- A
The ACL may block traffic that needs to pass between the two interfaces because it is applied in both directions.
Traffic from Gi0/0 to Gi0/1 is filtered inbound on Gi0/0 and outbound on Gi0/1, potentially blocking non-matching traffic.
- B
The ACL is missing a 'permit ip any any' statement, so all traffic is denied.
Why wrong: The explicit deny at the end denies all traffic not permitted, which is intentional for security.
- C
The ACL should be applied only inbound on both interfaces.
Why wrong: Applying outbound is valid, but the combination may cause issues.
- D
The ACL permits ICMP echo and echo-reply, which could allow ping floods.
Why wrong: While possible, this is not the primary issue with placement.
Quick Answer
The potential issue is that the ACL may block traffic needing to pass between the two interfaces because it is applied both inbound on GigabitEthernet0/0 and outbound on GigabitEthernet0/1. This creates a double-filtering problem where any packet traversing from G0/0 to G0/1 is checked twice by the same ACL, and since the ACL ends with a deny ip any any, only traffic matching the specific permit statements—ICMP echo/echo-reply and TCP to 192.168.1.1 on ports 22 and 443—will survive both checks; all other legitimate inter-interface traffic is denied. On the Cisco CCNP ENARSI 300-410 exam, this tests your understanding of ACL placement logic and how directionality affects traffic flow, often appearing as a trick where students assume applying an ACL in both directions adds security without realizing it can break routing between interfaces. A common trap is forgetting that an ACL filters based on source and destination from the perspective of each interface, so a permit that works inbound may not match the reversed flow outbound. Memory tip: “Double direction, double rejection—one ACL, two checks, blocked connection.”
300-410 Device Access Control Practice Question
This 300-410 practice question tests your understanding of device access control. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Consider the following partial configuration:
ip access-list extended SECURE_ACCESS
 permit icmp any any echo
 permit icmp any any echo-reply
 permit tcp any host 192.168.1.1 eq 22
 permit tcp any host 192.168.1.1 eq 443
 deny ip any any
!
interface GigabitEthernet0/0
 ip access-group SECURE_ACCESS in
!
interface GigabitEthernet0/1
 ip access-group SECURE_ACCESS out
What is a potential issue with this ACL placement?
Correct answer & explanation
The ACL may block traffic that needs to pass between the two interfaces because it is applied in both directions.
The ACL SECURE_ACCESS is applied inbound on GigabitEthernet0/0 and outbound on GigabitEthernet0/1. This means traffic entering G0/0 is filtered by the ACL, and traffic exiting G0/1 is also filtered by the same ACL. Since the ACL denies all IP traffic by default (via the 'deny ip any any' at the end), any packet that must traverse from G0/0 to G0/1 will be checked twice: once inbound on G0/0 and again outbound on G0/1. If the packet matches a permit statement on the inbound check, it may still be denied on the outbound check if the source/destination or protocol does not match the permit entries from the perspective of the outbound interface. In this configuration, the ACL permits only ICMP echo/echo-reply and TCP to 192.168.1.1 on ports 22 and 443; all other traffic is denied. Therefore, legitimate traffic between the two interfaces that does not match these specific permits will be blocked, potentially disrupting connectivity.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓
The ACL may block traffic that needs to pass between the two interfaces because it is applied in both directions.
Why this is correct
Traffic from Gi0/0 to Gi0/1 is filtered inbound on Gi0/0 and outbound on Gi0/1, potentially blocking non-matching traffic.
Related concept
Read the scenario before looking for a memorised answer.
- ✗
The ACL is missing a 'permit ip any any' statement, so all traffic is denied.
Why it's wrong here
The explicit deny at the end denies all traffic not permitted, which is intentional for security.
- ✗
The ACL should be applied only inbound on both interfaces.
Why it's wrong here
Applying outbound is valid, but the combination may cause issues.
- ✗
The ACL permits ICMP echo and echo-reply, which could allow ping floods.
Why it's wrong here
While possible, this is not the primary issue with placement.
Common exam traps
Common exam trap: answer the scenario, not the keyword
Cisco often tests the concept that applying an ACL in both directions (inbound on one interface and outbound on another) can cause unintended filtering of traffic that must pass through the router, leading candidates to overlook the fact that the ACL is evaluated twice and that the permit entries may not cover all necessary flows.
Detailed technical explanation
How to think about this question
When an ACL is applied inbound on one interface and outbound on another, traffic traversing the router is subject to two separate ACL checks: one when it enters the router and another when it exits. Each check evaluates the packet against the ACL rules independently, and the packet must pass both checks to be forwarded. In this scenario, the ACL permits only ICMP echo/echo-reply and TCP to 192.168.1.1 on ports 22 and 443; any other traffic (e.g., HTTP to a different server, DNS, or even TCP return traffic from 192.168.1.1) will be denied by the 'deny ip any any' entry at the end of the ACL on either the inbound or outbound check. This is a common misconfiguration in Cisco IOS where an ACL is applied in both directions without considering that the same ACL rules may not be symmetric for traffic flowing in opposite directions.
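The two-check evaluation described above, modeled as an added Python example (not part of the original page and not Cisco code): it runs first-match evaluation of SECURE_ACCESS for packets crossing from Gi0/0 to Gi0/1. The Packet class, the helper names and the client and server addresses other than 192.168.1.1 are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:                       # constructed test packet (hypothetical helper)
    proto: str                      # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

# SECURE_ACCESS in page order: (action, protocol, dst host, dst port, ICMP type).
# Every entry on the page uses source "any", so source is not modeled.
SECURE_ACCESS = [
    ("permit", "icmp", None, None, "echo"),
    ("permit", "icmp", None, None, "echo-reply"),
    ("permit", "tcp", "192.168.1.1", 22, None),
    ("permit", "tcp", "192.168.1.1", 443, None),
    ("deny", "ip", None, None, None),
]

def evaluate(acl, pkt):
    """First-match evaluation; returns (action, 1-based entry number)."""
    for n, (action, proto, dst, dport, itype) in enumerate(acl, 1):
        if proto not in ("ip", pkt.proto):
            continue
        if dst is not None and dst != pkt.dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        if itype is not None and itype != pkt.icmp_type:
            continue
        return action, n
    return "deny", 0                # implicit deny when nothing matches

def traverse(pkt):
    """Packet enters Gi0/0 (ACL in), is routed, then leaves Gi0/1 (ACL out)."""
    checks = [("Gi0/0 in", evaluate(SECURE_ACCESS, pkt))]
    if checks[0][1][0] == "permit":  # dropped packets never reach the egress check
        checks.append(("Gi0/1 out", evaluate(SECURE_ACCESS, pkt)))
    return all(r[0] == "permit" for _, r in checks), checks

SAMPLES = {                         # constructed flows; client 10.0.0.5 is an assumption
    "ssh to 192.168.1.1": Packet("tcp", "10.0.0.5", "192.168.1.1", 22),
    "http to other server": Packet("tcp", "10.0.0.5", "192.168.1.20", 80),
    "dns query": Packet("udp", "10.0.0.5", "192.168.1.53", 53),
    "tcp return from 192.168.1.1": Packet("tcp", "192.168.1.1", "10.0.0.5", 51000),
    "icmp echo": Packet("icmp", "10.0.0.5", "192.168.1.20", icmp_type="echo"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, traverse(pkt))
```

Each result lists the interface check and the ACL entry number that decided it, which is the same information `show access-lists` hit counters give you on a live router.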
Key Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Last reviewed: Jun 24, 2026
This 300-410 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 300-410 exam.