is at the end. They can be applied to interfaces using the 'ip access-group' command.

Extended ACLs cannot filter based on MAC addresses; that is done by MAC ACLs. They are not limited to source-only filtering.

6
Multi-Select · hard

Which three statements about CoPP configuration and operation are true? (Choose three.)

Select 3 answers
A. CoPP uses a class map to classify traffic destined for the control plane.
B. CoPP uses the 'police' command within a policy map to rate-limit traffic.
C. The 'control-plane' command is used to enter control plane configuration mode.
D. CoPP is applied using the 'ip access-group' command on the control plane interface.
E. CoPP can only filter IPv4 traffic.
Answers: A, B, C

Correct because class maps define traffic classes using match statements, often referencing ACLs.

Why this answer

CoPP uses a class map to match traffic (often with ACLs) and a policy map to define actions. The policy map is applied to the control plane. CoPP can police traffic to a specific rate using the 'police' command.

The 'control-plane' command enters the control plane configuration mode. CoPP does not use 'ip access-group' on the control plane. CoPP can be applied to both IPv4 and IPv6 traffic.

7
MCQ · easy

A network engineer is configuring ACLs on a Cisco router to filter traffic between two subnets. The engineer wants to allow HTTP traffic from subnet 10.1.1.0/24 to subnet 10.2.2.0/24, but deny all other traffic. The engineer applies an ACL inbound on the interface connected to subnet 10.1.1.0/24. The ACL has a permit statement for TCP port 80 from 10.1.1.0/24 to 10.2.2.0/24, followed by a deny ip any any. However, hosts in subnet 10.1.1.0/24 can still ping hosts in subnet 10.2.2.0/24. What is the most likely reason?

A. The ACL is applied outbound on the interface, not inbound, so it filters traffic leaving the interface, not entering.
B. The ACL is missing a deny statement for ICMP, so ICMP traffic is implicitly permitted.
C. The ACL permits HTTP, but ping uses ICMP, which is not HTTP, so ping should be denied.
D. The ACL is applied to the wrong interface; it should be applied to the interface connected to subnet 10.2.2.0/24.
Answer: A

Correct because if the ACL is applied outbound, it filters traffic leaving the interface; ping traffic from 10.1.1.0/24 to 10.2.2.0/24 would be leaving the interface, but the ACL permits only HTTP, so ping should be denied. However, if the ACL is applied outbound, the deny ip any any would block ping, so this might not be the issue. Actually, the most likely reason is that the ACL is applied outbound, but the scenario says inbound, so the engineer might have misapplied it.

Why this answer

The correct answer is that the ACL only filters traffic entering the interface; ping traffic is also entering the interface, but the ACL permits only HTTP, so ping should be denied. However, if the ACL is applied inbound, it should block ping. The most likely reason is that the ACL is applied outbound on the interface, not inbound.

Option B is incorrect because the ACL order is correct. Option C is incorrect because ICMP is not HTTP. Option D is incorrect because the ACL is applied to the interface, not the subnet.

8
Matching · medium

Drag and drop each ACL action on the left to its matching result on the right.

Matches

Packet is allowed to pass through the ACL

Packet is discarded and not forwarded

Adds a descriptive comment to the ACL entry

Generates a syslog message when a packet matches the entry

Assigns a numeric identifier to the ACL line for insertion/deletion

Why these pairings

Permit allows the packet; Deny discards the packet; Remark adds a comment; Log generates a log message for matched packets; Sequence-number assigns a line number for editing.

9
Matching · easy

Drag and drop each protocol number on the left to its matching protocol on the right.

Matches

Internet Control Message Protocol (ICMP)

Transmission Control Protocol (TCP)

User Datagram Protocol (UDP)

Open Shortest Path First (OSPF)

Enhanced Interior Gateway Routing Protocol (EIGRP)

Why these pairings

Protocol 1 is ICMP, 6 is TCP, 17 is UDP, 89 is OSPF, 88 is EIGRP.

10
Drag & Drop · medium

Drag and drop the steps of configuring a standard ACL for traffic filtering on a Cisco IOS router into the correct order, from first to last.

Why this order

Standard ACLs are configured by first entering global config, defining the ACL with permit/deny statements, then applying it to an interface in the correct direction. Verification confirms the ACL is active.

11
MCQ · hard

A network engineer runs the following command on Router R1:

    R1# show policy-map control-plane
     Control Plane
      Service-policy input: CoPP-POLICY
        Class-map: ICMP-CLASS (match-all)
          10 packets, 1000 bytes
          5 minute offered rate 0 bps
          Match: access-group name ICMP-ACL
          police:
            cir 8000 bps, bc 1500 bytes, be 1500 bytes
            conformed 10 packets, 1000 bytes; actions: transmit
            exceeded 0 packets, 0 bytes; actions: drop
            violated 0 packets, 0 bytes; actions: drop
        Class-map: SSH-CLASS (match-all)
          5 packets, 500 bytes
          5 minute offered rate 0 bps
          Match: access-group name SSH-ACL
          police:
            cir 16000 bps, bc 3000 bytes, be 3000 bytes
            conformed 5 packets, 500 bytes; actions: transmit
            exceeded 0 packets, 0 bytes; actions: drop
            violated 0 packets, 0 bytes; actions: drop
        Class-map: class-default (match-any)
          20 packets, 2000 bytes
          5 minute offered rate 0 bps
          Match: any
          police:
            cir 64000 bps, bc 8000 bytes, be 8000 bytes
            conformed 20 packets, 2000 bytes; actions: transmit
            exceeded 0 packets, 0 bytes; actions: drop
            violated 0 packets, 0 bytes; actions: drop

Based on this output, what can be concluded?

