Practise 350-601 ACL questions covering standard vs extended ACLs, top-down processing, implicit deny, inbound vs outbound placement, and troubleshooting traffic that is unexpectedly blocked or permitted.
How to approach access control list (ACL) scenarios
ACL questions test your ability to read, write, and place access lists correctly. They appear as configuration tasks, troubleshooting scenarios, and exhibit-based questions showing ACL output. The CCNA covers standard and extended ACLs for both IPv4 and IPv6.
Quick answer
ACL questions usually test top-down rule processing, source and destination matching, protocol or port logic, and where the ACL should be applied.
Standard versus extended ACL behaviour.
Top-down processing and the implicit deny rule.
Source, destination, protocol and port matching.
Inbound versus outbound ACL placement.
A data center architect is designing access control for a Cisco ACI fabric. The requirement is to allow HTTP traffic from the web tier (EPG web) to the app tier (EPG app), but deny SSH from the management EPG to the web EPG. Which construct should be used?
A
Create a contract between EPGs with appropriate filters.
Contracts in ACI define allowed communication with filters for specific protocols/ports.
B
Use a tenant to separate the EPGs logically.
Why wrong: Tenants are administrative boundaries, not policy enforcement points.
C
Configure a VRF to isolate traffic between EPGs.
Why wrong: VRF provides routing separation, not granular filtering.
D
Define a bridge domain with L2 policies.
Why wrong: Bridge domain is for Layer 2 forwarding, not access control.
An engineer is configuring a new data center leaf switch to enforce micro-segmentation using Cisco ACI. The requirement is to permit traffic from web servers to application servers on TCP port 8080, but deny all other traffic. The web servers are in EPG 'web_EPG' and application servers in EPG 'app_EPG'. Which contract configuration should be applied?
A
Create a contract with subject 'web_to_app' and apply filter 'tcp_8080'. Use vzAny for both EPGs.
Why wrong: vzAny is used for contracts applied to all EPGs; not required here and could overly permit traffic.
B
Create a contract with subject 'web_to_app' and apply filter 'tcp_8080'. Assign web_EPG as provider and app_EPG as consumer.
Why wrong: This would allow traffic from app to web, not web to app, unless the filter is bidirectional.
C
Create a contract with subject 'web_to_app' and apply filter 'tcp_8080' with direction 'both'. Assign web_EPG as provider and app_EPG as consumer.
Correct: provider sends traffic to consumer; filter permits TCP 8080; direction both allows response.
D
Create a contract with subject 'web_to_app' and apply filter 'ip'. Assign web_EPG as provider and app_EPG as consumer.
Why wrong: IP filter would permit all IP traffic, not just TCP 8080.
An organization is deploying a new ACI fabric. The design requires that traffic between EPGs in the same bridge domain be allowed by default, but traffic between EPGs in different bridge domains must be denied unless explicitly permitted. Which contract scope configuration meets this requirement?
A
Context (default)
Why wrong: Context scope restricts contract application to EPGs within the same bridge domain; cross-bridge-domain traffic would be denied regardless of contract.
B
Application-profile
Why wrong: Application-profile is not a valid contract scope in ACI.
C
Global
Why wrong: Global scope would allow contracts to apply across VRFs, which is too permissive and not typically recommended.
D
VRF
VRF scope allows contracts to apply across bridge domains within the same VRF; without a contract, traffic is denied, and with a contract, permitted.
A network engineer is troubleshooting inter-VLAN routing on a Cisco Nexus 9000 switch. The switch is configured with VLAN 10 and VLAN 20. Hosts in VLAN 10 cannot ping hosts in VLAN 20. The engineer checks the VLAN ACL (VACL) applied to VLAN 10 and finds the following configuration:
ip access-list VACL-FILTER
10 permit ip any any
...
vlan access-map VACL-MAP 10
match ip address VACL-FILTER
action forward
vlan filter VACL-MAP vlan-list 10
What is the most likely reason for the connectivity failure?
A
The access-list permits all, so the VACL should work; perhaps the access-map is missing a default action.
Why wrong: The access-map has action forward, so it permits when matched. Default action is drop, but the ACL matches all, so it should forward. Not the likely cause.
B
The 'vlan filter' command is applied to VLAN 10 only, but the access-map is misconfigured.
Why wrong: The configuration appears correct; the issue is not the VACL configuration itself but its applicability.
C
The VACL is applied only to VLAN 10, so traffic from VLAN 20 to VLAN 10 is not filtered, but this should not cause a failure.
Why wrong: While true that the VACL is only on VLAN 10, the issue is that VACLs do not filter routed traffic, so this is not the root cause.
D
The VACL does not apply to traffic routed through the SVI; a Router ACL (RACL) must be used instead.
Correct. VACLs are only for Layer 2 bridging. For inter-VLAN routing, apply a RACL on the SVI interface.
A data center engineer configures an ACL on a Nexus 9000 switch to block all traffic from the management network (10.10.0.0/16) to the production servers (192.168.1.0/24) except for SSH access from a specific jump host (10.10.1.100). The ACL is applied inbound on the management interface. Which ACL entry is correctly ordered to achieve this requirement?
A
permit ip any any
deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255
permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22
Why wrong: Permits all before deny, making deny useless.
B
permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22
permit ip any any
deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255
Why wrong: Permits all traffic after SSH, opening full access.
C
permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22
deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255
permit ip any any
A network engineer is configuring device access control for Cisco NX-OS switches. The requirement is to use a protocol that separates authentication, authorization, and accounting, and encrypts all communication except the header. Which solution meets this requirement?
A
RADIUS
Why wrong: RADIUS uses UDP and does not encrypt the entire packet; it combines authentication and authorization.
B
LDAP
Why wrong: LDAP is a directory access protocol, not designed for device AAA.
A Cisco ACI fabric has contracts configured to allow traffic between two EPGs. After deployment, traffic between endpoints in these EPGs is being dropped, but contract statistics show no packets have been permitted. The administrator checks the contract configuration and it looks correct. What is the most likely cause?
A
The contract is configured only on the provider EPG, but the consumer EPG is not consuming the contract.
The consumer EPG must also consume the contract; otherwise, traffic is denied.
B
The contract is applied to the wrong VRF.
Why wrong: Contracts are within a VRF, but the VRF is not the issue here.
C
The filter direction is set to both, but the contract is using an incorrect filter.
Why wrong: Filter direction is unlikely to be the cause if the contract statistics show no permits.
D
The endpoints are in different VMM domains.
Why wrong: VMM domains are not required for contract enforcement.
A network administrator implements the ACL shown. After verifying the ACL statistics, all counters show 0 matches. What is the most likely cause?
Exhibit
Refer to the exhibit.
! Nexus 9000 ACL configuration
ip access-list BLOCK_MGMT
10 permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22
20 deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255
30 permit ip any any
interface Ethernet1/1
ip access-group BLOCK_MGMT in
description Management access to servers
! Output of 'show ip access-list BLOCK_MGMT'
IP access list BLOCK_MGMT
statistics per-entry
10 permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22 (0 matches)
20 deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255 (0 matches)
30 permit ip any any (0 matches)
A
The ACL entries are in the wrong order.
Why wrong: The order is correct: permit SSH first, deny the rest of the management network, then permit all.
B
The ACL is applied to the wrong interface.
Ethernet1/1 is a management interface; production traffic likely uses other interfaces.
C
The 'permit ip any any' entry causes all traffic to be permitted before inspection.
Why wrong: Sequence number 30 is last; it would only match after previous entries are evaluated.
D
The ACL is applied outbound instead of inbound.
Why wrong: The configuration shows 'in', so it is inbound.
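The ordering question and the zero-counter exhibit above both rest on the same mechanics: an ACL is walked top down, the first matching entry decides, and per-entry statistics only move when traffic actually reaches the interface the ACL is applied to. The Python below is an added example (not code from the exam page or from Cisco) that models those semantics with IOS/NX-OS wildcard-mask syntax. It replays the three candidate orderings A, B and C against constructed sample flows (the server addresses 192.168.1.10 and .20 and the hosts 10.10.5.5 and 172.16.0.5 are made up; the jump host and networks are the ones in the question) and shows that only the permit-SSH, deny-management, permit-all order meets the requirement, and that a freshly built ACL reports 0 matches on every entry until packets are evaluated against it.

```python
"""Top-down IPv4 ACL evaluation with per-entry hit counters (added example,
not code from the exam page). The first matching entry decides, later entries
are never consulted, and a packet that matches nothing hits the implicit deny.
"""
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

Packet = namedtuple("Packet", "src dst proto dport", defaults=(None,))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(network)) & care)

@dataclass
class Ace:
    """One entry; src/dst are (network, wildcard); dport is set only for 'eq <port>'."""
    action: str
    proto: str
    src: tuple
    dst: tuple
    dport: Optional[int]
    text: str
    matches: int = 0

def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_ace(line: str) -> Ace:
    """Parse IOS/NX-OS style '[seq] permit|deny proto src dst [eq port]'."""
    tokens = line.split()
    if tokens[0].isdigit():          # optional sequence number
        tokens = tokens[1:]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
    return Ace(tokens[0], tokens[1], src, dst, dport, line.strip())

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:   # 'ip' covers any protocol
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return wildcard_match(pkt.src, *ace.src) and wildcard_match(pkt.dst, *ace.dst)

class Acl:
    def __init__(self, name: str, lines):
        self.name = name
        self.entries = [parse_ace(line) for line in lines]
        self.implicit_denies = 0

    def evaluate(self, pkt: Packet) -> str:
        """Return 'permit' or 'deny' from the first matching entry, top down."""
        for ace in self.entries:
            if ace_matches(ace, pkt):
                ace.matches += 1
                return ace.action
        self.implicit_denies += 1    # nothing matched: implicit deny ip any any
        return "deny"

    def counters(self) -> list:
        """Per-entry hit counts, as 'statistics per-entry' reports them."""
        return [(a.text, a.matches) for a in self.entries]

# The three entries from the ordering question, in the order each option lists them.
SSH_FROM_JUMP = "permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22"
DENY_MGMT = "deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255"
PERMIT_ALL = "permit ip any any"
CANDIDATES = {"A": [PERMIT_ALL, DENY_MGMT, SSH_FROM_JUMP],
              "B": [SSH_FROM_JUMP, PERMIT_ALL, DENY_MGMT],
              "C": [SSH_FROM_JUMP, DENY_MGMT, PERMIT_ALL]}

# Constructed sample flows (servers .10/.20, hosts 10.10.5.5 and 172.16.0.5 are made up),
# each paired with the verdict the stated requirement calls for.
SAMPLE_TRAFFIC = {
    "jump_host_ssh": (Packet("10.10.1.100", "192.168.1.10", "tcp", 22), "permit"),
    "jump_host_telnet": (Packet("10.10.1.100", "192.168.1.10", "tcp", 23), "deny"),
    "other_mgmt_ssh": (Packet("10.10.5.5", "192.168.1.10", "tcp", 22), "deny"),
    "mgmt_icmp": (Packet("10.10.5.5", "192.168.1.20", "icmp"), "deny"),
    "non_mgmt_http": (Packet("172.16.0.5", "192.168.1.10", "tcp", 80), "permit"),
}

def verdicts(option: str) -> dict:
    """Evaluate every sample flow against one candidate ordering."""
    acl = Acl("BLOCK_MGMT", CANDIDATES[option])
    return {name: acl.evaluate(pkt) for name, (pkt, _) in SAMPLE_TRAFFIC.items()}

def meets_requirement(option: str) -> bool:
    return verdicts(option) == {name: want for name, (_, want) in SAMPLE_TRAFFIC.items()}

if __name__ == "__main__":
    for opt in CANDIDATES:
        print(opt, "meets requirement" if meets_requirement(opt) else "fails", verdicts(opt))
```

Running it shows option A permitting everything (the `permit ip any any` at the top shadows both later entries), option B letting the non-SSH management traffic through (the shadowing entry sits second), and option C producing exactly the required verdicts. Building the option C ACL and reading `counters()` before any packet is evaluated gives 0 matches on every entry, which is the state the exhibit shows: zero counters on a correctly ordered ACL point at the traffic never reaching that interface, not at the entries themselves.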
During a security audit, you discover that a Cisco Nexus 9000 switch is allowing traffic between two ports in the same VLAN despite having a VLAN ACL that should deny it. The VACL is applied correctly, and the ACL entries are properly configured. What is the most likely reason for this behavior?
A
VACLs only filter traffic between VLANs, not within the same VLAN.
VACLs filter inter-VLAN traffic; intra-VLAN traffic is not affected.
B
The VACL requires Layer 3 inspection to be enabled.
Why wrong: VACLs work at Layer 2 and do not require L3 inspection.
C
The switch does not support hardware VACL processing.
A data center administrator is implementing Cisco TrustSec on a Nexus 7000 switch to enforce role-based access control. After configuring a security group tag (SGT) classification policy, users report that traffic between two servers is not being tagged. What is the most likely cause?
A
DHCP snooping is not enabled on the VLAN.
Why wrong: DHCP snooping is unrelated to SGT classification.
B
The ingress interface is missing the 'sgt' or 'ip policy' command to classify traffic.
Ingress interface must have 'sgt' or 'ip policy' to assign SGTs.
C
The switch ASIC does not support TrustSec in hardware.
Why wrong: Nexus 7000 generally supports TrustSec in hardware.
D
The SGT is assigned on the egress interface instead of ingress.
A small business SAN consists of a single Cisco MDS 9148S switch with 16 Gb Fibre Channel ports. The storage array has four active paths to the switch, and four servers each have two HBAs. The administrator wants to ensure that all paths are utilized and that no single point of failure exists. Currently, all devices are in a single VSAN and zoning is permissive (default deny). After powering on all devices, the administrator notices that the storage array only logs in on two of its four ports. The other two ports show 'no light'. The switch has not been configured with any port settings. What is the most likely cause?
A
The switch ports need to have their speed manually configured to match the array.
Why wrong: Even with auto-negotiation failure, there would be link failures, not no light.
B
The unused ports are in a different VSAN.
Why wrong: VSAN does not affect physical link state.
C
The zoning configuration prevents the array from logging in on those ports.
Why wrong: Zoning affects FC login after link is up, not link state.
D
The storage array's other two ports are not physically connected or are disabled on the array end.
No light indicates the link is down; the cables are most likely missing or the ports are disabled.
A large cloud provider is building a new data center using Cisco ACI with multiple leaf and spine switches. They plan to host thousands of tenants with overlapping IP addresses in different VRFs. The network team has deployed the fabric with a common security policy. During testing, they discover that traffic from Tenant A to Tenant B is being allowed even though a contract should deny it. The APIC policy shows the contract is applied to the EPGs and the deny rule is present. What is the most likely cause of the policy not being enforced?
A
The fabric is using VRF leaking that bypasses contracts.
Why wrong: VRF leaking is not a standard feature and would be deliberate.
B
The contract is not configured with the correct subject.
Why wrong: The subject would affect what traffic is allowed, but the contract exists.
C
The leaf switches have not downloaded the updated policy.
Leaf switches may have stale policy if it has not been refreshed.
D
The EPGs are in the same bridge domain.
Why wrong: EPGs in same BD still require contracts for inter-EPG traffic.
In a Cisco Application Centric Infrastructure (ACI) fabric, a tenant has two EPGs: Web and App. A contract is created between Web (consumer) and App (provider) with a filter that permits TCP port 8080 (the only port used by the application). However, traffic from App to Web is failing. The application requires bidirectional communication: Web initiates requests to App on TCP 8080, and App responds on the same connection (stateful). The engineer verifies that the filter is correctly applied and that both EPGs are in the same VRF. The contract is applied in the direction Web -> App. What is the most efficient way to resolve this issue without compromising security?
A
Verify that no higher-priority contract is overriding; if not, the issue is elsewhere.
Why wrong: While possible, the most common cause is the unidirectional nature of contracts.
B
Set the contract to 'allow any' between the EPGs to bypass filtering.
Why wrong: This would remove all security, which is not acceptable.
C
Create a second contract from App to Web with the same filter, and apply it to App as consumer and Web as provider.
This adds the reverse direction explicitly, allowing return traffic.
D
Modify the existing filter to allow TCP 8080 from App to Web as well.
Why wrong: Filter direction does not change contract direction; the contract still only applies from Web to App.
A Cisco MDS 9000 switch is used in a storage network. The security policy requires that a junior administrator named 'user1' can view zone configurations but cannot make any changes. Currently, 'user1' is assigned the default 'network-operator' role, which allows read-only access to most configuration, but the engineer wants to ensure that zone modification is explicitly denied. The engineer creates a custom role named 'zone-viewer' and assigns it to 'user1'. The role should permit viewing of the running configuration related to zones but deny any command that modifies zone or zoneset configurations. Which configuration best achieves this objective?
A
role name zone-viewer
feature zone; permit command configure terminal ; zone name etc.
Why wrong: Incorrect syntax; 'feature zone' is not a valid command for role configuration.
B
role name zone-viewer
permit command show zone*; permit command show zoneset*
Permits show commands for zone and zoneset, denying configuration commands by default.
C
role name zone-viewer
rule 1 permit read-write; feature zone
Why wrong: This uses rule-based syntax not applicable to MDS; also read-write would allow changes.
D
role name zone-viewer
permit command zone; permit command zoneset; permit command zone-create
Why wrong: These commands are for configuration, which would allow modification.
A data center engineer is troubleshooting connectivity issues between two EPGs in the same tenant on a Cisco ACI fabric. The first EPG 'web_epg' is in VLAN 100 and the second EPG 'db_epg' is in VLAN 200. The contract 'web_to_db' allows TCP port 3306 from web_epg to db_epg. The EPGs are in the same VRF. The engineer has verified that the physical connectivity is correct and the endpoints are learning their IP addresses. However, traffic from web_epg to db_epg is not reaching the destination. The engineer checks the contract and sees that the subject 'mysql_access' has filter 'mysql' with direction 'both'. The provider is db_epg and consumer is web_epg. The engineer also notices that the default action in the contract is 'deny'. What is the most likely cause of the issue?
A
The contract direction is reversed: the provider should be the destination of the traffic. Since web_epg initiates to db_epg, web_epg should be the provider.
In ACI, the provider offers a service; the consumer initiates. Here web_epg initiates, so web_epg should be provider.
B
The VRF is not correctly associated with the EPGs.
Why wrong: EPGs are in the same VRF, so routing is fine.
C
A Layer 3 Outside (L3Out) is required for communication between EPGs in the same VRF.
Why wrong: L3Out is for external connectivity, not internal EPG communication.
D
The filter 'mysql' does not match TCP port 3306.
Why wrong: The filter most likely matches 3306, given that it is named mysql.
These 350-601 practice questions are part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style 350-601 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.