350-401 · topic practice

ACLs and CoPP practice questions

Practise 350-401 ACL questions covering standard vs extended ACLs, top-down processing, implicit deny, inbound vs outbound placement, and troubleshooting traffic that is unexpectedly blocked or permitted.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: ACLs and CoPP

What the exam tests

What to know about ACLs and CoPP

ACL questions usually test top-down rule processing, source and destination matching, protocol or port logic, and where the ACL should be applied.

Standard versus extended ACL behaviour.

Top-down processing and the implicit deny rule.

Source, destination, protocol and port matching.

Inbound versus outbound ACL placement.

Why learners struggle

Why ACLs and CoPP questions are commonly missed

ACL questions are missed when learners apply the wrong direction, overlook the implicit deny, or confuse standard ACL source-only matching with extended ACL protocol and destination matching. A single out-of-order rule or wrong interface direction makes an otherwise correct ACL fail.

  • Top-down first-match processing — rule order matters; the first match ends evaluation
  • Implicit deny — all traffic not explicitly permitted is denied at the end of every ACL
  • Standard ACLs match source address only — destination, protocol, and port are not considered
  • Extended ACLs match source, destination, protocol, and port — giving finer control
  • Inbound vs outbound — applying the ACL in the wrong direction blocks the wrong traffic
  • Standard ACLs are placed near the destination to avoid blocking other traffic unnecessarily

Watch out for

Common ACLs and CoPP exam traps

  • ACLs are processed from top to bottom; the first match wins.
  • There is an implicit deny at the end of most ACLs.
  • Standard ACLs match source only, while extended ACLs can match protocol, source, destination and ports.
  • Applying an ACL in the wrong direction can make a correct ACL look broken.
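
The first-match and implicit-deny behaviour listed above, as a small Python model. This is an added example, not part of the original practice set; the ACL entries, addresses and packet dictionaries are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

def addr_match(addr, spec):
    """Match addr against 'any', 'host A.B.C.D' or 'A.B.C.D <wildcard-mask>'."""
    if spec == "any":
        return True
    base, wild = (spec.split()[1], "0.0.0.0") if spec.startswith("host ") else spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF  # wildcard 0-bits must match
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

@dataclass
class Ace:
    seq: int
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches every protocol
    src: str
    dst: str
    dport: int = None  # None means no port test (the entry has no "eq")
    matches: int = 0   # hit counter, like the "(N matches)" column

    def hits(self, pkt):
        return (self.proto in ("ip", pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport"))
                and addr_match(pkt["src"], self.src)
                and addr_match(pkt["dst"], self.dst))

def evaluate(acl, pkt):
    """Return (action, seq) of the first matching entry; ("deny", None) is the implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.hits(pkt):
            ace.matches += 1
            return ace.action, ace.seq
    return "deny", None

# Constructed sample ACLs: the same two entries in two different orders.
MGMT = "10.10.10.0 0.0.0.255"
def ordered():
    return [Ace(10, "permit", "tcp", MGMT, "any", 22),
            Ace(20, "deny", "tcp", "any", "any", 22)]
def misordered():
    return [Ace(10, "deny", "tcp", "any", "any", 22),
            Ace(20, "permit", "tcp", MGMT, "any", 22)]
SSH_MGMT = {"proto": "tcp", "src": "10.10.10.5", "dst": "192.0.2.1", "dport": 22}
SSH_OTHER = {"proto": "tcp", "src": "10.10.11.5", "dst": "192.0.2.1", "dport": 22}
PING_MGMT = {"proto": "icmp", "src": "10.10.10.5", "dst": "192.0.2.1"}
if __name__ == "__main__":
    for pkt in (SSH_MGMT, SSH_OTHER, PING_MGMT):
        print(pkt["proto"], pkt["src"], evaluate(ordered(), pkt), evaluate(misordered(), pkt))
```

In the misordered list the permit at sequence 20 never increments its counter, which is the same symptom a zero-match line shows in `show access-lists` output.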

Practice set

ACLs and CoPP questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A network engineer is troubleshooting an issue where SSH access to a Cisco router from a specific management subnet (10.10.10.0/24) is intermittently failing. The router has a CoPP policy applied to the control plane. The engineer checks the CoPP statistics and sees that packets from the management subnet are being dropped by the control-plane service-policy. Which configuration change should the engineer make to allow SSH from the management subnet while still protecting the control plane?

Question 2 · medium · multiple choice

An enterprise network uses a Cisco Catalyst 9300 switch as a distribution layer device. The network team notices that ICMP echo requests from a monitoring server (192.168.1.100) to the switch's management IP are being dropped intermittently. The switch has a CoPP policy that includes a class-map matching ICMP traffic. The engineer checks the CoPP statistics and sees that ICMP packets from the monitoring server are being dropped by the policy. What is the most likely cause of this issue?

Question 3 · hard · multiple choice

A network engineer is configuring CoPP on a Cisco ASR 1000 router to protect the control plane from excessive traffic. The engineer wants to allow BGP traffic from a specific peer (10.0.0.1) while rate-limiting all other BGP traffic. The engineer creates an ACL that permits TCP port 179 from host 10.0.0.1 and denies all other BGP traffic. The CoPP class-map matches this ACL. However, after applying the policy, BGP sessions from other peers are still being established. What is the most likely reason?

Question 4 · easy · multiple choice

A network engineer is troubleshooting a connectivity issue between two VLANs on a Cisco Catalyst 3850 switch. The switch has an ACL applied to VLAN 10 that permits traffic from VLAN 20 to VLAN 10, but denies all other traffic. Hosts in VLAN 20 can ping hosts in VLAN 10, but not vice versa. The engineer checks the ACL and finds that it is applied inbound on VLAN 10. What is the most likely cause of the issue?

Question 5 · hard · multiple choice

A network engineer is configuring CoPP on a Cisco Nexus 9000 switch to protect the control plane from a potential DoS attack. The engineer creates a class-map that matches traffic with a specific DSCP value (AF41) and applies a police rate of 10 Mbps. After applying the policy, the engineer notices that legitimate traffic with DSCP AF41 is being dropped even though the traffic rate is only 5 Mbps. What is the most likely cause?

Question 6 · medium · multiple choice

A network engineer is troubleshooting an issue where a Cisco router is not responding to SNMP polls from a network management station (NMS) at 192.168.1.50. The router has a CoPP policy that includes a class-map matching SNMP traffic (UDP port 161). The engineer checks the CoPP statistics and sees that SNMP packets from the NMS are being dropped. The engineer wants to allow SNMP from the NMS while still protecting the control plane. Which configuration change should the engineer make?

Question 7 · easy · multiple choice

A network engineer is configuring ACLs on a Cisco router to filter traffic between two subnets. The engineer wants to allow HTTP traffic from subnet 10.1.1.0/24 to subnet 10.2.2.0/24, but deny all other traffic. The engineer applies an ACL inbound on the interface connected to subnet 10.1.1.0/24. The ACL has a permit statement for TCP port 80 from 10.1.1.0/24 to 10.2.2.0/24, followed by a deny ip any any. However, hosts in subnet 10.1.1.0/24 can still ping hosts in subnet 10.2.2.0/24. What is the most likely reason?

Question 8 · hard · multiple choice

A network engineer is configuring CoPP on a Cisco router to protect the control plane from excessive traffic. The engineer creates a class-map that matches traffic with a specific ACL that permits TCP port 22 (SSH) from a management subnet (192.168.1.0/24) and denies all other traffic. The CoPP policy applies a police rate of 1 Mbps to this class. After applying the policy, the engineer notices that SSH sessions from the management subnet are being dropped intermittently. The engineer checks the CoPP statistics and sees that the traffic rate is 500 kbps. What is the most likely cause?

Question 9 · easy · multiple choice

A network engineer is troubleshooting an issue where a Cisco router is not forwarding traffic between two VLANs. The router has an ACL applied to the subinterface for VLAN 100 that permits traffic from VLAN 200 to VLAN 100, but denies all other traffic. Hosts in VLAN 200 can ping hosts in VLAN 100, but hosts in VLAN 100 cannot ping hosts in VLAN 200. The engineer checks the ACL and finds that it is applied inbound on the subinterface for VLAN 100. What is the most likely cause of the issue?

Question 10 · medium · multiple choice

A network engineer runs the following command on Router R1:

R1# show access-lists
Extended IP access list 101
    10 permit tcp host 10.1.1.1 host 192.168.1.100 eq 80 (4 matches)
    20 deny tcp any host 192.168.1.100 eq 80 (12 matches)
    30 permit ip any any (8 matches)

Based on this output, what can be concluded?

Question 11 · hard · multiple choice

A network engineer runs the following command on Router R1:

R1# show policy-map control-plane
 Control Plane
  Service-policy input: CoPP-POLICY

    Class-map: ICMP-CLASS (match-all)
      10 packets, 1000 bytes
      5 minute offered rate 0 bps
      Match: access-group name ICMP-ACL
      police:
          cir 8000 bps, bc 1500 bytes, be 1500 bytes
        conformed 10 packets, 1000 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop

    Class-map: SSH-CLASS (match-all)
      5 packets, 500 bytes
      5 minute offered rate 0 bps
      Match: access-group name SSH-ACL
      police:
          cir 16000 bps, bc 3000 bytes, be 3000 bytes
        conformed 5 packets, 500 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop

    Class-map: class-default (match-any)
      20 packets, 2000 bytes
      5 minute offered rate 0 bps
      Match: any
      police:
          cir 64000 bps, bc 8000 bytes, be 8000 bytes
        conformed 20 packets, 2000 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop

Based on this output, what can be concluded?

Question 12 · medium · multiple choice

A network engineer runs the following command on Router R1:

R1# show ip interface GigabitEthernet0/0 | include access list
  Inbound access list is 101
  Outbound access list is not set

R1# show access-lists 101
Extended IP access list 101
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (100 matches)
    20 deny tcp any any eq 80 (50 matches)
    30 permit ip any any (200 matches)

Based on this output, what can be concluded?

Question 13 · medium · multiple choice

A network engineer runs the following command on Router R1:

R1# show ip access-lists
Extended IP access list 120
    10 permit tcp 10.0.0.0 0.255.255.255 any eq 22 (5 matches)
    20 permit tcp 172.16.0.0 0.0.255.255 any eq 22 (3 matches)
    30 deny tcp any any eq 22 (2 matches)
    40 permit ip any any (10 matches)

Based on this output, what can be concluded?

Question 14 · medium · multiple choice

A network engineer runs the following command on Router R1:

R1# show access-lists 130
Extended IP access list 130
    10 permit icmp host 10.1.1.1 any echo (8 matches)
    20 permit icmp host 10.1.1.1 any echo-reply (5 matches)
    30 deny icmp any any (3 matches)
    40 permit ip any any (12 matches)

Based on this output, what can be concluded?

Question 15 · hard · multiple choice

A network engineer runs the following command on Router R1:

R1# show policy-map control-plane
 Control Plane
  Service-policy input: CoPP-POLICY

    Class-map: MGMT-CLASS (match-all)
      100 packets, 5000 bytes
      5 minute offered rate 1000 bps
      Match: access-group name MGMT-ACL
      police:
          cir 32000 bps, bc 4000 bytes, be 4000 bytes
        conformed 80 packets, 4000 bytes; actions:
          transmit
        exceeded 15 packets, 750 bytes; actions:
          drop
        violated 5 packets, 250 bytes; actions:
          drop

    Class-map: class-default (match-any)
      200 packets, 10000 bytes
      5 minute offered rate 2000 bps
      Match: any
      police:
          cir 64000 bps, bc 8000 bytes, be 8000 bytes
        conformed 200 packets, 10000 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop

Based on this output, what can be concluded?

Question 16 · medium · multiple choice

A network engineer runs the following command on Router R1:

R1# show ip interface GigabitEthernet0/1 | include access list
  Inbound access list is not set
  Outbound access list is 140

R1# show access-lists 140
Extended IP access list 140
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 443 (25 matches)
    20 deny tcp any any eq 443 (10 matches)
    30 permit ip any any (50 matches)

Based on this output, what can be concluded?

Question 17 · hard · multiple choice

A network engineer runs the following command on Router R1:

R1# show ip access-lists
Extended IP access list 150
    10 permit tcp 10.0.0.0 0.255.255.255 any eq 23 (2 matches)
    20 deny tcp any any eq 23 (8 matches)
    30 permit tcp 172.16.0.0 0.0.255.255 any eq 22 (4 matches)
    40 deny tcp any any eq 22 (1 match)
    50 permit ip any any (15 matches)

Based on this output, what can be concluded?

Question 18 · hard · multiple choice

A network engineer runs the following command on Router R1:

R1# show policy-map control-plane
 Control Plane
  Service-policy input: CoPP-POLICY

    Class-map: BGP-CLASS (match-all)
      50 packets, 2500 bytes
      5 minute offered rate 500 bps
      Match: access-group name BGP-ACL
      police:
          cir 64000 bps, bc 8000 bytes, be 8000 bytes
        conformed 50 packets, 2500 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop

    Class-map: SNMP-CLASS (match-all)
      200 packets, 10000 bytes
      5 minute offered rate 2000 bps
      Match: access-group name SNMP-ACL
      police:
          cir 16000 bps, bc 2000 bytes, be 2000 bytes
        conformed 150 packets, 7500 bytes; actions:
          transmit
        exceeded 40 packets, 2000 bytes; actions:
          drop
        violated 10 packets, 500 bytes; actions:
          drop

    Class-map: class-default (match-any)
      100 packets, 5000 bytes
      5 minute offered rate 1000 bps
      Match: any
      police:
          cir 32000 bps, bc 4000 bytes, be 4000 bytes
        conformed 100 packets, 5000 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop

Based on this output, what can be concluded?

Question 19 · medium · multiple choice

Examine the following configuration snippet:

interface GigabitEthernet0/1
 ip access-group FILTER_IN in
!
ip access-list extended FILTER_IN
 deny   icmp any any echo
 permit ip any any

What is the effect of this configuration?

Question 20 · medium · multiple choice

Consider the following configuration:

ip access-list extended BLOCK_TELNET
 deny tcp any any eq 23
 permit ip any any
!
interface GigabitEthernet0/2
 ip access-group BLOCK_TELNET out

Which statement is true?

Frequently asked questions

What does the 350-401 exam test about ACLs and CoPP?
ACL questions usually test top-down rule processing, source and destination matching, protocol or port logic, and where the ACL should be applied.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just ACLs and CoPP questions in a focused session?
Yes — the session launcher on this page draws every question from the ACLs and CoPP domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 350-401 topics?
Use the topic links above to move to related areas, or go back to the 350-401 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 350-401 exam covers. They are not copied from any real exam or dump site.