A. ICMP traffic to the control plane is rate-limited to 8 kbps, and all packets so far have been within the conform rate.
B. SSH traffic to the control plane is being dropped because it exceeds the CIR.
C. The control-plane policy is applied in the output direction.
D. All traffic to the control plane is rate-limited to 64 kbps.
Answer: A

The police command shows a CIR of 8000 bps for ICMP, and the conformed count equals the total packets, meaning no packets exceeded the rate.

Why this answer

The output shows a CoPP policy applied to the control plane. The ICMP class has a CIR of 8 kbps, and all 10 ICMP packets conformed. The SSH class has a higher CIR of 16 kbps.

The class-default has a CIR of 64 kbps. The correct answer is that ICMP traffic to the control plane is rate-limited to 8 kbps, and all packets so far have been within the conform rate.

12
MCQ · hard

A network engineer runs the following command on Router R1:

    R1# show policy-map control-plane
     Control Plane
      Service-policy input: CoPP-POLICY
        Class-map: MGMT-CLASS (match-all)
          100 packets, 5000 bytes
          5 minute offered rate 1000 bps
          Match: access-group name MGMT-ACL
          police:
            cir 32000 bps, bc 4000 bytes, be 4000 bytes
            conformed 80 packets, 4000 bytes; actions: transmit
            exceeded 15 packets, 750 bytes; actions: drop
            violated 5 packets, 250 bytes; actions: drop
        Class-map: class-default (match-any)
          200 packets, 10000 bytes
          5 minute offered rate 2000 bps
          Match: any
          police:
            cir 64000 bps, bc 8000 bytes, be 8000 bytes
            conformed 200 packets, 10000 bytes; actions: transmit
            exceeded 0 packets, 0 bytes; actions: drop
            violated 0 packets, 0 bytes; actions: drop

Based on this output, what can be concluded?

A. Management traffic to the control plane is being policed, and some packets are being dropped because they exceed the configured rate.
B. All management traffic is being transmitted without drops.
C. The policer is configured in the output direction.
D. The class-default is dropping packets.
Answer: A

The policer shows 80 conformed and 20 exceeded/violated packets, meaning 20 packets were dropped due to exceeding the CIR.

Why this answer

The MGMT class has a CIR of 32 kbps. Out of 100 packets, 80 conformed and were transmitted, while 20 exceeded or violated and were dropped. This indicates that the traffic rate exceeded the policer's CIR, causing drops.

The correct answer is that management traffic to the control plane is being policed, and some packets are being dropped because they exceed the configured rate.

13
MCQ · medium

Given the following configuration:

    ip access-list extended FILTER
     permit tcp any host 10.1.1.1 eq 22
     permit icmp any any echo-reply
    !
    interface GigabitEthernet0/4
     ip access-group FILTER in

What traffic is permitted?

A. Only SSH traffic to 10.1.1.1 is permitted.
B. SSH to 10.1.1.1 and ICMP Echo Reply are permitted.
C. All ICMP traffic is permitted.
D. Only traffic from host 10.1.1.1 is permitted.
Answer: B

Both permit statements are valid and allow the specified traffic.

Why this answer

The ACL permits TCP traffic to host 10.1.1.1 on port 22 (SSH) and ICMP Echo Reply messages from any source.

14
MCQ · hard

A network engineer is configuring CoPP on a Cisco router to protect the control plane from excessive traffic. The engineer creates a class-map that matches traffic with a specific ACL that permits TCP port 22 (SSH) from a management subnet (192.168.1.0/24) and denies all other traffic. The CoPP policy applies a police rate of 1 Mbps to this class. After applying the policy, the engineer notices that SSH sessions from the management subnet are being dropped intermittently. The engineer checks the CoPP statistics and sees that the traffic rate is 500 kbps. What is the most likely cause?

A. The CoPP policy has a conform-action of drop, which drops all traffic matching the class.
B. The police rate is too low, and the traffic is being dropped due to exceeding the rate.
C. The ACL is denying SSH traffic from the management subnet.
D. The CoPP policy is applied to the wrong interface, so it is not affecting SSH traffic.
Answer: A

Correct because if the conform-action is set to drop, all traffic in that class is dropped, even if it is within the police rate.

Why this answer

The correct answer is that the CoPP policy has a conform-action of drop, which drops all traffic matching the class, regardless of rate. Option B is incorrect because the traffic rate is below the police rate. Option C is incorrect because the ACL permits SSH from the management subnet.

Option D is incorrect because the CoPP policy is applied to the control plane, not an interface.

15
MCQ · hard

A network engineer is configuring CoPP on a Cisco ASR 1000 router to protect the control plane from excessive traffic. The engineer wants to allow BGP traffic from a specific peer (10.0.0.1) while rate-limiting all other BGP traffic. The engineer creates an ACL that permits TCP port 179 from host 10.0.0.1 and denies all other BGP traffic. The CoPP class-map matches this ACL. However, after applying the policy, BGP sessions from other peers are still being established. What is the most likely reason?

