Device Access Control · medium · Multiple Choice · Objective-mapped

Quick Answer

The potential issue is that the ACL may block traffic needing to pass between the two interfaces because it is applied both inbound on GigabitEthernet0/0 and outbound on GigabitEthernet0/1. This creates a double-filtering problem where any packet traversing from G0/0 to G0/1 is checked twice by the same ACL, and since the ACL ends with a deny ip any any, only traffic matching the specific permit statements—ICMP echo/echo-reply and TCP to 192.168.1.1 on ports 22 and 443—will survive both checks; all other legitimate inter-interface traffic is denied. On the Cisco CCNP ENARSI 300-410 exam, this tests your understanding of ACL placement logic and how directionality affects traffic flow, often appearing as a trick where students assume applying an ACL in both directions adds security without realizing it can break routing between interfaces. A common trap is forgetting that an ACL filters based on source and destination from the perspective of each interface, so a permit that works inbound may not match the reversed flow outbound. Memory tip: “Double direction, double rejection—one ACL, two checks, blocked connection.”

300-410 Device Access Control Practice Question

This 300-410 practice question tests your understanding of device access control. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Consider the following partial configuration:

ip access-list extended SECURE_ACCESS
 permit icmp any any echo
 permit icmp any any echo-reply
 permit tcp any host 192.168.1.1 eq 22
 permit tcp any host 192.168.1.1 eq 443
 deny ip any any
!
interface GigabitEthernet0/0
 ip access-group SECURE_ACCESS in
!
interface GigabitEthernet0/1
 ip access-group SECURE_ACCESS out

What is a potential issue with this ACL placement?


Correct answer & explanation

The ACL may block traffic that needs to pass between the two interfaces because it is applied in both directions.

The ACL SECURE_ACCESS is applied inbound on GigabitEthernet0/0 and outbound on GigabitEthernet0/1. This means traffic entering G0/0 is filtered by the ACL, and traffic exiting G0/1 is also filtered by the same ACL. Since the ACL denies all IP traffic by default (via the 'deny ip any any' at the end), any packet that must traverse from G0/0 to G0/1 will be checked twice: once inbound on G0/0 and again outbound on G0/1. If the packet matches a permit statement on the inbound check, it may still be denied on the outbound check if the source/destination or protocol does not match the permit entries from the perspective of the outbound interface. In this configuration, the ACL permits only ICMP echo/echo-reply and TCP to 192.168.1.1 on ports 22 and 443; all other traffic is denied. Therefore, legitimate traffic between the two interfaces that does not match these specific permits will be blocked, potentially disrupting connectivity.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The ACL may block traffic that needs to pass between the two interfaces because it is applied in both directions.

    Why this is correct

    Traffic from Gi0/0 to Gi0/1 is filtered inbound on Gi0/0 and outbound on Gi0/1, potentially blocking non-matching traffic.

    Related concept

    Read the scenario before looking for a memorised answer.

  • The ACL is missing a 'permit ip any any' statement, so all traffic is denied.

    Why it's wrong here

    The explicit deny at the end denies all traffic not permitted, which is intentional for security.

  • The ACL should be applied only inbound on both interfaces.

    Why it's wrong here

    Applying outbound is valid, but the combination may cause issues.

  • The ACL permits ICMP echo and echo-reply, which could allow ping floods.

    Why it's wrong here

    While possible, this is not the primary issue with placement.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Cisco often tests the concept that applying an ACL in both directions (inbound on one interface and outbound on another) can cause unintended filtering of traffic that must pass through the router, leading candidates to overlook the fact that the ACL is evaluated twice and that the permit entries may not cover all necessary flows.

Detailed technical explanation

How to think about this question

When an ACL is applied inbound on one interface and outbound on another, traffic traversing the router is subject to two separate ACL checks: one when it enters the router and another when it exits. Each check evaluates the packet against the ACL rules independently, and the packet must pass both checks to be forwarded. In this scenario, the ACL permits only ICMP echo/echo-reply and TCP to 192.168.1.1 on ports 22 and 443; any other traffic (e.g., HTTP to a different server, DNS, or even TCP return traffic from 192.168.1.1) will be denied by the explicit deny ip any any at the end of the ACL on either the inbound or outbound check. This is a common misconfiguration in Cisco IOS where an ACL is applied in both directions without considering that the same ACL rules may not be symmetric for traffic flowing in opposite directions.
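To make the two-checkpoint behaviour concrete, the following is an added Python simulation; it is not code from this page or from Courseiva. It parses the SECURE_ACCESS list exactly as written in the question, applies the two interface bindings from the configuration, and walks constructed packets through the inbound check on the ingress interface and the outbound check on the egress interface. The hosts and ports in the sample flows (10.0.0.5, 192.168.1.20, 192.168.1.53, the ephemeral port 49152) are constructed for illustration, and the parser covers only the ACL syntax the question uses (any, host, address plus contiguous wildcard, eq, ICMP type).

```python
"""Stateless simulation of an extended ACL evaluated at two checkpoints on
the transit path (ingress inbound, egress outbound). Added example: the ACL
is SECURE_ACCESS from the question, the bindings match its configuration,
and every packet below is constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

SECURE_ACCESS = """
permit icmp any any echo
permit icmp any any echo-reply
permit tcp any host 192.168.1.1 eq 22
permit tcp any host 192.168.1.1 eq 443
deny ip any any
"""

# (interface, direction) -> ACL name, exactly as in the question's config.
BINDINGS = {
    ("GigabitEthernet0/0", "in"): "SECURE_ACCESS",
    ("GigabitEthernet0/1", "out"): "SECURE_ACCESS",
}


@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0           # TCP/UDP destination port (ignored for ICMP)
    icmp_type: str = ""      # "echo" or "echo-reply" for ICMP


@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]     # set by "eq <port>"
    icmp_type: Optional[str]


def parse_addr(tokens: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tokens[i]."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    # Address plus wildcard mask; only contiguous wildcards are handled here.
    wildcard_bits = int(ip_address(tokens[i + 1]))
    prefix = 32 - wildcard_bits.bit_length()
    return ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse the subset of extended-ACL syntax used in the question."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        src, i = parse_addr(tokens, 2)
        dst, i = parse_addr(tokens, i)
        rest = tokens[i:]
        dport: Optional[int] = None
        icmp_type: Optional[str] = None
        if proto == "icmp" and rest:
            icmp_type = rest[0]
        elif rest and rest[0] == "eq":
            dport = int(rest[1])
        aces.append(Ace(action, proto, src, dst, dport, icmp_type))
    return aces


ACLS = {"SECURE_ACCESS": parse_acl(SECURE_ACCESS)}


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ace.src or ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """First-match semantics; anything matching no entry hits the implicit deny."""
    for ace in aces:
        if matches(ace, pkt):
            return ace.action
    return "deny"


def forward(pkt: Packet, ingress: str, egress: str) -> List[Tuple[str, str]]:
    """Record each checkpoint's verdict along the transit path, stopping at the
    first deny. The ACL is stateless, so each check is fully independent."""
    trail = []
    for iface, direction in ((ingress, "in"), (egress, "out")):
        acl_name = BINDINGS.get((iface, direction))
        if acl_name is None:
            trail.append((f"{iface} {direction}", "no ACL"))
            continue
        verdict = evaluate(ACLS[acl_name], pkt)
        trail.append((f"{iface} {direction}", verdict))
        if verdict == "deny":
            break
    return trail


def is_forwarded(pkt: Packet, ingress: str, egress: str) -> bool:
    return all(v != "deny" for _, v in forward(pkt, ingress, egress))


# Constructed sample flows in the G0/0 -> G0/1 direction.
SAMPLE_FLOWS = {
    "ssh to 192.168.1.1": Packet("tcp", "10.0.0.5", "192.168.1.1", dport=22),
    "ping 192.168.1.1": Packet("icmp", "10.0.0.5", "192.168.1.1", icmp_type="echo"),
    "http to another server": Packet("tcp", "10.0.0.5", "192.168.1.20", dport=80),
    "dns query": Packet("udp", "10.0.0.5", "192.168.1.53", dport=53),
    "ssh reply from 192.168.1.1": Packet("tcp", "192.168.1.1", "10.0.0.5", dport=49152),
}

if __name__ == "__main__":
    for label, pkt in SAMPLE_FLOWS.items():
        print(f"{label:28s} {forward(pkt, 'GigabitEthernet0/0', 'GigabitEthernet0/1')}")
```

Running it shows SSH and ping to 192.168.1.1 passing both checkpoints, HTTP and DNS dropped at the very first check, and the reply segment sourced from 192.168.1.1 also dropped, because every permit line describes traffic to that host and none describes traffic from it. Reversing the interfaces shows the other half of the asymmetry: a G0/1 to G0/0 packet meets no ACL at all under this placement. In IOS the usual way to admit TCP replies through a stateless extended ACL is a separate entry with the established keyword, which matches segments carrying ACK or RST; the simulation above does not model that keyword.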

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related 300-410 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 300-410 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 300-410 question test?

This question tests Device Access Control. Read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: The ACL may block traffic that needs to pass between the two interfaces because it is applied in both directions. The full reasoning is given under "Correct answer & explanation" above.

What should I do if I get this 300-410 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.


Last reviewed: Jun 24, 2026


This 300-410 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 300-410 exam.