Scenario-based practice

Access Control List (ACL) Scenarios

Practise 350-601 ACL questions covering standard vs extended ACLs, top-down processing, implicit deny, inbound vs outbound placement, and troubleshooting traffic that is unexpectedly blocked or permitted.

15 scenario questions | Exam code: 350-601 | Vendor: Cisco

Scenario guide

How to approach Access Control List (ACL) scenarios

ACL questions test your ability to read, write, and place access lists correctly. They appear as configuration tasks, troubleshooting scenarios, and exhibit-based questions showing ACL output. The CCNA covers standard and extended ACLs for both IPv4 and IPv6.

Quick answer

ACL questions usually test top-down rule processing, source and destination matching, protocol or port logic, and where the ACL should be applied.

Standard versus extended ACL behaviour.

Top-down processing and the implicit deny rule.

Source, destination, protocol and port matching.

Inbound versus outbound ACL placement.
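To make the top-down, first-match processing and the implicit deny concrete, here is an added Python evaluator written for this page (it is not code from Courseiva's question bank). It applies Cisco wildcard-mask matching to a list of entries in sequence-number order, reports which entry a packet hit, and tallies per-entry counters the way `statistics per-entry` output would. The three entries are taken from the BLOCK_MGMT exhibit in Question 8 on this page; the packets are constructed sample traffic, and the `Packet` and `Ace` classes, `evaluate` and `hit_counters` are this example's own names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-control entry; field layout mirrors the NX-OS syntax."""
    seq: int
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any IP protocol
    src: str                   # "any", "host A.B.C.D", or "A.B.C.D WILDCARD"
    dst: str
    dport: Optional[int] = None  # "eq <port>" applied to the destination port


def _addr_matches(spec: str, addr: str) -> bool:
    """Cisco wildcard-mask semantics: a 1 bit in the mask means don't care."""
    if spec == "any":
        return True
    parts = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    if parts[0] == "host":
        return a == int(ipaddress.IPv4Address(parts[1]))
    net, wildcard = parts
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (n & ~w) & 0xFFFFFFFF == (a & ~w) & 0xFFFFFFFF


def _ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _addr_matches(ace.src, pkt.src) or not _addr_matches(ace.dst, pkt.dst):
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl, pkt: Packet):
    """Top-down, first-match evaluation.

    Returns (action, seq). seq is None when no entry matched, i.e. the
    packet fell through to the implicit deny at the end of every ACL.
    """
    for ace in sorted(acl, key=lambda e: e.seq):
        if _ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


def hit_counters(acl, packets):
    """Per-entry match counts, plus a bucket for the implicit deny."""
    counts = {ace.seq: 0 for ace in sorted(acl, key=lambda e: e.seq)}
    counts["implicit-deny"] = 0
    for pkt in packets:
        _, seq = evaluate(acl, pkt)
        counts[seq if seq is not None else "implicit-deny"] += 1
    return counts


# Entries from the BLOCK_MGMT exhibit (Question 8 on this page).
BLOCK_MGMT = [
    Ace(10, "permit", "tcp", "host 10.10.1.100", "192.168.1.0 0.0.0.255", 22),
    Ace(20, "deny", "ip", "10.10.0.0 0.0.255.255", "192.168.1.0 0.0.0.255"),
    Ace(30, "permit", "ip", "any", "any"),
]

# Same entries with the first two swapped: the broad deny now shadows the
# specific permit, which is the classic ordering mistake ACL questions probe.
MISORDERED = [
    Ace(10, "deny", "ip", "10.10.0.0 0.0.255.255", "192.168.1.0 0.0.0.255"),
    Ace(20, "permit", "tcp", "host 10.10.1.100", "192.168.1.0 0.0.0.255", 22),
    Ace(30, "permit", "ip", "any", "any"),
]

# Constructed sample traffic (not from the page).
SAMPLE = [
    Packet("10.10.1.100", "192.168.1.5", "tcp", 22),   # jump host SSH
    Packet("10.10.1.100", "192.168.1.5", "tcp", 443),  # jump host, other port
    Packet("10.10.2.7", "192.168.1.5", "tcp", 22),     # other mgmt host SSH
    Packet("172.16.0.9", "192.168.1.5", "tcp", 80),    # outside mgmt range
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt, "->", evaluate(BLOCK_MGMT, pkt))
    print(hit_counters(BLOCK_MGMT, SAMPLE))
    print("misordered jump-host SSH ->", evaluate(MISORDERED, SAMPLE[0]))
```

Run it and compare the two ACLs: with the specific permit first, the jump host's SSH hits entry 10 and everything else from 10.10.0.0/16 hits the deny at 20; with the order swapped, the same SSH packet is dropped by entry 10 and entry 20 can never match. Removing entry 30 shows the implicit deny catching traffic that no entry mentions.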

Practice scenarios

Question 1 (easy, multiple choice)

A data center architect is designing access control for a Cisco ACI fabric. The requirement is to allow HTTP traffic from the web tier (EPG web) to the app tier (EPG app), but deny SSH from the management EPG to the web EPG. Which construct should be used?

Question 2 (medium, multiple choice)

An engineer is configuring a new data center leaf switch to enforce micro-segmentation using Cisco ACI. The requirement is to permit traffic from web servers to application servers on TCP port 8080, but deny all other traffic. The web servers are in EPG 'web_EPG' and application servers in EPG 'app_EPG'. Which contract configuration should be applied?

Question 3 (hard, multiple choice)

An organization is deploying a new ACI fabric. The design requires that traffic between EPGs in the same bridge domain be allowed by default, but traffic between EPGs in different bridge domains must be denied unless explicitly permitted. Which contract scope configuration meets this requirement?

Question 4 (medium, multiple choice)

A network engineer is troubleshooting inter-VLAN routing on a Cisco Nexus 9000 switch. The switch is configured with VLAN 10 and VLAN 20. Hosts in VLAN 10 cannot ping hosts in VLAN 20. The engineer checks the VLAN ACL (VACL) applied to VLAN 10 and finds the following configuration:

ip access-list VACL-FILTER
  10 permit ip any any
...
vlan access-map VACL-MAP 10
  match ip address VACL-FILTER
  action forward
vlan filter VACL-MAP vlan-list 10

What is the most likely reason for the connectivity failure?

Question 5 (medium, multiple choice)

A data center engineer configures an ACL on a Nexus 9000 switch to block all traffic from the management network (10.10.0.0/16) to the production servers (192.168.1.0/24) except for SSH access from a specific jump host (10.10.1.100). The ACL is applied inbound on the management interface. Which ACL entry is correctly ordered to achieve this requirement?

Question 6 (easy, multiple choice)

A network engineer is configuring device access control for Cisco NX-OS switches. The requirement is to use a protocol that separates authentication, authorization, and accounting, and encrypts all communication except the header. Which solution meets this requirement?

Question 7 (medium, multiple choice)

A Cisco ACI fabric has contracts configured to allow traffic between two EPGs. After deployment, traffic between endpoints in these EPGs is being dropped, but contract statistics show no packets have been permitted. The administrator checks the contract configuration and it looks correct. What is the most likely cause?

Question 8 (medium, multiple choice)

A network administrator implements the ACL shown. After verifying the ACL statistics, all counters show 0 matches. What is the most likely cause?

Exhibit

Refer to the exhibit.

! Nexus 9000 ACL configuration
ip access-list BLOCK_MGMT
  10 permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22
  20 deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255
  30 permit ip any any

interface Ethernet1/1
  ip access-group BLOCK_MGMT in
  description Management access to servers

! Output of 'show ip access-list BLOCK_MGMT'
IP access list BLOCK_MGMT
    statistics per-entry
    10 permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22 (0 matches)
    20 deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255 (0 matches)
    30 permit ip any any (0 matches)

Question 9 (hard, multiple choice)

During a security audit, you discover that a Cisco Nexus 9000 switch is allowing traffic between two ports in the same VLAN despite having a VLAN ACL that should deny it. The VACL is applied correctly, and the ACL entries are properly configured. What is the most likely reason for this behavior?

Question 10 (medium, multiple choice)

A data center administrator is implementing Cisco TrustSec on a Nexus 7000 switch to enforce role-based access control. After configuring a security group tag (SGT) classification policy, users report that traffic between two servers is not being tagged. What is the most likely cause?

Question 11 (easy, multiple choice)

A small business SAN consists of a single Cisco MDS 9148S switch with 16 Gb Fibre Channel ports. The storage array has four active paths to the switch, and four servers each have two HBAs. The administrator wants to ensure that all paths are utilized and that no single point of failure exists. Currently, all devices are in a single VSAN and zoning is permissive (default deny). After powering on all devices, the administrator notices that the storage array only logs in on two of its four ports. The other two ports show 'no light'. The switch has not been configured with any port settings. What is the most likely cause?

Question 12 (hard, multiple choice)

A large cloud provider is building a new data center using Cisco ACI with multiple leaf and spine switches. They plan to host thousands of tenants with overlapping IP addresses in different VRFs. The network team has deployed the fabric with a common security policy. During testing, they discover that traffic from Tenant A to Tenant B is being allowed even though a contract should deny it. The APIC policy shows the contract is applied to the EPGs and the deny rule is present. What is the most likely cause of the policy not being enforced?

Question 13 (hard, multiple choice)

In a Cisco Application Centric Infrastructure (ACI) fabric, a tenant has two EPGs: Web and App. A contract is created between Web (consumer) and App (provider) with a filter that permits TCP port 8080 (the only port used by the application). However, traffic from App to Web is failing. The application requires bidirectional communication: Web initiates requests to App on TCP 8080, and App responds on the same connection (stateful). The engineer verifies that the filter is correctly applied and that both EPGs are in the same VRF. The contract is applied in the direction Web -> App. What is the most efficient way to resolve this issue without compromising security?

Question 14 (medium, multiple choice)

A Cisco MDS 9000 switch is used in a storage network. The security policy requires that a junior administrator named 'user1' can view zone configurations but cannot make any changes. Currently, 'user1' is assigned the default 'network-operator' role, which allows read-only access to most configuration, but the engineer wants to ensure that zone modification is explicitly denied. The engineer creates a custom role named 'zone-viewer' and assigns it to 'user1'. The role should permit viewing of the running configuration related to zones but deny any command that modifies zone or zoneset configurations. Which configuration best achieves this objective?

Question 15 (medium, multiple choice)

A data center engineer is troubleshooting connectivity issues between two EPGs in the same tenant on a Cisco ACI fabric. The first EPG 'web_epg' is in VLAN 100 and the second EPG 'db_epg' is in VLAN 200. The contract 'web_to_db' allows TCP port 3306 from web_epg to db_epg. The EPGs are in the same VRF. The engineer has verified that the physical connectivity is correct and the endpoints are learning their IP addresses. However, traffic from web_epg to db_epg is not reaching the destination. The engineer checks the contract and sees that the subject 'mysql_access' has filter 'mysql' with direction 'both'. The provider is db_epg and consumer is web_epg. The engineer also notices that the default action in the contract is 'deny'. What is the most likely cause of the issue?

These 350-601 practice questions are part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style 350-601 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.