A. The ACL denies all other BGP traffic, so CoPP does not match it, and it falls through to the default class, which permits it.
B. The ACL is applied in the wrong order; the deny statement should be before the permit statement.
C. BGP uses UDP port 179, not TCP, so the ACL does not match BGP traffic.
D. CoPP does not affect BGP sessions because they are established before the policy is applied.
Answer: A

Correct because CoPP only applies to traffic matched by the class-map; if the ACL denies traffic, it is not matched, and the default class (often permit) allows it.

Why this answer

The correct answer is that the ACL only matches traffic from the specific peer, but CoPP class-maps match traffic based on the ACL; if the ACL denies other BGP traffic, CoPP will not match it, and it will be processed by the default class, which may permit it. Option B is incorrect because the ACL order is not the issue. Option C is incorrect because BGP uses TCP port 179, not UDP.

Option D is incorrect because CoPP does not affect routing protocol sessions directly; it only polices traffic to the control plane.

16
MCQ · medium

Review the ACL configuration:

    ip access-list extended TEST
     permit tcp 192.168.1.0 0.0.0.255 any eq 80
     permit tcp 192.168.1.0 0.0.0.255 any eq 443
     deny ip any any
    !
    interface GigabitEthernet0/3
     ip access-group TEST in

What is missing or incorrect?

A. The ACL should use a wildcard mask of 255.255.255.0 instead of 0.0.0.255.
B. The deny ip any any is redundant because ACLs have an implicit deny at the end.
C. The ACL must be applied outbound to filter incoming traffic.
D. The ACL should use the keyword 'established' to allow return traffic.
Answer: B

The explicit deny is unnecessary but not incorrect; the implicit deny already blocks all other traffic.

Why this answer

The ACL permits HTTP and HTTPS from 192.168.1.0/24 to any destination, but denies all other traffic. The configuration is syntactically correct.

17
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show access-lists
    Extended IP access list 101
        10 permit tcp host 10.1.1.1 host 192.168.1.100 eq 80 (4 matches)
        20 deny tcp any host 192.168.1.100 eq 80 (12 matches)
        30 permit ip any any (8 matches)

Based on this output, what can be concluded?

A. HTTP traffic from 10.1.1.1 to 192.168.1.100 is permitted, but all other HTTP traffic to that host is denied.
B. All HTTP traffic to 192.168.1.100 is denied.
C. All traffic from 10.1.1.1 to 192.168.1.100 is permitted.
D. The ACL is applied inbound on an interface.
Answer: A

The first entry permits HTTP from 10.1.1.1 to 192.168.1.100, and the second denies all other HTTP to that host. The third entry permits all other traffic, but it does not override the deny for HTTP because ACLs are processed top-down until a match is found.

Why this answer

ACL 101 has three entries. The first permits HTTP from a specific host, the second denies HTTP from any source to that host, and the third permits all other IP traffic. The match counts show that 4 packets matched the permit, 12 matched the deny, and 8 matched the final permit.

The correct answer is that HTTP traffic from 10.1.1.1 to 192.168.1.100 is permitted, but all other HTTP traffic to that host is denied.

18
MCQ · medium

Examine the following configuration snippet:

    interface GigabitEthernet0/1
     ip access-group FILTER_IN in
    !
    ip access-list extended FILTER_IN
     deny icmp any any echo
     permit ip any any

What is the effect of this configuration?

A. It blocks all ICMP traffic inbound on GigabitEthernet0/1.
B. It blocks inbound ICMP Echo requests on GigabitEthernet0/1.
C. It blocks all inbound traffic on GigabitEthernet0/1.
D. It blocks outbound ICMP Echo requests on GigabitEthernet0/1.
Answer: B

The deny statement matches ICMP Echo (ping request) and the permit statement allows all other traffic.

Why this answer

The ACL denies ICMP Echo (ping) inbound on GigabitEthernet0/1 while permitting all other IP traffic.

19
Matching · medium

Drag and drop each ACL type on the left to its matching capability on the right.

Matches

Filters based on source IP address only

Filters based on source/destination IP, protocol, and port numbers

Allows identification by alphanumeric name instead of number

Applies a time range to restrict access during specific periods

Authenticates a user and then opens a temporary hole in the firewall

Why these pairings

Standard ACLs filter only source IP; Extended ACLs filter source/dest IP, protocol, and ports; Named ACLs allow identification by name; Time-based ACLs use time ranges; Dynamic ACLs authenticate per-user.

20
Drag & Drop · medium

Drag and drop the steps of CoPP policy evaluation order into the correct order, from first to last.

Why this order

CoPP evaluates packets against class maps in sequential order. The first match determines the action. The default class is processed last if no match occurs.

21
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show access-lists 130
    Extended IP access list 130
        10 permit icmp host 10.1.1.1 any echo (8 matches)
        20 permit icmp host 10.1.1.1 any echo-reply (5 matches)
        30 deny icmp any any (3 matches)
        40 permit ip any any (12 matches)

Based on this output, what can be concluded?

A. ICMP packets from sources other than 10.1.1.1 are denied.
B. All ICMP traffic is permitted.
C. The ACL permits all traffic from 10.1.1.1.
D. The ACL is applied inbound on an interface.
Answer: A

Entry 30 denies all ICMP not matching entries 10 or 20, so any ICMP from other sources is denied.

Why this answer

ACL 130 permits ICMP echo and echo-reply only from host 10.1.1.1, denies all other ICMP, and permits all other IP traffic. The match counts show 8 echo packets from 10.1.1.1, 5 echo-reply packets from 10.1.1.1, 3 denied ICMP packets from other sources, and 12 other packets permitted. The correct answer is that ICMP packets from sources other than 10.1.1.1 are denied.

22
Matching · easy

Drag and drop each protocol number on the left to its matching protocol on the right.

Matches

ICMP

TCP

UDP

OSPF

IGMP

Why these pairings

Protocol 1 is ICMP, 6 is TCP, 17 is UDP, 89 is OSPF, 2 is IGMP.

23
Multi-Select · hard

Which two statements about the interaction between ACLs and CoPP are true? (Choose two.)

Select 2 answers
A. ACLs are used in CoPP class-maps to match specific control-plane traffic types.
B. CoPP can rate-limit ICMP packets destined to the router by using an ACL to match ICMP in the class-map.
C. ACLs applied to interfaces take precedence over CoPP policies for control-plane traffic.
D. CoPP can only use extended ACLs, not standard ACLs, for classification.
E. CoPP policies are applied globally and affect all traffic entering the router, including transit traffic.
Answers: A, B

Correct because CoPP uses class-maps that reference ACLs to identify traffic such as SSH, SNMP, or routing protocol packets.

Why this answer

ACLs are used within CoPP to classify control-plane traffic. CoPP can protect against DoS attacks, and ACLs provide the classification. The incorrect options misstate the order of processing or the scope of CoPP.

24
MCQ · medium

Which BGP attribute is preferred when it has the lowest value?

A. Weight
B. Local Preference
C. MED (Multi-Exit Discriminator)
D. Origin
Answer: C

Lower MED is preferred when paths are from the same AS.

Why this answer

In BGP path selection, a lower weight is preferred over a higher weight.

25
Drag & Drop · medium

Drag and drop the steps of deploying a CoPP policy on a Cisco IOS-XE router into the correct order, from first to last.

Why this order

Deploying CoPP requires first defining ACLs to classify traffic, then creating class maps, then a policy map, then applying it to the control plane, and finally verifying the policy.

26
MCQ · hard

A network engineer runs the following command on Router R1:

    R1# show policy-map control-plane
     Control Plane
      Service-policy input: CoPP-POLICY
        Class-map: BGP-CLASS (match-all)
          50 packets, 2500 bytes
          5 minute offered rate 500 bps
          Match: access-group name BGP-ACL
          police:
            cir 64000 bps, bc 8000 bytes, be 8000 bytes
            conformed 50 packets, 2500 bytes; actions: transmit
            exceeded 0 packets, 0 bytes; actions: drop
            violated 0 packets, 0 bytes; actions: drop
        Class-map: SNMP-CLASS (match-all)
          200 packets, 10000 bytes
          5 minute offered rate 2000 bps
          Match: access-group name SNMP-ACL
          police:
            cir 16000 bps, bc 2000 bytes, be 2000 bytes
            conformed 150 packets, 7500 bytes; actions: transmit
            exceeded 40 packets, 2000 bytes; actions: drop
            violated 10 packets, 500 bytes; actions: drop
        Class-map: class-default (match-any)
          100 packets, 5000 bytes
          5 minute offered rate 1000 bps
          Match: any
          police:
            cir 32000 bps, bc 4000 bytes, be 4000 bytes
            conformed 100 packets, 5000 bytes; actions: transmit
            exceeded 0 packets, 0 bytes; actions: drop
            violated 0 packets, 0 bytes; actions: drop

Based on this output, what can be concluded?

A. SNMP traffic to the control plane is experiencing drops due to exceeding its policer rate, while BGP traffic is within its rate.
B. BGP traffic is being dropped because it exceeds the CIR.
C. All traffic to the control plane is being dropped.
D. The control-plane policy is applied in the output direction.
Answer: A

The SNMP class shows 150 conformed and 50 dropped (exceeded+violated), while BGP shows all 50 conformed.

Why this answer

The BGP class has a CIR of 64 kbps and all 50 packets conformed. The SNMP class has a CIR of 16 kbps, but 50 out of 200 packets exceeded or violated, meaning 50 packets were dropped. The class-default has a CIR of 32 kbps and all 100 packets conformed.

The correct answer is that SNMP traffic to the control plane is experiencing drops due to exceeding its policer rate, while BGP traffic is within its rate.

27
Matching · hard

Drag and drop each IPv6 ACL feature on the left to its matching IPv4 equivalent on the right.

Matches

access-list (IPv4 numbered/named ACL)

permit/deny ip any any (IPv4)

sequence numbers (IPv4 ACL line numbering)

log (IPv4 ACL logging)

match protocol tcp (IPv4 extended ACL)

Why these pairings

IPv6 ACLs use ipv6 access-list instead of access-list; They match on IPv6 source/dest addresses; They support the same permit/deny actions; They can use named entries; They can log matches similarly.

28
Matching · medium

Drag and drop each CoPP class on the left to its matching traffic type on the right.

Matches

Carries OSPF, EIGRP, BGP control plane packets

Carries SSH, SNMP, NTP, and Syslog traffic

Carries packets requiring CPU intervention (e.g., TTL expiry)

Catch-all for traffic not matching other classes

Reserved for high-priority control plane traffic

Why these pairings

CoPP classes map to specific traffic categories: routing protocol traffic, management traffic, exception traffic, and default catch-all.

29
Matching · easy

Drag and drop each ACL action on the left to its matching result on the right.

Matches

Allows the packet to pass through the ACL

Discards the packet and optionally logs it

Adds a descriptive comment to the ACL entry

Generates a log message when the ACL entry is matched

Matches TCP packets with ACK or RST bit set

Why these pairings

Permit allows traffic, deny drops traffic, remark adds a comment, log records matches, and established matches TCP with ACK/RST set.

30
Multi-Select · easy

Which three statements about named ACLs and their configuration are true? (Choose three.)

Select 3 answers
A. Named ACLs can be either standard or extended.
B. Named ACLs allow individual entries to be added, removed, or reordered using sequence numbers.
C. Named ACLs are entered in global configuration mode using the 'ip access-list' command.
D. Named ACLs automatically renumber entries when a new entry is inserted between existing entries.
E. Named ACLs can be applied to interfaces using the 'ip access-group' command with the keyword 'in' or 'out'.
Answers: A, B, C

Correct because named ACLs support both 'ip access-list standard' and 'ip access-list extended'.

Why this answer

Named ACLs offer flexibility in editing and naming. The correct answers cover their naming, editing capability, and support for both standard and extended types. The incorrect options confuse sequencing or the use of the 'ip access-list' command.

31
Matching · hard

Drag and drop each CoPP class on the left to its matching traffic type on the right.

Matches

Protects routing protocol packets like OSPF, BGP, EIGRP

Permits management traffic such as SSH, SNMP, and Telnet

Handles packets requiring CPU intervention (e.g., TTL expired, unreachable)

Matches any traffic not explicitly classified by other classes

Reserved for high-priority control plane traffic (e.g., LDP, RSVP)

Why these pairings

Routing class protects control plane routing protocols; Management class allows SSH/SNMP; Exception class handles packets that need CPU processing (e.g., TTL expiry); Default class matches all other traffic; Critical class is for high-priority control traffic.

32
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show ip interface GigabitEthernet0/1 | include access list
      Inbound access list is not set
      Outbound access list is 140
    R1# show access-lists 140
    Extended IP access list 140
        10 permit tcp 192.168.1.0 0.0.0.255 any eq 443 (25 matches)
        20 deny tcp any any eq 443 (10 matches)
        30 permit ip any any (50 matches)

Based on this output, what can be concluded?

A. HTTPS traffic from sources outside 192.168.1.0/24 is denied when exiting the interface.
B. All HTTPS traffic is permitted outbound.
C. The ACL is applied inbound on the interface.
D. The ACL permits all traffic from 192.168.1.0/24.
Answer: A

Entry 20 denies HTTPS from any source not matching entry 10, so HTTPS from other subnets is denied outbound.

Why this answer

ACL 140 is applied outbound on GigabitEthernet0/1. It permits HTTPS (port 443) from subnet 192.168.1.0/24 to any destination, denies all other HTTPS, and permits all other IP traffic. The match counts show 25 HTTPS packets from the subnet, 10 denied HTTPS packets from other sources, and 50 other packets permitted.

The correct answer is that HTTPS traffic from sources outside 192.168.1.0/24 is denied when exiting the interface.

33
MCQ · easy

A network engineer is troubleshooting an issue where a Cisco router is not forwarding traffic between two VLANs. The router has an ACL applied to the subinterface for VLAN 100 that permits traffic from VLAN 200 to VLAN 100, but denies all other traffic. Hosts in VLAN 200 can ping hosts in VLAN 100, but hosts in VLAN 100 cannot ping hosts in VLAN 200. The engineer checks the ACL and finds that it is applied inbound on the subinterface for VLAN 100. What is the most likely cause of the issue?

A. The ACL is applied inbound on VLAN 100, so it only filters traffic entering VLAN 100, not traffic leaving VLAN 100.
B. The ACL is applied outbound on VLAN 100, so it filters traffic leaving VLAN 100, preventing replies.
C. The ACL is applied to the wrong subinterface; it should be applied to the subinterface for VLAN 200.
D. The ACL is blocking ICMP echo replies from VLAN 100 to VLAN 200.
Answer: A

Correct because inbound ACLs filter traffic entering the interface; traffic from VLAN 100 to VLAN 200 is leaving VLAN 100 and is not filtered.

Why this answer

The correct answer is that the ACL is applied inbound on VLAN 100, so it filters traffic entering VLAN 100; traffic from VLAN 200 to VLAN 100 is permitted, but traffic from VLAN 100 to VLAN 200 is not affected by this ACL. Option B is incorrect because the ACL is applied inbound, not outbound. Option C is incorrect because the ACL is applied to the subinterface, not the VLAN.

Option D is incorrect because the ACL does not affect routing between VLANs; it only filters traffic.

34
Drag & Drop · medium

Drag and drop the steps of ACL reflexive access list (dynamic inspection) flow into the correct order, from first to last.

Why this order

Reflexive ACLs work by evaluating outbound traffic, creating a reflexive entry, then applying inbound ACL to permit return traffic. The order ensures proper dynamic inspection.

35
Drag & Drop · medium

Drag and drop the steps of named ACL modification using sequence numbers into the correct order, from first to last.

Why this order

Named ACLs can be modified by inserting or deleting entries by sequence number. The correct order is: view current entries, delete the old entry, insert the new entry with a sequence number, verify, then save.

36
Multi-Select · hard

Which three statements about IPv4 ACLs on Cisco IOS are true? (Choose three.)

Select 3 answers
A. Standard ACLs can filter traffic based on source IP address only.
B. Extended ACLs can filter based on source and destination IP addresses, protocol, and port numbers.
C. An implicit deny any statement is automatically added at the end of every ACL.
D. ACL entries are processed from bottom to top, with the last match determining the action.
E. An ACL applied to an inbound interface filters traffic leaving that interface.
Answers: A, B, C

Correct because standard ACLs (numbered 1-99, 1300-1999) examine only the source IP address.

Why this answer

Standard ACLs filter only source IP, extended ACLs filter more fields, and the implicit deny is always present. The incorrect options confuse the order of processing or the placement of ACLs.

37
Multi-Select · medium

Which two statements about Control Plane Policing (CoPP) are true? (Choose two.)

Select 2 answers
A. CoPP uses ACLs to match traffic destined for the control plane.
B. CoPP is applied as a service policy on the control plane interface.
C. CoPP can only be used to rate-limit traffic, not to drop it.
D. CoPP is applied to all physical interfaces to protect the data plane.
E. CoPP can only filter IPv4 traffic.
Answers: A, B

Correct because CoPP relies on ACLs to classify traffic that is sent to the control plane.

Why this answer

CoPP uses ACLs to classify traffic destined for the control plane and applies a policy map to rate-limit or drop that traffic. It protects the control plane from excessive or malicious traffic. The service policy is applied to the control plane, not to interfaces.

CoPP does not protect the data plane forwarding path; it only filters traffic that is punted to the control plane. CoPP can be applied to both IPv4 and IPv6 traffic.

38
Drag & Drop · medium

Drag and drop the steps of CoPP class-map match criteria and rate-limit application into the correct order, from first to last.

Why this order

CoPP configuration requires defining class-maps first, then policy-map with police statements, then applying to control-plane. The order ensures proper traffic classification and rate-limiting.

39
MCQ · medium

Given the following CoPP configuration:

class-map match-all COPP_ICMP
 match access-group name ICMP_ACL
!
policy-map COPP_POLICY
 class COPP_ICMP
  police 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP_POLICY

What is the effect?

A. All ICMP traffic to the control plane is rate-limited to 8000 bps.
B. ICMP traffic is permitted unconditionally.
C. The policy is applied to all interfaces, not just the control plane.
D. The class-map is missing a match-all statement.
Answer: A

The police command sets a rate of 8000 bps; conforming traffic passes, excess is dropped.

Why this answer

This CoPP policy polices traffic matching class COPP_ICMP to 8000 bps; conforming traffic is transmitted, exceeding traffic is dropped.

40
MCQ · easy

What is the maximum hop count for EIGRP?

A. 100
B. 255
C. 15
D. Unlimited
Answer: B

EIGRP supports a maximum hop count of 255.

Why this answer

EIGRP uses a maximum hop count of 255, but the default is 100.

41
Drag & Drop · medium

Drag and drop the steps of named ACL modification using sequence numbers into the correct order, from first to last.

Why this order

Sequence numbers allow editing named ACLs without re-entering all entries. The correct order is: view current entries, insert a new entry at a specific sequence, then verify the updated ACL.

42
MCQ · medium

Examine the CoPP configuration:

class-map match-any COPP_SSH
 match access-group name SSH_ACL
!
policy-map COPP_POLICY
 class COPP_SSH
  police 10000 conform-action transmit exceed-action drop
 class class-default
  police 5000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP_POLICY

Which statement is true?

A. SSH traffic is limited to 10 kbps; all other control plane traffic is limited to 5 kbps.
B. All control plane traffic is limited to 10 kbps.
C. The class-default police rate is ignored because it is not explicitly matched.
D. The policy-map should be applied to an interface, not the control plane.
Answer: A

Class COPP_SSH has a police rate of 10000 bps, class-default has 5000 bps.

Why this answer

The policy applies two police rates: 10 kbps for SSH traffic and 5 kbps for all other control plane traffic.

43
MCQ · medium

A network engineer runs the following command on Router R1:

R1# show ip access-lists
Extended IP access list 120
    10 permit tcp 10.0.0.0 0.255.255.255 any eq 22 (5 matches)
    20 permit tcp 172.16.0.0 0.0.255.255 any eq 22 (3 matches)
    30 deny tcp any any eq 22 (2 matches)
    40 permit ip any any (10 matches)

Based on this output, what can be concluded?

A. SSH access from 192.168.1.0/24 would be denied.
B. SSH access from 10.0.0.0/8 is denied.
C. All SSH traffic is permitted.
D. The ACL has an implicit deny at the end.
Answer: A

Entry 30 denies SSH from any source not matching entries 10 or 20, so 192.168.1.0/24 would be denied.

Why this answer

ACL 120 permits SSH (port 22) from 10.0.0.0/8 and 172.16.0.0/16, denies SSH from all other sources, and permits all other IP traffic. The match counts show 5 SSH packets from 10.x.x.x, 3 from 172.16.x.x, 2 denied SSH packets from other sources, and 10 other packets permitted. The correct answer is that SSH access from 192.168.1.0/24 would be denied.

44
MCQ · medium

A network engineer is troubleshooting an issue where SSH access to a Cisco router from a specific management subnet (10.10.10.0/24) is intermittently failing. The router has a CoPP policy applied to the control plane. The engineer checks the CoPP statistics and sees that packets from the management subnet are being dropped by the control-plane service-policy. Which configuration change should the engineer make to allow SSH from the management subnet while still protecting the control plane?

A. Modify the CoPP ACL to include a permit statement for TCP port 22 from 10.10.10.0/24 before the deny statement.
B. Remove the deny statement from the CoPP ACL to allow all traffic.
C. Increase the police rate for the CoPP class that matches SSH traffic.
D. Remove the CoPP policy from the control plane and rely on interface ACLs.
Answer: A

Correct because this allows SSH traffic from the management subnet to be classified and permitted by the CoPP policy, preventing drops.

Why this answer

The correct answer adds an ACL entry to permit SSH from the management subnet before the deny statement, ensuring that SSH traffic is matched by the CoPP policy and not dropped. Option B is incorrect because removing the deny statement would leave the control plane unprotected. Option C is incorrect because increasing the police rate might not resolve the issue if the traffic is being dropped by an ACL deny.

Option D is incorrect because removing the CoPP policy entirely removes all protection.

45
Drag & Drop · medium

Drag and drop the steps of ACL reflexive access list (dynamic inspection) flow into the correct order, from first to last.

Why this order

Reflexive ACLs work by evaluating outbound traffic to create dynamic entries that allow return traffic. The order is: define extended ACL, apply outbound, define reflexive ACL, apply inbound, then the reflexive entry is created dynamically.

46
MCQ · easy

What is the default OSPF hello interval on a broadcast multi-access network (e.g., Ethernet)?

A. 10 seconds
B. 30 seconds
C. 40 seconds
D. 5 seconds
Answer: A

The default hello interval for OSPF on broadcast and point-to-point networks is 10 seconds.

Why this answer

OSPF defaults to a 10-second hello interval on broadcast and point-to-point networks.

47
Matching · medium

Drag and drop each ACL type on the left to its matching capability on the right.

Filters based on source IP address only

Filters based on source/destination IP, protocol, and port numbers

Allows alphanumeric naming for easier identification

Applies time-of-day restrictions to permit or deny traffic

Opens temporary holes for user authentication

Why these pairings

Standard ACLs filter only source IP; Extended ACLs filter source/dest IP, protocol, and ports; Named ACLs allow alphanumeric naming; Time-based ACLs restrict based on time of day.

48
Matching · hard

Drag and drop each IPv6 ACL feature on the left to its matching IPv4 ACL equivalent on the right.

Equivalent to ip access-list extended in IPv4

Equivalent to deny ip in IPv4 extended ACL

Equivalent to permit tcp in IPv4 extended ACL

Equivalent to sequence number in IPv4 named ACL

Equivalent to implicit deny ip in IPv4 ACL

Why these pairings

IPv6 ACLs use similar logic but with IPv6-specific syntax: deny/ipv6, permit/ipv6, sequence numbers, and implicit deny.

49
MCQ · medium

Consider the following configuration:

ip access-list extended BLOCK_TELNET
 deny tcp any any eq 23
 permit ip any any
!
interface GigabitEthernet0/2
 ip access-group BLOCK_TELNET out

Which statement is true?

A. Telnet traffic entering GigabitEthernet0/2 is blocked.
B. Telnet traffic leaving GigabitEthernet0/2 is blocked.
C. All outbound traffic is blocked.
D. The ACL is incorrectly applied; only named ACLs can be applied outbound.
Answer: B

The outbound ACL denies TCP port 23 (Telnet) on egress.

Why this answer

The ACL is applied outbound, so it filters traffic leaving the interface. Telnet (port 23) is denied, all other traffic permitted.

50
Drag & Drop · medium

Drag and drop the steps of IPv6 ACL configuration and application into the correct order, from first to last.

Why this order

IPv6 ACLs are created in global config, then applied to an interface in the inbound or outbound direction. The order follows standard Cisco IOS configuration sequence: create the ACL, then apply it.

51
Multi-Select · easy

Which two statements about the 'ip access-group' command are true? (Choose two.)

Select 2 answers
A. The 'ip access-group' command applies an ACL to an interface in a specified direction.
B. The 'ip access-group' command can be applied to both physical interfaces and SVIs.
C. The 'ip access-group' command creates a new ACL if the named ACL does not exist.
D. The 'ip access-group' command can only filter traffic in the inbound direction.
E. The 'ip access-group' command is used to apply a CoPP policy to the control plane.
Answers: A, B

Correct because the command syntax is 'ip access-group {acl-name} {in|out}'.

Why this answer

The 'ip access-group' command is used to apply an ACL to an interface in a specific direction (in or out). It can be applied to both Layer 3 interfaces (routed ports) and SVIs. The ACL must already exist in the configuration.

The command does not create the ACL; it only applies it. The 'in' direction filters traffic entering the interface, and 'out' filters traffic leaving.

52
MCQ · medium

A network engineer is troubleshooting an issue where a Cisco router is not responding to SNMP polls from a network management station (NMS) at 192.168.1.50. The router has a CoPP policy that includes a class-map matching SNMP traffic (UDP port 161). The engineer checks the CoPP statistics and sees that SNMP packets from the NMS are being dropped. The engineer wants to allow SNMP from the NMS while still protecting the control plane. Which configuration change should the engineer make?

A. Modify the CoPP ACL to include a permit statement for UDP port 161 from host 192.168.1.50 before the deny statement.
B. Increase the police rate for the CoPP class that matches SNMP traffic.
C. Remove the CoPP policy from the control plane and rely on interface ACLs.
D. Change the SNMP port on the router to a non-standard port to avoid the CoPP policy.
Answer: A

Correct because this allows SNMP traffic from the NMS to be classified and permitted by the CoPP policy.

Why this answer

The correct answer is to modify the CoPP ACL to permit SNMP from the NMS before the deny statement, ensuring that the traffic is matched and permitted. Option B is incorrect because increasing the police rate might not help if the traffic is being denied by an ACL. Option C is incorrect because removing the CoPP policy removes all protection.

Option D is incorrect because changing the SNMP port would require reconfiguring the NMS.

53
Drag & Drop · medium

Drag and drop the steps of uRPF (Unicast Reverse Path Forwarding) verification into the correct order, from first to last.

Why this order

uRPF verification involves checking CEF tables, interface configuration, and packet statistics. The order ensures systematic troubleshooting: start with global CEF, then interface config, then verification commands.

54
MCQ · easy

A network engineer is troubleshooting a connectivity issue between two VLANs on a Cisco Catalyst 3850 switch. The switch has an ACL applied to VLAN 10 that permits traffic from VLAN 20 to VLAN 10, but denies all other traffic. Hosts in VLAN 20 can ping hosts in VLAN 10, but not vice versa. The engineer checks the ACL and finds that it is applied inbound on VLAN 10. What is the most likely cause of the issue?

A. The ACL is applied inbound on VLAN 10, so it only filters traffic entering VLAN 10, not traffic leaving VLAN 10.
B. The ACL is applied outbound on VLAN 10, so it filters traffic leaving VLAN 10, preventing replies.
C. The ACL is applied to the SVI for VLAN 10, but the hosts are in VLAN 10, so the ACL does not apply.
D. The ACL is blocking ICMP echo replies from VLAN 10 to VLAN 20.
Answer: A

Correct because inbound ACLs filter traffic entering the interface; traffic from VLAN 10 to VLAN 20 is leaving VLAN 10 and is not filtered.

Why this answer

The correct answer is that the ACL is applied inbound on VLAN 10, so it filters traffic entering VLAN 10; traffic from VLAN 20 to VLAN 10 is permitted, but traffic from VLAN 10 to VLAN 20 is not affected by this ACL. Option B is incorrect because the ACL is applied inbound, not outbound. Option C is incorrect because the ACL is applied to the VLAN, not the SVI.

Option D is incorrect because the ACL does not affect routing between VLANs; it only filters traffic.

55
Drag & Drop · medium

Drag and drop the steps of IPv6 ACL configuration and application into the correct order, from first to last.

Why this order

The correct order is: create the ACL with deny/permit entries, apply it inbound on an interface, then verify with show commands. This follows standard Cisco IOS ACL configuration workflow.

56
Drag & Drop · medium

Drag and drop the steps of uRPF (Unicast Reverse Path Forwarding) verification into the correct order, from first to last.

Why this order

uRPF verification involves checking if it is enabled, verifying the routing table, testing with ping, checking counters, and interpreting results. The order follows a logical troubleshooting sequence.

57
Drag & Drop · medium

Drag and drop the steps of CoPP class-map match criteria and rate-limit application into the correct order, from first to last.

Why this order

CoPP configuration requires defining match criteria in a class-map, then creating a policy-map with police commands, and finally applying the policy to the control plane. The order follows standard MQC (Modular QoS CLI) process.

58
MCQ · hard

A network engineer runs the following command on Router R1:

R1# show ip access-lists
Extended IP access list 150
    10 permit tcp 10.0.0.0 0.255.255.255 any eq 23 (2 matches)
    20 deny tcp any any eq 23 (8 matches)
    30 permit tcp 172.16.0.0 0.0.255.255 any eq 22 (4 matches)
    40 deny tcp any any eq 22 (1 match)
    50 permit ip any any (15 matches)

Based on this output, what can be concluded?

A. Telnet from 192.168.1.0/24 would be denied, and SSH from 10.0.0.0/8 would be denied.
B. Telnet from 10.0.0.0/8 is denied.
C. SSH from 172.16.0.0/16 is denied.
D. All traffic is permitted.
Answer: A

Telnet from 192.168.1.0/24 matches entry 20 (deny), and SSH from 10.0.0.0/8 does not match entry 30 (which permits only from 172.16.0.0/16), so it matches entry 40 (deny).

Why this answer

ACL 150 permits Telnet (port 23) from 10.0.0.0/8, denies Telnet from all other sources, permits SSH (port 22) from 172.16.0.0/16, denies SSH from all other sources, and permits all other IP traffic. The match counts show 2 Telnet packets from 10.x.x.x, 8 denied Telnet packets from other sources, 4 SSH packets from 172.16.x.x, 1 denied SSH packet from another source, and 15 other packets. The correct answer is that Telnet from 192.168.1.0/24 would be denied, and SSH from 10.0.0.0/8 would be denied because it does not match the SSH permit entry.
