CCNA IPv4 Access Control Lists Questions

67 questions · IPv4 Access Control Lists · All types, answers revealed

1
Multi-Select · medium

Which TWO configuration steps are required to apply an IPv4 extended access list to an interface in Cisco IOS? (Choose TWO.)

Select 2 answers
A. Configure the ACL using access-list or ip access-list commands.
B. Apply the ACL to the interface with the ip access-group command.
C. Create the ACL directly under the interface configuration mode.
D. Use the access-class command on the interface.
E. Enable the ACL with the ip inspect command.
Answers: A, B

The ACL must be defined first with permit/deny entries.

Why this answer

Option A is correct because an IPv4 extended ACL must first be defined using either the numbered `access-list` command or the named `ip access-list extended` command before it can be applied. Option B is correct because the `ip access-group` command is the only way to bind a configured ACL to an interface in Cisco IOS, specifying the direction (in or out) and optionally the VLAN filter.

Exam trap

Cisco often tests the distinction between `ip access-group` (for interfaces) and `access-class` (for VTY lines), leading candidates to mistakenly choose `access-class` when the question specifies an interface.

2
MCQ · hard

A large enterprise network uses EIGRP with route summarization. Router R1 has the following configuration: interface GigabitEthernet0/0, ip summary-address eigrp 100 10.0.0.0 255.255.252.0. Router R2 shows: show ip route eigrp includes 10.0.0.0/22 but not 10.0.3.0/24. What is the root cause?

A. The summary address is misconfigured; it should be 10.0.0.0/24.
B. R2 has a route filter blocking 10.0.3.0/24.
C. The EIGRP summary address suppresses more specific routes within its range.
D. R1's interface is down, preventing route advertisement.
Answer: C

EIGRP summary addresses automatically suppress more specific routes, causing the missing /24.

Why this answer

Option C is correct because the EIGRP `ip summary-address` command on R1 creates a summary route (10.0.0.0/22) that is advertised to R2, and by default EIGRP suppresses the advertisement of all more specific routes that fall within the summary range (10.0.0.0/22 includes 10.0.3.0/24). This is the intended behavior of EIGRP route summarization: the summary route replaces the component routes to reduce routing table size and update overhead.

Exam trap

Cisco often tests the misconception that EIGRP summarization simply advertises a summary route in addition to the more specific routes, when in fact the default behavior is to suppress all component routes within the summary range.

How to eliminate wrong answers

Option A is wrong because the summary address 10.0.0.0/22 is correctly configured to cover the range 10.0.0.0–10.0.3.255; changing it to /24 would only cover 10.0.0.0/24 and would not suppress 10.0.3.0/24. Option B is wrong because there is no evidence of a route filter; the absence of 10.0.3.0/24 is a direct result of the summary address suppression, not a filter. Option D is wrong because if R1's interface were down, R2 would not see the 10.0.0.0/22 summary route either, but the output shows 10.0.0.0/22 is present in R2's routing table.

3
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show ip access-lists
Extended IP access list 170
    10 permit icmp any any echo (100 matches)
    20 permit icmp any any echo-reply (80 matches)
    30 deny ip any any (10 matches)
```

Based on this output, which statement is correct?

A. All ICMP traffic is permitted.
B. Only ICMP echo and echo-reply are permitted; all other IP traffic is denied.
C. The ACL permits all IP traffic.
D. The ACL is not applied.
Answer: B

Line 30 denies all other IP traffic, including other ICMP types.

Why this answer

The ACL 170 explicitly permits only ICMP echo (type 8) and echo-reply (type 0) traffic, as shown by the match counters. The final deny ip any any statement blocks all other IP traffic, including other ICMP types and non-ICMP IP protocols. Therefore, only ICMP echo and echo-reply are permitted; all other IP traffic is denied, making option B correct.

Exam trap

Cisco often tests the misconception that an ACL with only two permit statements for specific ICMP types permits all ICMP traffic, but the explicit or implicit deny ip any any at the end blocks all other ICMP types and non-ICMP IP traffic.

How to eliminate wrong answers

Option A is wrong because the ACL does not permit all ICMP traffic; it only permits ICMP echo and echo-reply, while other ICMP types (e.g., destination unreachable, time-exceeded) are denied by the final deny ip any any statement. Option C is wrong because the ACL explicitly denies all IP traffic with the last statement, so it does not permit all IP traffic. Option D is wrong because the show ip access-lists output displays match counters (100 and 80 matches), which indicate the ACL is applied to an interface and actively processing traffic; an unapplied ACL would show zero matches.

4
MCQ · easy

What is the default behavior of an IPv4 access control list (ACL) when no explicit permit or deny statement matches a packet?

A. The packet is permitted.
B. The packet is denied.
C. The packet is logged and then permitted.
D. The ACL is ignored and the packet is forwarded.
Answer: B

Correct. All ACLs have an implicit deny any at the end.

Why this answer

By default, IPv4 ACLs have an implicit deny any statement at the end. If a packet does not match any explicit permit or deny entry, the implicit deny any is applied, causing the packet to be dropped. This behavior is fundamental to ACL security, ensuring that only explicitly permitted traffic is allowed.

Exam trap

Cisco often tests the misconception that an ACL with no matching entries will permit traffic by default, or that the ACL is simply ignored, when in fact the implicit deny any silently drops all unmatched packets.

How to eliminate wrong answers

Option A is wrong because the default behavior is to deny, not permit; an ACL does not permit unmatched packets. Option C is wrong because logging is not a default action for unmatched packets; logging is only performed if explicitly configured with a log keyword on a permit or deny statement. Option D is wrong because the ACL is never ignored; the implicit deny any is always present and enforced, so unmatched packets are dropped, not forwarded.

5
MCQ · hard

MPLS network: LDP neighbors are down between R1 and R2. R1 shows: show mpls ldp neighbor includes nothing. R2 has: interface GigabitEthernet0/0, mpls ip, but R1 has no mpls ip on its interface. What is the root cause?

A. R1 and R2 are in different MPLS domains.
B. R1's interface lacks the mpls ip command, preventing LDP hello transmission.
C. LDP router IDs are not reachable.
D. The label distribution protocol is set to TDP instead of LDP.
Answer: B

mpls ip enables LDP on the interface; missing it stops LDP.

Why this answer

The root cause is that R1's interface is missing the 'mpls ip' command. This command is required on each interface to enable MPLS forwarding and to send LDP hello messages (UDP port 646) to neighbors. Without it, R1 cannot discover R2 as an LDP neighbor, so the LDP session never forms, and 'show mpls ldp neighbor' returns nothing on R1.

Exam trap

Cisco often tests the specific requirement of the 'mpls ip' interface command for LDP neighbor discovery, leading candidates to incorrectly focus on reachability or protocol version issues when the problem is a missing interface-level command.

How to eliminate wrong answers

Option A is wrong because MPLS domains are not a standard concept; LDP operates within a single routing domain (e.g., OSPF or IS-IS area), and mismatched domains would not prevent LDP hellos if interfaces are correctly configured. Option C is wrong because LDP router IDs not being reachable would prevent the TCP session from establishing after hellos are exchanged, but here no hellos are sent at all due to the missing 'mpls ip' command. Option D is wrong because TDP is a Cisco proprietary protocol (pre-standard) that is not used in modern IOS; even if TDP were configured, it would still require the 'mpls ip' command on the interface to send TDP hellos.

6
MCQ · medium

A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue:

```
R1# debug ip packet 150
IP packet debugging is on for access list 150
*Mar 1 00:25:45.678: IP: s=192.168.1.1 (GigabitEthernet0/0), d=10.1.1.1, len 100, proto UDP, flags 0x0, sport 12345, dport 53, access list 150: matched line 10 permit udp host 192.168.1.1 host 10.1.1.1 eq 53
*Mar 1 00:25:45.679: IP: s=192.168.1.1 (GigabitEthernet0/0), d=10.1.1.1, len 100, proto TCP, flags 0x2, sport 12346, dport 53, access list 150: matched line 20 permit tcp host 192.168.1.1 host 10.1.1.1 eq 53
```

What does this output indicate?

A. DNS traffic from 192.168.1.1 to 10.1.1.1 is being permitted by ACL 150.
B. DNS traffic from 192.168.1.1 to 10.1.1.1 is being denied by ACL 150.
C. ACL 150 is applied outbound on GigabitEthernet0/0.
D. ACL 150 has no line 10 or 20.
Answer: A

Both UDP and TCP DNS packets match permit lines.

Why this answer

The debug output shows that packets from source 192.168.1.1 to destination 10.1.1.1 with destination port 53 (DNS) are matching permit statements in ACL 150 (line 10 for UDP and line 20 for TCP). Since the ACL is permitting these packets, DNS traffic is allowed through the interface where the ACL is applied.

Exam trap

Cisco often tests the misconception that 'debug ip packet' output shows only denied packets, but it actually shows all packets that match the ACL, whether permitted or denied, and the 'permit' or 'deny' keyword in the matched line is what determines the action.

How to eliminate wrong answers

Option B is wrong because the debug output explicitly shows 'permit' for both UDP and TCP DNS packets, not 'deny'. Option C is wrong because the debug output does not indicate the direction (inbound or outbound) of the ACL application; it only shows that packets are being matched against ACL 150 on GigabitEthernet0/0, but the direction is not specified. Option D is wrong because the debug output clearly shows 'matched line 10' and 'matched line 20', confirming that lines 10 and 20 exist in ACL 150.

7
MCQ · hard

An engineer configures an IPsec VPN between two routers using a transform-set with ESP encryption (AES 256) and ESP authentication (SHA-256). The engineer also applies an IPv4 ACL to define interesting traffic that matches all IP traffic. After configuration, the VPN tunnel comes up, but only ICMP traffic is encrypted; other traffic like HTTP is sent in clear text. What is the most likely explanation?

A. The ACL for interesting traffic only permits ICMP, so only ICMP is encrypted.
B. The transform-set does not support HTTP traffic due to port filtering.
C. The IPsec SA is only established for ICMP; other traffic requires a separate SA.
D. The router has a NAT rule that bypasses IPsec for HTTP traffic.
Answer: A

IPsec uses the ACL to determine which traffic to protect; if only ICMP is permitted, other traffic is not encrypted.

Why this answer

The most likely explanation is that the ACL for interesting traffic only permits ICMP, so only ICMP is encrypted. In Cisco IOS, the crypto map uses the ACL to identify which traffic should be protected by IPsec. If the ACL only matches ICMP (e.g., 'permit icmp any any'), then only ICMP packets trigger IPsec encryption; all other traffic, such as HTTP, is forwarded in clear text because it does not match the ACL and is therefore not subject to IPsec processing.

Exam trap

Cisco often tests the misconception that the transform-set or the IPsec SA itself filters traffic by port or protocol, when in reality the ACL is the sole mechanism for defining interesting traffic in a crypto map.

How to eliminate wrong answers

Option B is wrong because transform-sets define encryption and authentication algorithms (e.g., ESP with AES 256 and SHA-256) and do not perform port filtering; they apply to all traffic matched by the ACL. Option C is wrong because IPsec SAs are established per traffic selector (as defined by the ACL), but if the ACL only matches ICMP, only one SA is created for ICMP; other traffic like HTTP would not trigger a separate SA because it is not matched by the ACL. Option D is wrong because while a NAT rule could bypass IPsec, the question states the tunnel comes up and ICMP is encrypted, indicating IPsec is functioning; the most direct and common cause is a restrictive ACL, not a NAT misconfiguration.

8
MCQ · hard

On a DMVPN Phase 2 hub-and-spoke network, an engineer applies an inbound IPv4 ACL on the tunnel interface of a spoke router to permit only traffic from specific spoke IPs. After the ACL is applied, the spoke cannot establish a direct spoke-to-spoke tunnel with another spoke, even though NHRP resolution succeeds. What is the most likely explanation?

A. The ACL is filtering the outer IP header of the mGRE tunnel, blocking spoke-to-spoke traffic.
B. The ACL is filtering NHRP packets, preventing spoke-to-spoke resolution.
C. The spoke has a misconfigured NHRP authentication key.
D. The ACL is applied outbound, filtering outgoing traffic.
Answer: A

The ACL on the tunnel interface filters the encapsulated packets; if it only permits the hub's IP, traffic from other spokes is denied.

Why this answer

In a DMVPN Phase 2 network, spoke-to-spoke traffic is encapsulated in a new IP header with the destination IP set to the target spoke's public address. When an inbound ACL is applied to the spoke's tunnel interface, it filters traffic after decapsulation, meaning it inspects the inner (original) IP header. However, the ACL is applied on the physical interface or the tunnel interface in a way that inadvertently filters the outer IP header of the mGRE tunnel, blocking the encapsulated spoke-to-spoke packets before they can be processed.

Since NHRP resolution succeeds, the spoke knows the peer's address, but the actual data traffic is dropped because the ACL denies the outer encapsulation.

Exam trap

Cisco often tests the distinction between filtering the outer IP header (physical interface) versus the inner IP header (tunnel interface) in DMVPN, leading candidates to incorrectly assume that an ACL on the tunnel interface always inspects the inner packet, when in fact the ACL placement and direction determine which header is evaluated.

How to eliminate wrong answers

Option B is wrong because NHRP resolution succeeds, indicating that NHRP packets (which use UDP port 1701) are not being filtered by the ACL; if they were, the spoke would not be able to resolve the target spoke's address. Option C is wrong because a misconfigured NHRP authentication key would prevent NHRP registration and resolution entirely, but the question states NHRP resolution succeeds. Option D is wrong because the ACL is explicitly stated as inbound on the tunnel interface; an outbound ACL would affect traffic leaving the spoke, not incoming spoke-to-spoke traffic, and the issue is with receiving traffic from the other spoke.

9
MCQ · medium

When using an extended ACL to filter traffic, which fields can be matched? (Choose the most complete answer.)

A. Only source IP address.
B. Source and destination IP addresses, protocol, and port numbers.
C. Source IP address and destination port number only.
D. MAC address and IP address.
Answer: B

Correct. Extended ACLs can match these fields for fine-grained filtering.

Why this answer

Extended ACLs (access control lists) operate at Layer 3 and Layer 4 of the OSI model, allowing matching on source and destination IP addresses, protocol (e.g., TCP, UDP, ICMP), and port numbers. This granularity enables precise traffic filtering beyond the source-only limitation of standard ACLs. Option B correctly lists all these matchable fields, making it the most complete answer.

Exam trap

Cisco often tests the distinction between standard and extended ACLs, trapping candidates who forget that extended ACLs can match protocol and port numbers in addition to source and destination IP addresses, leading them to choose an incomplete option like C or A.

How to eliminate wrong answers

Option A is wrong because it describes a standard ACL, which only matches on source IP address, not the extended ACL's capability. Option C is wrong because it omits destination IP address and protocol, which are essential fields in an extended ACL; extended ACLs can match both source and destination ports, not just destination. Option D is wrong because MAC addresses are Layer 2 fields matched by MAC ACLs or port security, not by extended IP ACLs; extended ACLs do not filter based on MAC addresses.

10
Multi-Select · hard

Which TWO statements about the 'ip access-list resequence' command are true? (Choose TWO.)

Select 2 answers
A. The 'ip access-list resequence' command can be applied to both numbered and named ACLs.
B. The default starting sequence number for the resequence command is 10, and the default increment is 10.
C. The resequence command changes the order in which ACL entries are evaluated.
D. The resequence command is useful when you need to insert a new ACE between two existing entries with consecutive sequence numbers.
E. The resequence command can only be used on extended named ACLs, not standard named ACLs.
Answers: B, D

Correct. By default, the command renumbers starting at 10 with an increment of 10, unless custom values are specified.

Why this answer

Option B is correct because the default starting sequence number for the 'ip access-list resequence' command is 10, and the default increment is also 10. This allows you to renumber the Access Control Entries (ACEs) within an ACL so that you can later insert new entries between existing ones without having to remove and re-add the entire list.

Exam trap

Cisco often tests the misconception that resequencing changes the evaluation order of ACL entries, when in fact it only renumbers the entries without altering their sequence of evaluation.

11
MCQ · hard

An engineer configures an IPv4 ACL with a deny statement for OSPF protocol (IP protocol 89) on a router's serial interface inbound. OSPF neighbors are established, but routes are not exchanged and the neighbor state remains in EXSTART. What is the most likely explanation?

A. The ACL is blocking OSPF hello packets, preventing the neighbor from reaching FULL state.
B. The MTU on the interface is mismatched with the neighbor, causing DBD packets to be fragmented.
C. The ACL is applied outbound instead of inbound, filtering OSPF updates.
D. The router has a distribute-list in OSPF that is filtering routes.
Answer: A

An ACL denying protocol 89 blocks all OSPF packets, including hellos and DBDs, causing the neighbor to remain in EXSTART as DBD exchange fails.

Why this answer

When an ACL denies OSPF (IP protocol 89) inbound on a serial interface, it blocks all OSPF packets, including Hello packets. Without Hello packets, the neighbor cannot transition from EXSTART to FULL state because the OSPF adjacency process requires Hello exchange for neighbor discovery and maintenance. The EXSTART state indicates that the routers have formed a neighbor relationship but cannot exchange Database Description (DBD) packets, which occurs because the ACL is filtering the Hello packets that are needed to confirm bidirectional communication and proceed to the Exchange state.

Exam trap

Cisco often tests the misconception that an ACL blocking OSPF protocol 89 only affects route updates, when in fact it blocks all OSPF packets including Hello, which prevents the adjacency from reaching FULL state.

How to eliminate wrong answers

Option B is wrong because MTU mismatch causes DBD packets to be silently dropped or rejected, leading to a stuck EXSTART state, but the question specifies that the ACL is the configured issue, and MTU mismatch is not related to ACL filtering. Option C is wrong because if the ACL were applied outbound, it would filter OSPF updates leaving the router, but the neighbor would still receive Hello packets and could reach FULL state; the problem states the ACL is applied inbound, so this is a misdirection. Option D is wrong because a distribute-list filters routes within the OSPF process after adjacency is formed, but it does not prevent the neighbor from reaching FULL state; the neighbor would still exchange Hello and DBD packets and become FULL, but routes would be missing from the routing table.

12
Multi-Select · hard

Which THREE statements about IPv4 access control list sequence numbers are true? (Choose THREE.)

Select 3 answers
A. Sequence numbers allow insertion of new entries between existing ones.
B. Sequence numbers are automatically assigned in increments of 10 for numbered ACLs.
C. Named ACLs support sequence numbers.
D. The ip access-list resequence command can renumber ACL entries.
E. Resequencing an ACL changes the order of evaluation.
Answers: A, C, D

You can specify a sequence number to place an entry at a specific position in the ACL.

Why this answer

Sequence numbers in IPv4 ACLs allow administrators to insert new entries between existing ones without deleting and re-entering the entire ACL. This is because each entry is assigned a unique sequence number, and new entries can be added with a sequence number that falls between two existing numbers, enabling granular control over the order of evaluation.

Exam trap

Cisco often tests the misconception that resequencing an ACL changes the order of evaluation, but in reality, it only renumbers the entries while preserving their original sequence; the trap is confusing sequence number reassignment with rule reordering.

13
MCQ · hard

What is the maximum number of entries that can be configured in a single IPv4 ACL in Cisco IOS?

A. 1000
B. 500
C. Unlimited
D. 256
Answer: A

Cisco IOS generally supports up to 1000 ACEs per ACL, though hardware limits may be lower.

Why this answer

Cisco IOS limits a single IPv4 ACL to a maximum of 1000 entries (ACE lines) to prevent performance degradation and excessive memory consumption on the router. This hard limit applies to both standard and extended numbered ACLs, as well as named ACLs, and is enforced by the software to ensure predictable forwarding behavior.

Exam trap

Cisco often tests the 1000-entry limit to catch candidates who assume ACLs are unlimited or who confuse the limit with the 256-entry limit common on older Catalyst switch ACLs.

How to eliminate wrong answers

Option B is wrong because 500 is not the maximum; it is a common misconception that the limit is lower, but Cisco documentation explicitly states 1000 as the cap. Option C is wrong because ACL entries are not unlimited; a finite limit exists to protect router CPU and memory resources, and attempting to exceed 1000 entries results in a configuration rejection. Option D is wrong because 256 is the maximum number of entries for an older or platform-specific ACL (e.g., some Catalyst switches), but for general Cisco IOS routers, the limit is 1000.

14
MCQ · easy

A network engineer runs the following command to troubleshoot an IPv4 Access Control Lists issue:

```
R1# show ip access-lists 101
Extended IP access list 101
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (12 matches)
    20 deny tcp any any eq 443 (5 matches)
    30 permit ip any any (100 matches)
```

What does this output indicate?

A. The ACL is permitting TCP traffic from 192.168.1.0/24 to any destination on port 80, denying all TCP traffic to port 443, and permitting all other IP traffic.
B. The ACL is denying all traffic because line 20 is an explicit deny.
C. The ACL is applied inbound on an interface and is blocking all traffic to port 443.
D. The ACL has no effect because the match counts are too low.
Answer: A

The ACL lines and match counts confirm this behavior.

Why this answer

Option A is correct because the ACL explicitly permits TCP traffic from source 192.168.1.0/24 to any destination on port 80 (line 10), denies TCP traffic from any source to any destination on port 443 (line 20), and then permits all other IP traffic (line 30). The match counts confirm that traffic matching each line has been processed, and the implicit deny at the end is never reached because line 30 permits everything else.

Exam trap

Cisco often tests the misconception that an explicit deny statement (like line 20) blocks all traffic, when in fact it only blocks the specific protocol and port, and subsequent permit entries can still allow other traffic.

How to eliminate wrong answers

Option B is wrong because line 20 is an explicit deny for TCP port 443 only, not an implicit deny at the end of the ACL; the ACL continues to line 30 which permits all other IP traffic, so it does not deny all traffic. Option C is wrong because the output does not indicate the direction (inbound or outbound) or the interface where the ACL is applied; the show ip access-lists command only displays the ACL contents and match counters, not its application point. Option D is wrong because match counts are not required to be high for an ACL to have effect; even low counts indicate that traffic has matched, and the ACL is actively filtering based on its entries.

15
MCQ · easy

By default in Cisco IOS-XE, what is the behavior of an IPv4 ACL when no entries match and the ACL is applied to an inbound interface?

A. The packet is permitted.
B. The packet is denied.
C. The packet is forwarded based on routing table lookup.
D. The ACL logs the packet and continues.
Answer: B

The implicit deny all at the end of every IPv4 ACL denies unmatched traffic.

Why this answer

By default, Cisco IOS-XE applies an implicit 'deny any' statement at the end of every IPv4 ACL. If no entries match the packet, the implicit deny triggers, and the packet is dropped. This behavior is consistent for ACLs applied to inbound interfaces, ensuring that only explicitly permitted traffic is allowed.

Exam trap

Cisco often tests the implicit deny any behavior by presenting scenarios where an ACL has no matching entries, leading candidates to mistakenly think the packet is permitted or forwarded based on routing.

How to eliminate wrong answers

Option A is wrong because the implicit deny any statement at the end of an ACL causes unmatched packets to be dropped, not permitted. Option C is wrong because ACLs operate independently of the routing table; a packet that is denied by an ACL is discarded before any routing decision is made. Option D is wrong because logging is not enabled by default; it requires the explicit 'log' keyword on an ACL entry, and even then, the packet is still subject to the implicit deny if no match occurs.

16
MCQ · hard

A network redistributes OSPF into EIGRP. Router R1 has: redistribute ospf 1 metric 10000 100 255 1 1500. Router R2 shows: show ip route eigrp includes some OSPF routes but not 192.168.1.0/24. What is the root cause?

A. The OSPF route 192.168.1.0/24 is not in the OSPF database.
B. The EIGRP metric components are misordered; delay should be 100, not 10000.
C. The high delay metric (10000) may cause the route to be suppressed by EIGRP's feasibility condition.
D. Redistribution requires a route-map to filter specific routes.
Answer: C

EIGRP uses composite metric; high delay can make the route less feasible, preventing installation.

Why this answer

C is correct because EIGRP uses a feasibility condition to prevent routing loops, which requires that the reported distance (RD) from a neighbor be strictly less than the feasible distance (FD). The redistribute command sets the EIGRP metric components in the order bandwidth, delay, reliability, load, MTU. Here, the delay is set to 10000 tens of microseconds, which is extremely high (100,000 microseconds).

This high delay inflates the composite metric, making the FD very large. When this route is advertised to an EIGRP neighbor, the neighbor's RD may equal or exceed its own FD for that route, violating the feasibility condition and causing the route to be suppressed from the routing table.

Exam trap

Cisco often tests the EIGRP feasibility condition by hiding it behind a metric misconfiguration—candidates mistakenly think the metric values are simply wrong or misordered, when the real issue is that the high delay causes the route to be suppressed by EIGRP's loop-prevention mechanism.

How to eliminate wrong answers

Option A is wrong because the question states that 'show ip route eigrp includes some OSPF routes but not 192.168.1.0/24', implying that the route is present in the OSPF database and is being redistributed, but it is not appearing in the EIGRP topology table or routing table due to a metric or feasibility issue. Option B is wrong because the EIGRP metric components in the 'redistribute ospf 1 metric' command are correctly ordered as bandwidth (kbps), delay (tens of microseconds), reliability, load, MTU; the delay value of 10000 is valid and not misordered—the issue is that this value is too high, not that it is in the wrong position. Option D is wrong because redistribution into EIGRP does not require a route-map to filter specific routes; a route-map is optional and used for policy-based control, but the absence of a route-map does not prevent a redistributed route from appearing in the EIGRP table if the metric is valid and the feasibility condition is met.

17
Drag & Drop · hard

Drag and drop the steps to troubleshoot IPv4 ACL adjacency or connectivity failures into the correct order, from first to last.


Why this order

Start by confirming the ACL is applied to the correct interface and direction; then check for implicit deny blocking traffic; verify sequence numbers and order; examine log entries for hits; finally, adjust ACL by inserting a permit statement before the deny.

18
Multi-Select · hard

Which TWO statements about the 'log' keyword in IPv4 ACL entries are correct? (Choose TWO.)

Select 2 answers
A. The 'log' keyword causes the router to generate a syslog message for every packet that matches the ACE.
B. The log message includes the source and destination IP addresses and the protocol.
C. The 'log' keyword can be used with both permit and deny ACEs.
D. The 'log' keyword is only available in extended ACLs, not standard ACLs.
E. Using the 'log' keyword significantly improves router performance by offloading logging to the CPU.
Answers: B, C

Correct. The log entry typically shows the source IP, destination IP, protocol (e.g., TCP), and the interface where the match occurred.

Why this answer

Option B is correct because when the 'log' keyword is configured on an ACL entry, the router generates a syslog message that includes the source and destination IP addresses, the protocol (e.g., TCP, UDP, ICMP), and for TCP/UDP, the source and destination port numbers. This logging provides essential information for troubleshooting and security monitoring.

Exam trap

Cisco often tests the misconception that the 'log' keyword logs every packet, when in fact it uses rate-limiting to avoid overwhelming the router's CPU.

19
Multi-Select · hard

Which TWO statements about the 'ip access-group' command and its interaction with ACLs are correct? (Choose TWO.)

Select 3 answers
A. An inbound ACL processes packets after the routing decision is made.
B. An outbound ACL processes packets before they leave the interface, after the routing decision.
C. The ACL referenced in the 'ip access-group' command must already exist in the configuration.
D. The 'ip access-group' command can be applied to a Layer 2 switchport to filter IPv4 traffic.
E. The 'ip access-group' command can be applied to a VLAN interface (SVI) to filter traffic routed into or out of that VLAN.
Answers: B, C, E

Correct. Outbound ACLs are applied after the router determines the outgoing interface and before the packet is transmitted.

Why this answer

Option B is correct because an outbound ACL processes packets after the routing decision has been made and just before the packet exits the interface. This ensures that the router first determines the outgoing interface and next hop via its routing table, then applies the ACL to filter traffic based on the destination address and other criteria before forwarding.

Exam trap

Cisco often tests the misconception that an outbound ACL processes packets before routing, when in fact it processes after the routing decision, while an inbound ACL processes before routing.

20
MCQmedium

Consider the following partial configuration on router R1:

```
interface GigabitEthernet0/1
 ip access-group MY_ACL in
!
ip access-list extended MY_ACL
 permit tcp 10.1.1.0 0.0.0.255 any eq 80
 permit icmp any any echo
 deny ip any any
```

What is the effect of this ACL when applied inbound on GigabitEthernet0/1?

A.It permits HTTP requests from 10.1.1.0/24 and ICMP Echo requests from any source; all other IP traffic is denied.
B.It permits HTTP requests from 10.1.1.0/24 and all ICMP traffic; all other IP traffic is denied.
C.It permits HTTP requests from any source to 10.1.1.0/24 and ICMP Echo requests; all other traffic is denied.
D.It permits HTTP requests from 10.1.1.0/24 and ICMP Echo replies; all other IP traffic is denied.
AnswerA

Correct. The ACL permits the specified traffic and denies all other IP traffic.

Why this answer

The ACL is applied inbound on GigabitEthernet0/1. The first permit statement allows TCP traffic from source network 10.1.1.0/24 to any destination on port 80 (HTTP). The second permit statement allows ICMP Echo requests (type 8) from any source.

The final deny statement blocks all other IP traffic. Therefore, only HTTP requests from 10.1.1.0/24 and ICMP Echo requests from any source are permitted; all other IP traffic is denied.

Exam trap

Cisco often tests the distinction between ICMP Echo request and Echo reply, and the trap here is that the 'echo' keyword in an ACL permits only Echo requests, not all ICMP traffic or Echo replies.

How to eliminate wrong answers

Option B is wrong because it states 'all ICMP traffic' is permitted, but the ACL only permits ICMP Echo requests (type 8), not other ICMP types like Echo replies (type 0) or destination unreachable. Option C is wrong because it reverses the source and destination for HTTP traffic; the ACL permits HTTP from 10.1.1.0/24 to any, not from any to 10.1.1.0/24. Option D is wrong because it specifies ICMP Echo replies, but the ACL permits ICMP Echo requests (the 'echo' keyword in Cisco ACLs matches Echo requests, not replies).

21
Multi-Selectmedium

Which TWO statements about IPv4 extended access control lists are true? (Choose TWO.)

Select 2 answers
A.They can filter based on source and destination IP addresses.
B.They are typically placed as close to the source as possible.
C.They use a wildcard mask only for the destination address.
D.They can be named using numbers only.
E.They automatically log all matched packets.
AnswersA, B

Extended ACLs can specify both source and destination addresses in the permit/deny statement.

Why this answer

Option A is correct because IPv4 extended ACLs can filter traffic based on both source and destination IP addresses, as well as protocol type, port numbers, and other parameters. This is defined in the access-list command syntax (e.g., access-list 100 permit tcp 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255 eq 80), which allows granular control beyond standard ACLs that only filter on source IP.

Exam trap

Cisco often tests the misconception that extended ACLs can only be numbered, but they support named ACLs as well, and that wildcard masks apply only to one address field, whereas they apply to both source and destination.

22
MCQhard

An EIGRP network is experiencing stuck-in-active (SIA) routes. Router R1 shows: show ip eigrp topology active includes 10.0.0.0/24. Router R2 has: interface GigabitEthernet0/0, ip summary-address eigrp 100 10.0.0.0 255.255.255.0. What is the root cause?

A.The summary address on R2 is causing a query for the specific route to be suppressed.
B.R1 has a stuck interface causing the SIA.
C.EIGRP is misconfigured with wrong autonomous system number.
D.The route 10.0.0.0/24 is flapping, causing continuous queries.
AnswerA

Summary addresses can cause queries to be aggregated, leading to SIA if replies are not received.

Why this answer

The correct answer is A because the summary address configured on R2 (ip summary-address eigrp 100 10.0.0.0 255.255.255.0) causes R2 to advertise a single summary route (10.0.0.0/24) to R1. When R1 loses its route to 10.0.0.0/24 and sends a query for the specific prefix, R2 does not reply because the summary address suppresses the query for the more specific route, leaving R1 stuck-in-active (SIA) waiting for a reply that never comes.

Exam trap

Cisco often tests the subtle interaction between EIGRP summary addresses and query suppression, where candidates mistakenly think SIA is caused by flapping or interface issues, rather than understanding that a summary address on a downstream router can prevent query replies for more specific prefixes.

How to eliminate wrong answers

Option B is wrong because a stuck interface would cause neighbor loss or interface errors, not a query suppression scenario; SIA is caused by unacknowledged queries, not interface state. Option C is wrong because if the autonomous system numbers were mismatched, the EIGRP neighbors would not form at all, and the show ip eigrp topology active command would not show the route. Option D is wrong because route flapping triggers continuous updates and queries, but the root cause here is the summary address suppressing the query reply, not instability of the route itself.

23
MCQhard

An engineer configures an IPv4 ACL on a router's interface to permit only HTTP traffic (TCP port 80) from a specific subnet. The ACL is applied inbound. After applying, the router's web interface (HTTPS) becomes unreachable from the same subnet. What is the most likely explanation?

A.The ACL denies HTTPS traffic because it is not explicitly permitted.
B.The ACL is applied outbound, filtering traffic to the web server.
C.The router's web server uses HTTP, not HTTPS.
D.The ACL is blocking TCP port 80 due to a typo.
AnswerA

The ACL only permits HTTP; HTTPS (port 443) is denied by the implicit deny, blocking management access.

Why this answer

The ACL is applied inbound on the router interface and only permits TCP port 80 (HTTP). HTTPS uses TCP port 443, which is not explicitly permitted. Since IPv4 ACLs end with an implicit deny any, all traffic not matching a permit statement, including HTTPS, is denied.

This causes the router's web interface (HTTPS) to become unreachable from the subnet.

Exam trap

Cisco often tests the implicit deny any behavior of ACLs and the fact that management protocols (like HTTPS, SSH, SNMP) use different ports than the permitted traffic, causing candidates to overlook the need to explicitly permit those ports.

How to eliminate wrong answers

Option B is wrong because the ACL is explicitly stated as applied inbound, not outbound; an outbound ACL would filter traffic leaving the interface, not traffic entering from the subnet. Option C is wrong because the router's web interface is accessed via HTTPS (TCP 443), not HTTP (TCP 80), and the question confirms it is HTTPS. Option D is wrong because the issue is not a typo on port 80; the ACL correctly permits HTTP, but HTTPS is blocked by the implicit deny, not by a misconfiguration of the permit statement.

24
Multi-Selectmedium

Which TWO commands verify the application and content of an IPv4 access control list on a Cisco IOS router? (Choose TWO.)

Select 2 answers
A.show ip interface
B.show access-lists
C.show running-config | include access-list
D.show ip route
E.debug ip packet
AnswersA, B

This command shows which ACLs are applied inbound/outbound on each interface.

Why this answer

The 'show ip interface' command displays the access lists applied to an interface, including the direction (inbound/outbound) and the specific ACL name or number. The 'show access-lists' command shows the detailed content of all ACLs, including the exact permit/deny statements, sequence numbers, and hit counts, verifying both the application and the rules.

Exam trap

Cisco often tests the distinction between commands that verify ACL application (show ip interface) versus content (show access-lists), and candidates mistakenly choose 'show running-config | include access-list' thinking it shows both, but it only shows the configuration lines without interface binding or hit counts.

25
MCQmedium

Consider this configuration on router R2:

```
interface GigabitEthernet0/0
 ip access-group RESTRICT_ACCESS in
!
ip access-list extended RESTRICT_ACCESS
 permit ip 10.0.0.0 0.255.255.255 any
 deny ip any any
```

What traffic will be permitted inbound on GigabitEthernet0/0?

A.Only traffic from source 10.0.0.0/24.
B.All traffic from the 10.0.0.0/8 network.
C.All traffic from any source.
D.Only traffic from source 10.0.0.0/16.
AnswerB

Correct. The wildcard mask 0.255.255.255 matches the 10.0.0.0/8 range.

Why this answer

The access list RESTRICT_ACCESS uses a wildcard mask of 0.255.255.255, which matches the first octet exactly and ignores the remaining three octets. This effectively permits all traffic from the 10.0.0.0/8 network (10.0.0.0 through 10.255.255.255). The explicit deny ip any any at the end blocks all other traffic, so only traffic sourced from the 10.0.0.0/8 range is permitted inbound on GigabitEthernet0/0.

Exam trap

Cisco often tests the distinction between prefix length and wildcard mask, leading candidates to misinterpret 0.255.255.255 as a /24 or /16 mask instead of the correct /8 range.

How to eliminate wrong answers

Option A is wrong because a wildcard mask of 0.255.255.255 matches the entire /8 range, not just the /24 subnet (which would require a wildcard mask of 0.0.0.255). Option C is wrong because the access list ends with a deny ip any any statement, which blocks all traffic not explicitly permitted by earlier entries. Option D is wrong because a /16 prefix would require a wildcard mask of 0.0.255.255, not 0.255.255.255; the given mask matches the full /8 range.

26
MCQeasy

A network engineer runs the following command on Router R1:

```
R1# show ip interface GigabitEthernet0/1
GigabitEthernet0/1 is up, line protocol is up
  Internet address is 10.1.1.1/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is 101
  Inbound access list is not set
```

Based on this output, which statement is correct?

A.ACL 101 filters traffic entering the interface.
B.ACL 101 filters traffic leaving the interface.
C.The interface has no ACL applied.
D.ACL 101 is applied in both directions.
AnswerB

The output shows 'Outgoing access list is 101', so traffic exiting is filtered.

Why this answer

The command output shows 'Outgoing access list is 101', which indicates that ACL 101 is applied to filter traffic leaving the GigabitEthernet0/1 interface. This is confirmed by the absence of an 'Inbound access list' entry, meaning no ACL is applied to incoming traffic. Therefore, ACL 101 filters traffic leaving the interface.

Exam trap

Cisco often tests the distinction between inbound and outbound ACL application by showing only one direction in the output, leading candidates to assume no ACL is applied or that it applies to both directions.

How to eliminate wrong answers

Option A is wrong because the output shows 'Inbound access list is not set', meaning ACL 101 is not applied to incoming traffic; it is applied to outgoing traffic. Option C is wrong because the output explicitly shows 'Outgoing access list is 101', indicating an ACL is applied. Option D is wrong because the output shows ACL 101 is only applied to outgoing traffic, not inbound, so it is not applied in both directions.

27
MCQeasy

Which statement is true about the implicit deny any at the end of an IPv4 ACL?

A.It can be overridden by adding a permit any at the end.
B.It is invisible and applies only to TCP traffic.
C.It is always present and cannot be removed or overridden.
D.It denies all traffic not explicitly permitted and is always present.
AnswerD

The implicit deny any is a fundamental property of Cisco ACLs.

Why this answer

Option D is correct because every IPv4 ACL has an implicit deny any statement at the end that denies all traffic not explicitly permitted by earlier entries. This implicit rule is always present and cannot be removed, ensuring that only traffic matching a permit entry is allowed through the ACL.

Exam trap

Cisco often tests the misconception that the implicit deny any can be removed or that it only applies to specific protocols, when in fact it is a permanent, protocol-agnostic rule that denies all unmatched traffic.

How to eliminate wrong answers

Option A is wrong because the implicit deny any cannot be overridden; adding a permit any at the end explicitly permits all traffic, effectively negating the implicit deny, but the implicit rule itself remains in the ACL logic. Option B is wrong because the implicit deny any applies to all IP traffic, not just TCP; it covers UDP, ICMP, and any other IP protocol. Option C is wrong because while the implicit deny any is always present and cannot be removed, it can be overridden by a permit any statement placed before it in the ACL; the statement 'cannot be overridden' is incorrect.

28
Multi-Selecthard

Which THREE symptoms indicate that an IPv4 access control list may be misconfigured or not applied correctly? (Choose THREE.)

Select 3 answers
A.Traffic that should be permitted is being blocked.
B.The interface is flapping up and down.
C.High CPU utilization on the router due to ACL processing.
D.ACL hit counts are not incrementing for expected traffic.
E.Routing protocol neighbors are dropping.
AnswersA, C, D

This indicates the ACL may have an incorrect deny statement or order.

Why this answer

Option A is correct because a primary symptom of a misconfigured or incorrectly applied ACL is that it blocks traffic that should be permitted. This typically occurs when the ACL's sequence of permit and deny statements does not match the intended policy, or when the ACL is applied in the wrong direction (inbound vs. outbound) on an interface. The router processes ACL entries sequentially, so a deny statement placed before a permit statement for the same traffic will cause legitimate packets to be dropped.

Exam trap

Cisco often tests the distinction between direct symptoms of ACL misconfiguration (blocking permitted traffic, no hit counts, high CPU) and indirect or unrelated issues (interface flapping, neighbor drops) that candidates might incorrectly associate with ACLs due to a superficial understanding of ACL behavior.

29
MCQmedium

In a standard IPv4 ACL, what is the default wildcard mask if none is explicitly configured?

A.0.0.0.0 (host match)
B.255.255.255.255 (any match)
C.The mask is mandatory; configuration is rejected without it.
D.The mask is derived from the source address class.
AnswerA

When no wildcard mask is given, the router assumes a host match.

Why this answer

In a standard IPv4 ACL, if no wildcard mask is explicitly configured, the default wildcard mask is 0.0.0.0, which means the ACL matches only the exact source IP address (a host match). This is because the access-list command treats the source address as a host address when no mask is provided, effectively applying a host wildcard mask.

Exam trap

Cisco often tests the misconception that a missing wildcard mask defaults to 'any' (255.255.255.255) or that the mask is mandatory, when in fact the default is a host match (0.0.0.0).

How to eliminate wrong answers

Option B is wrong because 255.255.255.255 (any match) is not the default; it would match all source addresses, which is not the behavior when no mask is given. Option C is wrong because the mask is not mandatory; Cisco IOS accepts the command without a wildcard mask and defaults to 0.0.0.0. Option D is wrong because the mask is not derived from the source address class; ACLs do not use classful behavior, and the default is always 0.0.0.0 regardless of the address class.

30
MCQhard

An engineer configures an EIGRP named mode with an offset-list applied to the delay metric on a serial interface. The offset-list increases the delay by 1000 microseconds. However, the feasible distance (FD) updates correctly, but the advertised distance (AD) does not change. What is the most likely explanation?

A.The offset-list only modifies the FD on the local router, not the AD received from the neighbor.
B.The offset-list is applied to the wrong interface; it should be applied to the neighbor's interface.
C.The named mode EIGRP does not support offset-lists; only classic mode does.
D.The offset-list is configured with the wrong direction; it should be inbound.
AnswerA

Offset-list adjusts the delay locally for the FD, but the AD is the neighbor's reported metric and is not altered by the local offset-list.

Why this answer

The offset-list in EIGRP modifies the composite metric (feasible distance) on the local router by adding delay to the interface where it is applied. However, the advertised distance (AD) is the metric that the neighbor reports for a route; it is received in EIGRP update packets and is not altered by the local router's offset-list. Therefore, only the FD changes, while the AD remains unchanged because it is a value learned from the neighbor.

Exam trap

Cisco often tests the distinction between advertised distance and feasible distance, and the trap here is that candidates assume an offset-list applied to an interface will affect both the local metric and the metric reported to neighbors, when in fact it only affects the local FD calculation.

How to eliminate wrong answers

Option B is wrong because the offset-list is applied to the local router's interface to influence the local metric calculation; applying it to the neighbor's interface would not change the AD received from that neighbor. Option C is wrong because named mode EIGRP fully supports offset-lists; they are configured under the address-family section using the 'offset-list' command. Option D is wrong because the offset-list direction (inbound or outbound) controls which routes are affected, not whether the AD or FD is modified; even with inbound direction, the offset-list still only modifies the local FD, not the AD received from the neighbor.

31
MCQmedium

A network engineer runs the following command on Router R1:

```
R1# show ip access-lists
Extended IP access list 180
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (50 matches)
    20 permit tcp 192.168.2.0 0.0.0.255 any eq 443 (30 matches)
    30 deny ip any any (5 matches)
```

Based on this output, what is the problem?

A.Traffic from 192.168.1.0/24 to port 80 is permitted.
B.Traffic from 192.168.2.0/24 to port 443 is denied.
C.All traffic from 192.168.1.0/24 is permitted.
D.The ACL is correctly configured to allow only specific web traffic.
AnswerA

Line 10 permits that traffic with 50 matches.

Why this answer

Option A is correct because the ACL explicitly permits TCP traffic from the 192.168.1.0/24 network to any destination on port 80, as shown by the first entry with 50 matches. The output confirms that this traffic is being allowed, so there is no problem with that specific rule.

Exam trap

Cisco often tests the ability to interpret ACL match counters and recognize that a working ACL with expected matches does not indicate a problem, leading candidates to incorrectly assume a misconfiguration when none exists.

How to eliminate wrong answers

Option B is wrong because the ACL permits TCP traffic from 192.168.2.0/24 to any destination on port 443, as shown by the second entry with 30 matches, so it is not denied. Option C is wrong because the ACL does not permit all traffic from 192.168.1.0/24; it only permits TCP traffic to port 80, and any other traffic from that subnet is denied by the explicit deny ip any any entry (and by the implicit deny at the end of every ACL). Option D is wrong because, although the ACL permits HTTP (port 80) and HTTPS (port 443) and ends with an explicit deny ip any any that is redundant alongside the implicit deny, that redundancy causes no problem; the question asks for the problem, and there is none with the configuration as shown: the ACL is functioning as designed.

32
MCQeasy

In a standard IPv4 ACL, what is the range of valid numbers for the access-list number?

A.1-99 and 1300-1999
B.100-199 and 2000-2699
C.1-99 only
D.1-199
AnswerA

Correct. These are the standard ACL number ranges.

Why this answer

Standard IPv4 ACLs use access-list numbers 1-99 and 1300-1999 to filter traffic based solely on source IP address. The expanded range 1300-1999 was introduced to provide additional standard ACL identifiers beyond the original 1-99, allowing more granular control without overlapping with extended ACL ranges.

Exam trap

Cisco often tests the expanded standard ACL range (1300-1999) to catch candidates who only memorize the original 1-99 range, assuming standard ACLs are limited to that smaller set.

How to eliminate wrong answers

Option B is wrong because 100-199 and 2000-2699 are the valid ranges for extended IPv4 ACLs, not standard ACLs. Option C is wrong because it omits the expanded standard ACL range 1300-1999, which is also valid per Cisco IOS. Option D is wrong because 100-199 is reserved for extended ACLs, and standard ACLs do not include numbers 100-199.

33
MCQmedium

A network engineer runs the following command to troubleshoot an IPv4 access control list issue:

```
R1# show ip access-lists 130
Extended IP access list 130
    10 deny ip host 10.1.1.1 host 10.2.2.2
    20 permit ip any any
```

Then the engineer runs:

```
R1# debug ip packet 130
IP packet debugging is on for access list 130
*Mar 1 00:20:10.123: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto ICMP, access list 130: matched line 10 deny ip host 10.1.1.1 host 10.2.2.2
```

What does this output indicate?

A.ICMP traffic from 10.1.1.1 to 10.2.2.2 is being denied by ACL 130.
B.ICMP traffic from 10.1.1.1 to 10.2.2.2 is being permitted by ACL 130.
C.ACL 130 is applied outbound on GigabitEthernet0/0.
D.ACL 130 is not matching any packets.
AnswerA

The debug shows the match on the deny line.

Why this answer

The debug output explicitly shows that the packet with source 10.1.1.1 and destination 10.2.2.2 matched line 10 of ACL 130, which is a deny statement. Since the ACL is evaluated sequentially and the first match is a deny, the ICMP traffic is denied. The debug message confirms the match, so option A is correct.

Exam trap

Cisco often tests the misconception that a debug message showing a packet matched an ACL line implies the packet was permitted, when in fact the action (deny or permit) is determined by the matched line's action.

How to eliminate wrong answers

Option B is wrong because the debug output shows the packet matched line 10 (deny), not line 20 (permit), so the traffic is denied, not permitted. Option C is wrong because the debug output does not indicate the direction (inbound or outbound) of the ACL application; the interface shown (GigabitEthernet0/0) is the source interface of the packet, not where the ACL is applied. Option D is wrong because the debug output explicitly states 'matched line 10', proving that ACL 130 is matching packets.

34
MCQhard

BGP is used between two ISPs. Router R1 has: neighbor 10.0.0.2 route-map SET-MED in, route-map SET-MED permit 10, set metric 50. Router R2 shows: show ip bgp 172.16.0.0 includes MED 50 but the path is not preferred. What is the root cause?

A.The MED value is too low to influence path selection.
B.The route-map should be applied outbound, not inbound.
C.MED is only compared when paths are from the same neighboring AS.
D.The neighbor has a higher local preference overriding MED.
AnswerC

BGP default behavior ignores MED from different ASes.

Why this answer

Option C is correct because BGP's MED (Multi-Exit Discriminator) attribute is only compared between paths that originate from the same neighboring AS. In this scenario, even though R2 receives a route with MED 50 from R1, the path is not preferred because the competing path likely comes from a different neighboring AS, making the MED comparison invalid. MED is a non-transitive attribute that influences inbound traffic only when comparing multiple exit points from the same AS.

Exam trap

Cisco often tests the nuance that MED is only compared between paths from the same neighboring AS, leading candidates to mistakenly think MED always influences path selection or that the value itself is the issue.

How to eliminate wrong answers

Option A is wrong because a MED value of 50 is not inherently too low; MED is a metric where lower values are preferred, so a low MED would actually make the path more preferred, not less. Option B is wrong because applying the route-map inbound on R1 correctly sets the MED on routes received from R2; applying it outbound would affect routes sent to R2, which is not the intended behavior for influencing R2's path selection. Option D is wrong because while local preference does override MED in BGP path selection order, the question states the MED is 50 but the path is not preferred, and there is no evidence that local preference is configured or higher; the most direct root cause is the AS path comparison rule for MED.

35
MCQhard

An engineer configures unicast Reverse Path Forwarding (uRPF) in strict mode on an interface connected to a customer network. The customer has a default route pointing to the router. After enabling uRPF, the router drops traffic from the customer that has a source IP address that is not in the routing table as a directly connected or static route. What is the most likely explanation?

A.Strict mode uRPF requires a specific route for the source IP; a default route is not sufficient.
B.The customer's default route causes asymmetric routing, which breaks strict mode.
C.The uRPF mode should be loose mode to allow the default route.
D.The router has an ACL that is blocking the traffic before uRPF checks.
AnswerA

Strict mode checks for a matching route with the same incoming interface; a default route does not provide a specific interface match.

Why this answer

Strict mode uRPF verifies that the source IP address of an incoming packet matches a specific route in the routing table, and that the interface used to reach that source IP is the same as the incoming interface. A default route (0.0.0.0/0) is a catch-all entry and does not provide a specific, directly connected or static route for the customer's source IP. Therefore, the router drops the traffic because it cannot find an exact match for the source IP in the routing table, which is a fundamental requirement of strict mode.

Exam trap

Cisco often tests the misconception that a default route satisfies strict mode uRPF requirements, but the trap is that strict mode demands a specific route (not a default) for the source IP, and the incoming interface must match the route's outgoing interface.

How to eliminate wrong answers

Option B is wrong because asymmetric routing is not the core issue; strict mode uRPF drops packets even with symmetric routing if the source IP lacks a specific route. Option C is wrong because loose mode uRPF only checks that a route exists for the source IP in the routing table (including a default route), but it does not require the incoming interface to match; however, the question describes strict mode behavior, not a need to switch modes. Option D is wrong because the problem is explicitly caused by uRPF strict mode, not by an ACL; ACLs are processed after uRPF checks, so they would not be the reason for the drops described.

36
MCQmedium

A network engineer runs the following command on Router R1:

```
R1# show access-lists
Extended IP access list 101
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (10 matches)
    20 deny tcp any host 10.1.1.1 eq 22 (5 matches)
    30 permit icmp any any (2 matches)
    40 deny ip any any (1 match)
```

Based on this output, which statement is correct?

A.Traffic matching line 10 is permitted and counted correctly.
B.All traffic is permitted because line 40 has only 1 match.
C.Line 20 denies SSH traffic to host 10.1.1.1, and 5 packets matched.
D.The ACL has no effect because it is not applied to an interface.
AnswerA, C

Line 10 has 10 matches and is a permit statement, so traffic matching it is permitted.

Why this answer

Option A is correct because the ACL shows 10 matches for line 10, which permits TCP traffic from the 192.168.1.0/24 network to any destination on port 80 (HTTP). The match counter accurately reflects the number of packets that have matched this specific entry, confirming that permitted traffic is being counted correctly.

Exam trap

Cisco often tests the misconception that an ACL's match counters indicate the action taken (permit or deny) rather than just the number of packets that matched the entry, and that an ACL must be applied to an interface to have any effect, but the show access-lists output does not reveal whether it is applied.

How to eliminate wrong answers

Option B is wrong because the presence of a deny ip any any statement at line 40 does not permit all traffic; it denies all unmatched traffic, and the single match indicates that only one packet has been denied so far. Option D is wrong because the ACL can still be applied to an interface (e.g., via the ip access-group command) and the show access-lists output does not indicate whether it is applied or not; the ACL's effect depends on its application, but the output alone does not confirm it has no effect.

37
MCQhard

CoPP is rate-limiting legitimate routing traffic. Router R1 has: class-map match-any ROUTING, match protocol bgp, match protocol ospf, policy-map COPP, class ROUTING, police 10000 conform-action transmit exceed-action drop. BGP sessions are flapping. What is the root cause?

A.The class-map should match only BGP, not OSPF.
B.The police rate is too low, causing drops of BGP packets.
C.CoPP should be applied to the control plane, not the data plane.
D.BGP sessions flap due to MTU mismatch, not CoPP.
AnswerB

10 kbps is insufficient for BGP keepalives and updates, leading to flaps.

Why this answer

B is correct because the police rate of 10,000 bps (10 kbps) is too low for BGP traffic. BGP uses TCP port 179 and can generate bursts of packets during keepalive and update exchanges; if the policer drops BGP packets, the TCP session times out and flaps. The class-map correctly matches both BGP and OSPF, but the rate limit is insufficient for the combined control-plane traffic.

Exam trap

Cisco often tests the misconception that CoPP class-map matching must be exclusive, when in fact the root cause is an overly restrictive police rate that drops essential control-plane packets like BGP keepalives.

How to eliminate wrong answers

Option A is wrong because the class-map uses match-any logic, so matching both BGP and OSPF is valid; the issue is not the match criteria but the police rate. Option C is wrong because CoPP is specifically designed to be applied to the control plane via 'service-policy input CoPP' under 'control-plane' configuration; applying it to the data plane would not protect the control plane. Option D is wrong because MTU mismatch would cause packet fragmentation or loss at Layer 3, but the question explicitly states CoPP is rate-limiting traffic, and BGP flapping due to dropped keepalives is a classic symptom of policer drops, not MTU issues.

38
Multi-Selecthard

Which TWO statements about the behavior of IPv4 ACLs with the 'established' keyword are true? (Choose TWO.)

Select 1 answer
A.The 'established' keyword matches TCP packets that have the ACK or RST bit set.
B.The 'established' keyword can be applied to extended ACLs for UDP traffic to permit return packets.
C.The 'established' keyword checks the state of the session in the router's state table.
D.The 'established' keyword can be used in both standard and extended ACLs.
E.The 'established' keyword will match a TCP SYN packet sent from a client to initiate a connection.
AnswersA

Correct. The keyword checks for ACK or RST bits, which indicate packets belonging to an existing TCP session.

Why this answer

Option A is correct because the 'established' keyword in an extended IPv4 ACL matches TCP packets that have the ACK or RST bit set. This allows return traffic from an established session to pass through the ACL while blocking initial connection attempts, as a SYN packet alone would not have these bits set.

Exam trap

Cisco often tests the misconception that the 'established' keyword performs stateful inspection or works with UDP, when in reality it is a simple stateless TCP flag check limited to extended ACLs.

39
MCQhard

Management traffic is being dropped. Router R1 has: access-list 100 deny ip any any log, applied to VTY lines. Remote access via SSH fails, but console works. What is the root cause?

A.The ACL should permit SSH before the deny statement.
B.The VTY lines require transport input ssh, but the ACL is irrelevant.
C.The ACL is applied to the wrong interface.
D.The log keyword causes performance issues, not drops.
AnswerA

Without a permit statement for SSH, the deny blocks all traffic.

Why this answer

The ACL `access-list 100 deny ip any any log` applied to VTY lines denies all IP traffic, including SSH, before any permit statement can match. Since SSH traffic is denied, remote access fails. The correct fix is to add a `permit tcp any any eq 22` statement before the deny to allow SSH management traffic.

Exam trap

The trap here is that candidates often think the ACL is applied to an interface (Option C) or that the `log` keyword causes the problem, when in fact the issue is the order of ACL entries—specifically, the missing permit for SSH before the global deny.

How to eliminate wrong answers

Option B is wrong because the VTY lines do require `transport input ssh` for SSH access, but the ACL is directly relevant—it is the cause of the drops, and without a permit for SSH, even with correct transport settings, traffic is denied. Option C is wrong because the ACL is correctly applied to VTY lines (using `access-class`), not to an interface; applying it to an interface would affect transit traffic, not management traffic. Option D is wrong because the `log` keyword does not cause drops; it only generates log messages for matched packets, and the drops are due to the `deny` action itself.

40
MCQmedium

Given this configuration:

```
interface GigabitEthernet0/4
 ip access-group BLOCK_FTP in
!
ip access-list extended BLOCK_FTP
 deny tcp any any eq 21
 deny tcp any any eq 20
 permit ip any any
```

What is the effect of this ACL when applied inbound on GigabitEthernet0/4?

A.It blocks all FTP traffic entering the interface, but permits all other IP traffic.
B.It blocks all FTP traffic leaving the interface.
C.It permits FTP traffic and blocks all other IP traffic.
D.It has no effect because the ACL is missing a sequence number.
AnswerA

Correct. The ACL denies FTP ports and permits everything else.

Why this answer

The ACL is applied inbound on GigabitEthernet0/4, meaning it filters traffic as it enters the interface. The first two deny statements block TCP traffic destined for ports 21 (FTP control) and 20 (FTP data), which are the standard ports for FTP. The final permit ip any any allows all other IP traffic.

Thus, only FTP traffic is blocked, and all other IP traffic is permitted.

Exam trap

Cisco often tests the distinction between inbound and outbound ACL application, and the trap here is that candidates may confuse the direction (in vs out) and incorrectly think the ACL blocks outbound traffic, or they may overlook that the explicit permit ip any any is required to allow other traffic after the deny statements.

How to eliminate wrong answers

Option B is wrong because the ACL is applied inbound (ip access-group BLOCK_FTP in), so it filters traffic entering the interface, not leaving it; outbound filtering would require the out keyword. Option C is wrong because the ACL explicitly denies FTP traffic (ports 20 and 21) and permits all other IP traffic, so it blocks FTP, not permits it. Option D is wrong because Cisco IOS extended ACLs do not require sequence numbers; sequence numbers are optional and used for editing, not for the ACL to function.

41
MCQmedium

What is the default behavior of an IPv4 ACL regarding the order of evaluation when multiple entries match a packet?

A.The most specific entry is used regardless of order.
B.The first matching entry in the list is applied.
C.All matching entries are evaluated and the most permissive action is taken.
D.The last matching entry in the list overrides earlier ones.
AnswerB

Cisco ACLs process entries in order; the first match wins.

Why this answer

Cisco IOS processes IPv4 ACL entries in sequential order, from top to bottom. When a packet matches an entry, the associated permit or deny action is applied immediately, and no further entries are evaluated. This first-match rule is fundamental to ACL design and troubleshooting.

Exam trap

Cisco often tests the misconception that ACLs use longest-prefix matching like routing tables, but ACLs strictly use first-match order, not specificity.

How to eliminate wrong answers

Option A is wrong because ACLs do not use longest-prefix or most-specific matching; they use first-match logic, regardless of specificity. Option C is wrong because ACL evaluation stops at the first match; it does not continue to evaluate all entries or combine actions. Option D is wrong because the first matching entry is applied, not the last; later entries are never reached if a match occurs earlier.

42
MCQhard

What is the default behavior for an IPv4 ACL applied to an outbound interface when the packet is generated by the router itself (e.g., ping from the router)?

A.The outbound ACL filters the packet normally.
B.The packet bypasses the outbound ACL and is forwarded directly.
C.The packet is dropped by the implicit deny.
D.The ACL is applied only if the packet matches a permit statement.
AnswerB

Locally generated packets are not subject to outbound ACL filtering.

Why this answer

When a router generates a packet (e.g., from a ping sourced from its own IP address), the packet is not subject to outbound ACL filtering. Instead, it is forwarded directly out the interface because the ACL is applied only to packets that are routed through the router, not to locally generated traffic. This behavior is consistent with Cisco IOS, where outbound ACLs inspect packets entering the router from another interface, not those originating from the router itself.

Exam trap

Cisco often tests the misconception that outbound ACLs apply to all traffic leaving an interface, including locally generated packets, leading candidates to incorrectly select Option A or C.

How to eliminate wrong answers

Option A is wrong because outbound ACLs do not filter locally generated packets; they only filter packets that are routed through the router from another interface. Option C is wrong because the implicit deny at the end of an ACL applies only to packets that are actually processed by the ACL; locally generated packets bypass the ACL entirely, so they are not dropped by the implicit deny. Option D is wrong because the ACL is not applied at all to locally generated packets, regardless of whether they match a permit statement; the packet is forwarded without ACL inspection.

43
MCQhard

A network engineer configures an inbound IPv4 ACL on a router's interface to filter BGP updates from an eBGP neighbor. The ACL permits only specific prefixes. After applying the ACL, the BGP session remains established, but the router does not install any routes from that neighbor. What is the most likely explanation?

A.The ACL is blocking TCP port 179 packets, but keepalives are permitted due to a separate permit statement.
B.The ACL is applied outbound instead of inbound, filtering the router's own updates.
C.The BGP neighbor has a distribute-list that is filtering routes.
D.The ACL is using the wrong protocol number; BGP uses UDP port 179.
AnswerA

If the ACL permits keepalives (e.g., by allowing established connections) but denies the initial update packets, the session stays up but updates are filtered.

Why this answer

The ACL is applied inbound on the router's interface to filter BGP updates from the eBGP neighbor. If the ACL permits only specific prefixes but does not explicitly permit TCP port 179 (BGP's transport protocol), the TCP packets carrying BGP updates and keepalives may be blocked. However, the BGP session remains established because keepalives are permitted by a separate permit statement (or because the session was established before the ACL was applied and the TCP connection is not reset).

The router does not install routes because the ACL drops the BGP update messages (which contain the NLRI) while allowing keepalives to maintain the session.

Exam trap

Cisco often tests the distinction between filtering the BGP session (TCP port 179) and filtering the routing updates (NLRI) within the session; the trap here is that candidates assume an ACL that permits specific prefixes will automatically allow the BGP session to function, but the ACL must also permit the TCP transport for BGP to exchange updates.

How to eliminate wrong answers

Option B is wrong because if the ACL were applied outbound instead of inbound, it would filter the router's own outgoing updates, not the incoming updates from the neighbor; the router would still receive and process the neighbor's updates, so routes would be installed. Option C is wrong because a distribute-list on the neighbor would filter routes before they are sent to the router, but the question states the ACL is applied on the router's interface; the neighbor's distribute-list would not cause the router to fail to install routes after receiving them. Option D is wrong because BGP uses TCP port 179, not UDP; an ACL filtering by protocol number would need to match TCP (protocol 6), not UDP (protocol 17).

44
MCQmedium

Given the following configuration:

```
interface GigabitEthernet0/2
 ip access-group FILTER_SSH in
!
ip access-list extended FILTER_SSH
 permit tcp any host 192.168.1.10 eq 22
 permit udp any host 192.168.1.10 eq 22
```

What is the issue with this ACL?

A.The ACL permits UDP port 22, which is not used by SSH; this could allow unwanted UDP traffic.
B.The ACL is missing a deny statement at the end to block other traffic.
C.The ACL should use the 'established' keyword to allow return traffic.
D.The ACL should be applied outbound instead of inbound.
AnswerA

Correct. SSH uses TCP, so the UDP permit is unnecessary and potentially risky.

Why this answer

The ACL permits both TCP and UDP traffic to destination port 22. SSH uses only TCP port 22; UDP port 22 is not used by SSH. The second permit statement allows any UDP traffic to port 22, which could be unwanted (e.g., UDP-based attacks or non-SSH services).

This is the issue.

Exam trap

Cisco often tests the misconception that SSH uses both TCP and UDP, or that permitting UDP port 22 is harmless, when in fact only TCP port 22 is valid for SSH.

How to eliminate wrong answers

Option B is wrong because an ACL implicitly denies all traffic at the end; a deny statement is not required unless you need explicit logging or a specific deny action. Option C is wrong because the 'established' keyword is used for TCP stateful filtering to allow return traffic, but this ACL is filtering inbound traffic to a specific host; return traffic would be handled by outbound ACLs or stateful inspection, and the issue here is the UDP permit. Option D is wrong because applying the ACL outbound would filter traffic leaving the interface, but the intent is to filter inbound SSH traffic to the host; inbound application is correct for this purpose.

45
Drag & Dropmedium

Drag and drop the steps to verify and validate the operational state of IPv4 ACLs into the correct order, from first to last.


Why this order

First, display all ACLs with show access-list; second, check interface bindings with show ip interface; third, verify hits on each entry; fourth, confirm the ACL is active using show running-config; fifth, test traffic with extended ping or traffic generator.

46
MCQmedium

Examine the following configuration snippet:

```
interface GigabitEthernet0/0
 ip access-group BLOCK_TELNET out
!
ip access-list extended BLOCK_TELNET
 deny tcp any any eq 23
 permit ip any any
```

What is the effect of applying this ACL outbound on GigabitEthernet0/0?

A.It blocks Telnet traffic entering the interface from the network.
B.It blocks Telnet traffic leaving the interface, but permits all other IP traffic.
C.It permits Telnet traffic and blocks all other IP traffic.
D.It has no effect because the ACL is missing a sequence number.
AnswerB

Correct. The outbound ACL denies Telnet and permits all other IP traffic.

Why this answer

The ACL is applied outbound on GigabitEthernet0/0, meaning it filters traffic as it leaves the interface. The first rule denies TCP traffic destined for port 23 (Telnet), and the second rule permits all other IP traffic. Therefore, Telnet sessions initiated from inside the network and exiting this interface are blocked, while all other traffic is allowed.

Exam trap

Cisco often tests the distinction between inbound and outbound ACL application, and the trap here is that candidates mistakenly think an outbound ACL filters traffic entering the interface rather than leaving it.

How to eliminate wrong answers

Option A is wrong because the ACL is applied outbound, not inbound; it blocks traffic leaving the interface, not entering. Option C is wrong because the ACL denies Telnet traffic (port 23) and permits all other IP traffic, not the reverse. Option D is wrong because sequence numbers are not required for named extended ACLs; the ACL is valid and functional as written.

47
MCQhard

DMVPN phase 2 network: spoke-to-spoke tunnels fail. Router Spoke1 has: tunnel source GigabitEthernet0/0, tunnel mode gre multipoint, ip nhrp network-id 1, ip nhrp nhs 10.0.0.1. Router Spoke2 shows: show dmvpn includes Spoke1 in NHRP cache but no spoke-to-spoke tunnel. What is the root cause?

A.Spoke1 and Spoke2 have different NHRP network IDs.
B.The hub is not configured with ip nhrp redirect, preventing shortcut initiation.
C.Spoke1 has a firewall blocking GRE traffic.
D.The tunnel mode should be point-to-point for spoke-to-spoke.
AnswerB

Without redirect, spokes do not learn each other's real IPs for direct tunnels.

Why this answer

In a DMVPN Phase 2 network, spoke-to-spoke tunnels require the hub to send NHRP redirect messages to inform spokes of the shortcut path. Without the 'ip nhrp redirect' command on the hub, spokes will not attempt to build direct tunnels, even if they have each other's NHRP cache entries. This is the root cause because Spoke1 and Spoke2 can see each other in the NHRP cache but lack the trigger to initiate the spoke-to-spoke GRE tunnel.

Exam trap

Cisco often tests the distinction between NHRP cache entries (which indicate registration and mapping) and the actual tunnel establishment, which requires additional mechanisms like NHRP redirect in Phase 2 or NHRP shortcut switching in Phase 3.

How to eliminate wrong answers

Option A is wrong because different NHRP network IDs would prevent the spokes from registering with the hub and appearing in each other's NHRP cache, but the scenario states Spoke1 is in the NHRP cache of Spoke2, so the network IDs must match. Option C is wrong because a firewall blocking GRE traffic would prevent any tunnel establishment, including the hub-to-spoke tunnels, but the scenario indicates that spoke-to-hub tunnels are working (since NHRP registration succeeded). Option D is wrong because DMVPN Phase 2 requires multipoint GRE (mGRE) on spokes to support multiple tunnel endpoints; point-to-point tunnels would only allow a single destination and break the DMVPN architecture.

48
MCQhard

An engineer configures mutual redistribution between OSPF and EIGRP on a router. Both protocols have routes for the same prefix. The engineer also applies an inbound ACL on the OSPF interface to deny certain routes from being learned via OSPF. After the ACL is applied, the router still has the prefix in the routing table, but it is learned via EIGRP instead of OSPF. What is the most likely explanation?

A.The ACL blocks OSPF updates, so the router learns the prefix via EIGRP with a lower AD.
B.The ACL is applied outbound, so it filters OSPF routes being sent to the neighbor.
C.The router has a static route for the prefix with AD 1.
D.The OSPF process has a distribute-list that is filtering the route.
AnswerA

The ACL prevents OSPF from learning the route, but redistribution allows EIGRP to carry it, and EIGRP's lower AD makes it the best path.

Why this answer

Option A is correct because the inbound ACL on the OSPF interface blocks the OSPF-learned route from being installed in the routing table. Since mutual redistribution is configured, the same prefix is also learned via EIGRP. EIGRP has a default administrative distance (AD) of 90 for internal routes, which is lower than OSPF's AD of 110.

Therefore, the router selects the EIGRP route as the best path, and the prefix remains in the routing table but now points to the EIGRP next hop.

Exam trap

Cisco often tests the distinction between filtering routing updates via an interface ACL (which blocks the entire OSPF packet, preventing route learning) versus using a distribute-list (which filters specific routes within the routing process), leading candidates to confuse the two mechanisms.

How to eliminate wrong answers

Option B is wrong because the question explicitly states the ACL is applied inbound on the OSPF interface, not outbound; an outbound ACL would filter routes being sent to a neighbor, not affect routes received by the local router. Option C is wrong because a static route with AD 1 would always be preferred over both OSPF (AD 110) and EIGRP (AD 90), but the scenario describes the prefix being learned via EIGRP, not a static route; there is no mention of a static route being configured. Option D is wrong because a distribute-list under the OSPF process could filter the route, but the question states the ACL is applied directly on the OSPF interface, not as a distribute-list; a distribute-list is a separate filtering mechanism that operates on routing updates within the OSPF process, not on the interface itself.

49
MCQeasy

A network engineer runs the following command to troubleshoot an IPv4 access control list issue:

```
R1# show ip interface GigabitEthernet0/1 | include access list
  Outgoing access list is 140
  Inbound access list is not set
```

Then the engineer runs:

```
R1# show ip access-lists 140
Extended IP access list 140
    10 deny icmp any any
    20 permit ip any any
```

What does this output indicate?

A.ACL 140 is applied outbound on GigabitEthernet0/1, denying ICMP and permitting all other traffic.
B.ACL 140 is applied inbound on GigabitEthernet0/1, blocking ICMP.
C.ACL 140 is not applied to any interface.
D.ACL 140 is applied both inbound and outbound.
AnswerA

The output shows the ACL and its entries.

Why this answer

The output of `show ip interface GigabitEthernet0/1 | include access list` shows `Outgoing access list is 140`, confirming that ACL 140 is applied outbound on that interface. The ACL itself contains two entries: `deny icmp any any` (sequence 10) and `permit ip any any` (sequence 20). Because entries are processed top-down and the first match wins, outbound ICMP matches sequence 10 and is dropped; every other IP packet falls through to sequence 20 and is permitted.

The correct interpretation is that ACL 140 is applied outbound, denying ICMP and permitting all other traffic.

Exam trap

Cisco often tests the misconception that 'permit ip any any' overrides all previous deny statements, but in reality, ACLs are processed top-down and the first matching entry determines the action, so the deny icmp entry still blocks ICMP despite the later permit all.

How to eliminate wrong answers

Option B is wrong because the 'show ip interface' output explicitly states 'Inbound access list is not set', so ACL 140 is not applied inbound. Option C is wrong because the output shows 'Outgoing access list is 140', confirming the ACL is applied outbound on the interface. Option D is wrong because the output shows only an outbound ACL; there is no inbound ACL applied, so it is not applied both inbound and outbound.

50
MCQeasy

A network engineer runs the following command on Router R1:

```
R1# show ip access-lists
Extended IP access list 150
    10 permit ip 10.0.0.0 0.255.255.255 any (500 matches)
    20 deny ip any any (100 matches)
```

Based on this output, which statement is correct?

A.Traffic from 10.0.0.0/8 is denied.
B.Traffic not from 10.0.0.0/8 is denied.
C.All traffic is permitted.
D.The ACL has no effect.
AnswerB

Line 20 denies all other traffic with 100 matches.

Why this answer

ACL 150 has a permit entry for source 10.0.0.0/8 (wildcard 0.255.255.255) followed by an explicit deny ip any any. Traffic matching the permit (from 10.0.0.0/8) is allowed, while all other traffic is denied by the explicit deny entry at line 20 (the implicit deny at the end of the list is never reached). Thus, traffic not from the 10.0.0.0/8 network is denied, making option B correct.

Exam trap

Cisco often tests the misconception that an ACL with a permit entry followed by a deny entry permits all traffic, when in fact the deny explicitly blocks everything not matching the earlier permit.

How to eliminate wrong answers

Option A is wrong because the ACL permits traffic from 10.0.0.0/8 (500 matches), not denies it. Option C is wrong because the ACL includes an explicit deny ip any any (100 matches), which blocks all traffic not matching the permit, so not all traffic is permitted. Option D is wrong because the ACL is applied (matches are shown) and actively filters traffic, so it has an effect.

51
MCQeasy

A network engineer runs the following command on Router R1:

```
R1# show ip access-lists
Extended IP access list 130
    10 deny ip 192.168.1.0 0.0.0.255 any (0 matches)
    20 permit ip any any (1000 matches)
```

Based on this output, which statement is correct?

A.Traffic from 192.168.1.0/24 is being denied.
B.Traffic from 192.168.1.0/24 is being permitted.
C.The ACL is blocking all traffic.
D.The ACL is misconfigured because line 10 is not needed.
AnswerB

Since line 10 has no matches, traffic from that subnet is matched by line 20 (permit any any) and permitted.

Why this answer

Option B is correct because the ACL processes packets sequentially: line 10 denies traffic from 192.168.1.0/24 but has 0 matches, meaning no packets from that source have been evaluated. Line 20 permits all other traffic and has 1000 matches, so traffic from 192.168.1.0/24 is implicitly permitted by the permit any any statement since it is never denied.

Exam trap

The trap here is that candidates assume the deny statement is actively blocking traffic based on its configuration, ignoring the match counters that reveal no packets have actually matched that line.

How to eliminate wrong answers

Option A is wrong because the deny statement has 0 matches, indicating that no traffic from 192.168.1.0/24 has been denied; the permit any any statement allows all traffic, including from that subnet. Option C is wrong because the ACL is not blocking all traffic; line 20 permits any traffic, as shown by 1000 matches. Option D is wrong because the ACL is not misconfigured; line 10 may be intended for future use or logging, and its presence does not cause a misconfiguration—it simply has no effect until traffic from that subnet is seen.

52
MCQmedium

A network engineer runs the following command to troubleshoot an IPv4 access control list issue:

```
R1# debug ip packet 110
IP packet debugging is on for access list 110
*Mar 1 00:15:22.345: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto TCP, flags 0x2, sport 12345, dport 23, access list 110: matched line 10 deny tcp host 10.1.1.1 host 10.2.2.2 eq 23
*Mar 1 00:15:22.346: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto TCP, flags 0x10, sport 12345, dport 23, access list 110: matched line 10 deny tcp host 10.1.1.1 host 10.2.2.2 eq 23
```

What does this output indicate?

A.Telnet traffic from 10.1.1.1 to 10.2.2.2 is being denied by ACL 110.
B.Telnet traffic from 10.1.1.1 to 10.2.2.2 is being permitted by ACL 110.
C.ACL 110 is applied outbound on GigabitEthernet0/0.
D.ACL 110 has no line 10.
AnswerA

The debug shows the packets match the deny line.

Why this answer

The debug output shows packets with source IP 10.1.1.1 and destination IP 10.2.2.2, protocol TCP, destination port 23 (Telnet), and the log explicitly states 'matched line 10 deny tcp host 10.1.1.1 host 10.2.2.2 eq 23'. This confirms that ACL 110 is denying Telnet traffic from 10.1.1.1 to 10.2.2.2. The flags 0x2 (SYN) and 0x10 (ACK) indicate the initial and subsequent packets of the Telnet session are both being denied.

Exam trap

The trap here is that candidates may misinterpret the 'matched line 10 deny' as a permit action or assume the ACL is applied outbound based on the source interface, but the debug only shows the packet's ingress interface and the ACL match result, not the ACL's application direction.

How to eliminate wrong answers

Option B is wrong because the debug output clearly shows 'deny' on line 10, not 'permit', so Telnet traffic is being blocked, not permitted. Option C is wrong because 's=10.1.1.1 (GigabitEthernet0/0)' only identifies the interface on which the packet arrived; the debug output says nothing about the direction in which ACL 110 is applied, or even whether it is applied on that interface or on another one. Option D is wrong because the debug output explicitly states 'matched line 10', proving that line 10 exists in ACL 110.

53
MCQmedium

A network engineer runs the following command to troubleshoot an IPv4 access control list issue:

```
R1# show ip access-lists 160
Extended IP access list 160
    10 permit tcp 10.0.0.0 0.255.255.255 any eq 22
    20 permit tcp 172.16.0.0 0.15.255.255 any eq 22
    30 permit tcp 192.168.0.0 0.0.255.255 any eq 22
    40 deny ip any any
```

What does this output indicate?

A.The ACL permits SSH from private IP ranges and denies all other traffic.
B.The ACL permits all traffic from private IP ranges.
C.The ACL denies SSH from private IP ranges.
D.The ACL is applied inbound on an interface and is blocking all traffic.
AnswerA

The entries permit SSH from the specified ranges and deny everything else.

Why this answer

The ACL permits TCP traffic to destination port 22 (SSH) from the three private IP ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) using wildcard masks that match the respective network prefixes. The final explicit deny ip any any statement blocks all other traffic, so only SSH from private IP ranges is permitted.

Exam trap

Cisco often tests the distinction between 'permit all traffic' and 'permit specific traffic (e.g., SSH only)', leading candidates to overlook the port-specific 'eq 22' and incorrectly assume the ACL permits all traffic from the private ranges.

How to eliminate wrong answers

Option B is wrong because the ACL only permits TCP traffic to port 22, not all traffic; it specifically filters by destination port. Option C is wrong because the permit statements allow SSH from private IP ranges, not deny it. Option D is wrong because the output shows only the ACL content, not its application direction or interface; the ACL could be applied inbound or outbound, and the deny ip any any does not inherently indicate it is blocking all traffic—it only blocks traffic not matching earlier permits.

54
MCQhard

A network engineer runs the following command on Router R1:

```
R1# show ip access-lists
Extended IP access list 160
    10 permit tcp any any established (200 matches)
    20 permit udp any any (100 matches)
    30 deny ip any any (50 matches)
```

Based on this output, what is the problem?

A.The ACL allows all UDP traffic.
B.The ACL blocks all traffic except established TCP and UDP.
C.The ACL permits all TCP traffic.
D.The ACL is correctly configured for a firewall.
AnswerB

Line 30 denies all other IP traffic, which may block new TCP connections and other protocols.

Why this answer

The ACL 160 permits only established TCP sessions (using the 'established' keyword, which matches TCP segments with the ACK or RST bit set) and all UDP traffic, while denying everything else. This means non-established TCP traffic (e.g., initial SYN packets) is blocked, so the ACL effectively blocks all traffic except established TCP and UDP, making option B correct.

Exam trap

Cisco often tests the misconception that an ACL with 'permit tcp any any established' allows all TCP traffic, when in fact it only permits TCP segments with the ACK or RST bit set, blocking initial SYN packets.

How to eliminate wrong answers

Option A is wrong because the ACL does allow all UDP traffic (as shown by the 'permit udp any any' line), so this is not a problem—it is a correct observation but not the issue. Option C is wrong because the ACL does not permit all TCP traffic; it only permits established TCP sessions, blocking initial TCP handshake packets. Option D is wrong because the ACL is not correctly configured for a firewall; a proper firewall ACL should typically permit only specific necessary traffic and deny all else, but here it allows all UDP traffic without restriction, which is a security risk.
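As an added illustration of the matching rules these questions rely on (first match wins and the implicit deny, question 41; wildcard masks, questions 50 and 53; the established keyword, questions 38 and 54), here is a small Python model of IOS extended-ACL evaluation. It is not Cisco code: the ACE parser, the Packet class and the sample ACLs are constructed for this example, and it supports only the keywords that appear on this page (any, host, eq, established, log).

```python
"""Toy model of IOS IPv4 extended-ACL evaluation (illustration only, not IOS code)."""
from dataclasses import dataclass
import ipaddress
from typing import Optional

@dataclass
class Packet:                 # constructed test packet, not a real capture
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    dport: int = 0            # destination port, TCP/UDP only
    ack: bool = False         # TCP ACK flag
    rst: bool = False         # TCP RST flag

@dataclass
class Entry:                  # one access control entry (ACE)
    seq: int
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp", "udp" or "icmp"
    src: str
    src_wc: str               # wildcard mask: 1 bits are "don't care"
    dst: str
    dst_wc: str
    dport: Optional[int] = None   # from "eq <port>"
    established: bool = False     # TCP with ACK or RST set
    matches: int = 0              # hit counter, as in show ip access-lists

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the address bits that are 0 in the wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def _parse_addr(t, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at t[i]."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def parse_acl(lines):
    """Parse ACEs in IOS syntax; sequence numbers run 10, 20, 30 ... as IOS assigns them."""
    acl = []
    for n, line in enumerate(lines, start=1):
        t = line.split()
        action, proto = t[0], t[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in ACE: {line}")
        src, src_wc, i = _parse_addr(t, 2)
        dst, dst_wc, i = _parse_addr(t, i)
        dport, established = None, False
        while i < len(t):
            if t[i] == "eq":
                dport, i = int(t[i + 1]), i + 2
            elif t[i] == "established":
                established, i = True, i + 1
            elif t[i] == "log":          # logging never changes the action
                i += 1
            else:
                raise ValueError(f"unsupported keyword {t[i]!r} in ACE: {line}")
        acl.append(Entry(10 * n, action, proto, src, src_wc, dst, dst_wc,
                         dport, established))
    return acl

def entry_matches(e: Entry, p: Packet) -> bool:
    """Stateless check of one ACE against one packet."""
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.src, e.src, e.src_wc):
        return False
    if not wildcard_match(p.dst, e.dst, e.dst_wc):
        return False
    if e.dport is not None and (p.proto not in ("tcp", "udp") or p.dport != e.dport):
        return False
    # 'established' is a flag check only: a SYN without ACK never matches
    if e.established and not (p.proto == "tcp" and (p.ack or p.rst)):
        return False
    return True

def evaluate(acl, p: Packet):
    """Return (action, seq) of the first matching entry; no match hits the
    implicit deny, reported as ("deny", None)."""
    for e in acl:
        if entry_matches(e, p):
            e.matches += 1
            return e.action, e.seq
    return "deny", None

if __name__ == "__main__":           # constructed sample: ACL 160 from question 54
    acl160 = parse_acl(["permit tcp any any established", "permit udp any any",
                        "deny ip any any"])
    syn = Packet("10.1.1.1", "10.2.2.2", "tcp", 22)               # new session
    ack = Packet("10.2.2.2", "10.1.1.1", "tcp", 40000, ack=True)  # return traffic
    print(evaluate(acl160, syn))   # ('deny', 30): the SYN lacks ACK/RST
    print(evaluate(acl160, ack))   # ('permit', 10)
```

Feeding the page's other ACLs through `parse_acl` and `evaluate` reproduces their answer keys, including the implicit deny (sequence None, no counter incremented) for a packet that matches no entry of FILTER_SSH.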

55
MCQeasy

Which of the following is true regarding the placement of an IPv4 ACL to filter traffic between two internal subnets?

A.Standard ACLs should be placed closest to the source.
B.Extended ACLs should be placed closest to the destination.
C.Standard ACLs should be placed closest to the destination.
D.Placement does not affect ACL functionality.
AnswerC

Standard ACLs lack destination filtering; placing near destination prevents blocking traffic to other networks.

Why this answer

Standard ACLs filter based solely on the source IP address and lack the granularity to distinguish between different destination subnets. Placing a standard ACL closest to the destination ensures that traffic is filtered only after it has reached the target subnet, preventing the ACL from inadvertently blocking traffic to other destinations that share the same source. This placement aligns with the Cisco best practice of placing standard ACLs near the destination to minimize unintended filtering.

Exam trap

Cisco often tests the misconception that standard ACLs should be placed closest to the source (like extended ACLs), but the correct practice is to place standard ACLs closest to the destination due to their lack of destination-based filtering.

How to eliminate wrong answers

Option A is wrong because standard ACLs should be placed closest to the destination, not the source; placing them near the source can block all traffic from a source regardless of the destination, which is overly restrictive and can disrupt traffic to other subnets. Option B is wrong because extended ACLs should be placed closest to the source, not the destination; placing them near the destination wastes bandwidth by allowing unwanted traffic to traverse the network before being filtered. Option D is wrong because placement directly affects ACL functionality and efficiency; improper placement can cause unintended filtering or unnecessary network congestion.

56
MCQeasy

A network engineer runs the following command to troubleshoot an IPv4 access control list issue:

```
R1# show access-lists 120
Extended IP access list 120
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 80
    20 permit tcp 192.168.2.0 0.0.0.255 any eq 443
    30 deny ip any any log
```

What does this output indicate?

A.The ACL permits HTTP traffic from 192.168.1.0/24 and HTTPS traffic from 192.168.2.0/24, and denies all other traffic with logging.
B.The ACL permits all traffic from 192.168.1.0/24 and 192.168.2.0/24.
C.The ACL denies all traffic from 192.168.1.0/24 and 192.168.2.0/24.
D.The ACL is applied inbound on an interface and is blocking all traffic.
AnswerA

The ACL entries match this description.

Why this answer

The output shows an extended ACL with two permit statements: the first permits TCP traffic from 192.168.1.0/24 to any destination on port 80 (HTTP), and the second permits TCP traffic from 192.168.2.0/24 to any destination on port 443 (HTTPS). The final deny ip any any log statement explicitly denies all other IP traffic and logs matches, which is standard practice for ACL troubleshooting. Therefore, option A correctly describes the ACL's behavior.

Exam trap

Cisco often tests the ability to read ACL output precisely, and the trap here is that candidates may overlook the specific port restrictions (eq 80 and eq 443) and assume the ACL permits all traffic from the source networks, or misinterpret the 'log' keyword as affecting the permit/deny action.

How to eliminate wrong answers

Option B is wrong because the ACL does not permit all traffic from those subnets: only HTTP from 192.168.1.0/24 and HTTPS from 192.168.2.0/24 are permitted, and everything else (including HTTPS from 192.168.1.0/24 and HTTP from 192.168.2.0/24) hits line 30. Option C is wrong because the ACL explicitly permits specific traffic from those subnets rather than denying it. Option D is wrong because `show access-lists` displays only the entries; it says nothing about which interface the list is bound to or in which direction (`show ip interface` does), and the explicit `deny ip any any log` at the end is a conventional final entry that makes denied traffic visible in the log, not a sign that all traffic is blocked.

57
Drag & Dropmedium

Drag and drop the steps to apply and verify an extended IPv4 ACL on a router interface into the correct order, from first to last.


Why this order

The correct order is: first, create the ACL with its permit/deny entries (`ip access-list extended NAME`, or the numbered `access-list` form); second, check the entries and their sequence numbers with `show access-lists`, because the order decides which entry a packet hits first; third, apply it inbound on the interface with `ip access-group NAME in`; fourth, confirm the binding with `show ip interface <interface>`, which reports the inbound and outbound lists separately; fifth, test with ping or traceroute from a source the list should permit and from one it should deny, then re-run `show access-lists` to see the hit counters move.

58
MCQmedium

A network engineer runs the following command on Router R1:

```
R1# show ip access-lists
Extended IP access list 140
    10 deny tcp any host 10.1.1.1 eq 23 (15 matches)
    20 permit tcp any host 10.1.1.1 eq 22 (20 matches)
    30 permit ip any any (5 matches)
```

Based on this output, what is the problem?

A.SSH to 10.1.1.1 is being denied.
B.Telnet to 10.1.1.1 is being denied, which may be intentional.
C.All traffic is permitted because of line 30.
D.The ACL is not applied to any interface.
AnswerB

Line 10 denies Telnet with 15 matches, so Telnet traffic is blocked.

Why this answer

Option B is correct because the ACL explicitly denies TCP traffic to host 10.1.1.1 on port 23 (Telnet) with line 10, and the match count of 15 confirms that Telnet attempts are being blocked. While this may be intentional to enforce secure management via SSH (permitted on port 22), the question asks for the problem, and the output shows Telnet is being denied. The ACL does not block SSH (line 20 permits it), so the issue is specifically that Telnet access is denied.

Exam trap

Cisco often tests the misconception that a 'permit ip any any' at the end of an ACL overrides earlier deny statements, but candidates must remember that ACLs are processed sequentially and the first match wins.

How to eliminate wrong answers

Option A is wrong because SSH to 10.1.1.1 is permitted by line 20 (permit tcp any host 10.1.1.1 eq 22), which has 20 matches, so SSH is not being denied. Option C is wrong because line 30 (permit ip any any) only sees traffic that has not matched an earlier line; Telnet to 10.1.1.1 matches line 10 (deny) first and is dropped regardless of line 30. Option D is wrong because the nonzero match counts (15, 20, 5) show the list is evaluating traffic, which only happens once it is bound to an interface (or a line); an unbound ACL never increments its counters.

59
MCQhard

OSPF is configured on a multi-access link between R1 and R2. R1 has: interface GigabitEthernet0/0, ip ospf network point-to-point. R2 has default broadcast network type. R1 shows: show ip ospf neighbor includes R2 in FULL state, but R2 shows: show ip ospf neighbor includes R1 in INIT state. What is the root cause?

A.R1's OSPF process ID does not match R2's.
B.An OSPF network type mismatch between R1 (point-to-point) and R2 (broadcast).
C.R1 has a higher router ID, preventing adjacency.
D.R2's interface is passive, blocking OSPF hellos.
AnswerB

The two interfaces disagree about whether the link needs a DR/BDR and how it should be described, so the neighbor relationship cannot settle into a consistent state.

Why this answer

R1's `ip ospf network point-to-point` tells it to treat the segment as a link with exactly one neighbor: it skips the DR/BDR election, carries no DR/BDR in its hellos, and advertises the link as a point-to-point connection in its router LSA. R2, left at the default broadcast type, runs a DR/BDR election and expects to describe the segment as a transit network. The network type itself is not carried in hello packets, and both types send hellos to the multicast address 224.0.0.5, so it is not the hello addressing that breaks; it is the disagreement about the link's role that leaves the neighbor relationship inconsistent, with R1 treating R2 as its single point-to-point neighbor while R2 is still working toward a DR-based adjacency. The fix is the same network type on both ends; for a two-router Ethernet link, point-to-point on both sides is the usual choice because it avoids the DR election and the extra network LSA.

Two practitioner checks: `show ip ospf interface GigabitEthernet0/0` on each router reports the network type actually in use, and `debug ip ospf hello` (or `debug ip ospf adj`) on the side stuck in INIT shows whether it is receiving the peer's hellos and whether it finds its own router ID listed in them, which is what INIT means it has not yet seen. Be aware that in practice this mismatch often leaves the adjacency at FULL on both sides while routes across the link fail to install, because the two router LSAs describe the link differently; whatever the neighbor states show, the mismatch still has to be corrected.

Exam trap

Cisco often tests network type mismatches by giving the symptom and one router's interface configuration, tempting candidates to blame mismatched process IDs or a passive interface instead. Process IDs are locally significant, and a passive interface stops hellos in both directions, so neither explains a neighbor that is seen on one side and not the other.

How to eliminate wrong answers

Option A is wrong because OSPF process IDs are locally significant and do not need to match between routers for adjacency formation. Option C is wrong because a higher router ID never blocks an adjacency; the router ID only influences the DR/BDR election on the broadcast side, and R1's point-to-point interface does not take part in one. Option D is wrong because a passive interface suppresses both sending and receiving hellos on R2, so neither router would list the other as a neighbor at all, rather than showing the asymmetric FULL/INIT state described.

60
MCQhard

When the `ip access-group` command is used to apply an ACL to an interface, what is the default direction if none is specified?

A.Inbound
B.Outbound
C.The command defaults to inbound.
D.The command is rejected without a direction keyword.
AnswerD

The `ip access-group` syntax takes a direction keyword, `in` or `out`.

Why this answer

The syntax is `ip access-group {access-list-number | access-list-name} {in | out}`: the keyword tells the router whether to evaluate packets as they arrive on the interface or as they leave it, and a list bound in the wrong direction never sees the traffic it was written for. Treat the direction as mandatory: always state it explicitly rather than relying on the parser, and confirm the binding afterwards with `show ip interface <interface>`, which reports the inbound and outbound lists separately.

Exam trap

The trap here is that Cisco often tests the misconception that ACLs default to inbound when no direction is specified, but the command is actually rejected without the mandatory keyword.

How to eliminate wrong answers

Option A is wrong because the command does not default to inbound; it requires an explicit direction keyword. Option B is wrong because the command does not default to outbound; the direction must be specified. Option C is wrong because the command does not default to inbound; it is rejected without a direction keyword.

61
MCQmedium

A network engineer runs the following command to troubleshoot an IPv4 access control list issue:

```
R1# debug ip packet 100 detail
IP packet debugging is on for access list 100
*Mar 1 00:12:34.567: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto UDP, flags 0x0, sport 12345, dport 80, access list 100: matched line 10 permit udp host 10.1.1.1 host 10.2.2.2 eq 80
*Mar 1 00:12:35.123: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto TCP, flags 0x2, sport 12346, dport 443, access list 100: matched line 20 deny tcp host 10.1.1.1 host 10.2.2.2 eq 443
*Mar 1 00:12:35.124: IP: s=10.1.1.1 (GigabitEthernet0/0), d=10.2.2.2, len 100, proto TCP, flags 0x10, sport 12346, dport 443, access list 100: matched line 20 deny tcp host 10.1.1.1 host 10.2.2.2 eq 443
```

What does this output indicate?

A.The ACL is applied inbound on GigabitEthernet0/0 and is permitting UDP traffic to port 80 while denying TCP traffic to port 443.
B.The ACL is applied outbound on GigabitEthernet0/0 and is permitting all traffic.
C.The ACL is misconfigured because TCP traffic to port 443 should be permitted.
D.The ACL is not applied to any interface because debug ip packet shows only the ACL number.
AnswerA

The debug output shows that UDP traffic to port 80 matches line 10 (permit) and TCP traffic to port 443 matches line 20 (deny).

Why this answer

Each debug line names the interface the packet arrived on (GigabitEthernet0/0, shown beside the source address) and the entry of ACL 100 it matched. The UDP packet to port 80 matches line 10 (permit); the two TCP packets to port 443 both match line 20 (deny). Because the packets are being evaluated as they enter GigabitEthernet0/0, the list is acting in the inbound direction on that interface.

This confirms Option A: the ACL permits UDP to port 80 and denies TCP to port 443. Two practical caveats about the tool itself: `debug ip packet` only shows process-switched packets (CEF- or fast-switched traffic does not appear unless switching is disabled on the interface, which is itself disruptive), and it is CPU-intensive, so always constrain it with an ACL as done here and avoid running it on a busy production router.

Exam trap

Cisco often tests whether candidates can tell the direction an ACL is acting in from debug output; the trap is to assume outbound because the destination address is a remote host, when the interface named beside the source address is where the packet was received.

How to eliminate wrong answers

Option B is wrong because the output explicitly shows packets being denied (matched line 20 deny), not permitted, and the interface beside the source address is where the packets arrived, which points to inbound, not outbound, processing. Option C is wrong because the ACL is doing what its entries say; nothing in the question requires TCP 443 to be permitted, so a deny there is a policy question, not a misconfiguration. Option D is wrong because the lines report which entry each packet matched, which only happens for a list that is being evaluated. Be aware, though, that the ACL number given to `debug ip packet` is a display filter selecting which packets to print; on its own it does not prove that ACL 100 is bound to GigabitEthernet0/0, and `show ip interface GigabitEthernet0/0` remains the authoritative check.

62
MCQhard

A network engineer configures Control Plane Policing (CoPP) on a router with a policy-map that applies a rate-limit of 10000 pps to the class-default class. After applying the policy, the router's CPU utilization spikes and OSPF neighbors go down. What is the most likely explanation?

A.OSPF packets are matched by class-default and rate-limited, causing hello packets to be dropped.
B.The rate-limit is in bps, not pps, so it is too low.
C.The policy-map is applied to the wrong interface; it should be applied to the management interface.
D.The router has an ACL that blocks OSPF packets before CoPP processes them.
AnswerA

Without an explicit class for OSPF, it falls into class-default and is subject to the rate-limit, which can drop hellos.

Why this answer

Option A is correct because CoPP applies the policy-map to the control plane, and class-default matches every packet not caught by an earlier class. Rate-limiting class-default to 10000 pps therefore subjects OSPF hellos and updates (not explicitly classified here) to the policer; once the aggregate exceeds the limit, hellos are dropped, adjacencies time out, and the resulting SPF runs and re-convergence drive the CPU spike. The usual design is a dedicated class for routing and other critical control-plane traffic (an ACL matching OSPF, BGP and the management protocols in use), placed ahead of class-default with a rate sized for that traffic or no policer at all, so that class-default absorbs only what is left.

Exam trap

Cisco often tests the misconception that class-default is safe to rate-limit aggressively, but the trap here is that critical routing protocol packets (like OSPF hellos) are implicitly matched by class-default unless explicitly classified into a higher-priority class, causing them to be dropped and breaking adjacencies.

How to eliminate wrong answers

Option B is wrong because CoPP rate-limits in pps (packets per second) by default when using the 'police rate 10000 pps' command; specifying bps would require a different syntax (e.g., 'police 10000000'), and the question explicitly states '10000 pps', so the unit is correct. Option C is wrong because CoPP is applied globally to the control plane via 'service-policy input' under 'control-plane' configuration, not to a specific interface; applying it to the management interface would not affect OSPF control-plane traffic. Option D is wrong because CoPP processes packets after ACL-based filtering on interfaces; if an ACL blocked OSPF before CoPP, OSPF neighbors would never form, not just after applying the policy, and the CPU spike would not be directly caused by ACL drops.

63
MCQmedium

Examine the following configuration:

```
interface GigabitEthernet0/3
 ip access-group WEB_ONLY out
!
ip access-list extended WEB_ONLY
 permit tcp any any eq 80
 permit tcp any any eq 443
```

What is the effect of this ACL when applied outbound on GigabitEthernet0/3?

A.It permits all web traffic entering the interface.
B.It permits only HTTP and HTTPS traffic to leave the interface; all other traffic is denied.
C.It permits all TCP traffic to any destination.
D.It has no effect because the ACL is missing a deny statement.
AnswerB

Correct. The ACL permits web traffic and implicitly denies everything else.

Why this answer

The ACL named WEB_ONLY permits TCP traffic destined for ports 80 (HTTP) and 443 (HTTPS). Applied outbound on GigabitEthernet0/3, it is evaluated against transit traffic leaving that interface, and because every ACL ends with an implicit deny, only HTTP and HTTPS leave; everything else is dropped. Two details matter in practice: an outbound ACL does not filter packets the router itself originates (its own routing updates or pings still leave Gi0/3), and the list is stateless, so it covers only the client-to-server direction. Replies to those sessions come back in through Gi0/3 and are governed by whatever list is applied inbound there, not by WEB_ONLY.

Exam trap

Cisco often tests the implicit deny any concept and the distinction between inbound and outbound ACL application, causing candidates to overlook that an ACL without an explicit deny still denies all non-permitted traffic.

How to eliminate wrong answers

Option A is wrong because the ACL is applied outbound, not inbound, so it filters traffic leaving the interface, not entering. Option C is wrong because the ACL only permits TCP traffic to ports 80 and 443, not all TCP traffic to any destination. Option D is wrong because an explicit deny statement is not required; every ACL has an implicit deny any at the end, so the ACL does have an effect by denying all other traffic.

64
MCQmedium

In an extended IPv4 ACL, what is the default action if only a source and destination are specified without a protocol?

A.The ACL matches all IP traffic.
B.The ACL matches only TCP traffic.
C.The command is rejected by the IOS parser.
D.The ACL matches only UDP traffic.
AnswerC

Extended ACL syntax requires a protocol field; omission causes a syntax error.

Why this answer

In an extended IPv4 ACL, the protocol keyword is mandatory. If you omit it, the IOS parser rejects the command because it cannot determine which protocol to filter. The correct syntax requires a protocol (e.g., ip, tcp, udp) after the permit or deny keyword; without it, the parser returns an error.

Exam trap

Cisco often tests the mandatory nature of the protocol field in extended ACLs, trapping candidates who assume a default protocol (like IP, TCP, or UDP) is applied when none is specified.

How to eliminate wrong answers

Option A is wrong because an extended ACL does not default to matching all IP traffic when only source and destination are specified; the protocol field is required, and omitting it causes a parser error, not an implicit 'permit ip any any'. Option B is wrong because there is no default protocol of TCP; the ACL command is invalid without a protocol keyword. Option D is wrong because there is no default protocol of UDP; the command is rejected, not interpreted as UDP traffic.

65
MCQeasy

A network engineer runs the following commands to troubleshoot an IPv4 access control list issue:

```
R1# show ip interface GigabitEthernet0/0 | include access list
  Outgoing access list is 102
  Inbound access list is not set
R1# show ip access-lists 102
Extended IP access list 102
    10 deny tcp any any eq 23
    20 permit ip any any
```

What does this output indicate?

A.ACL 102 is applied outbound on GigabitEthernet0/0, denying Telnet traffic and permitting all other traffic.
B.ACL 102 is applied inbound on GigabitEthernet0/0, blocking Telnet.
C.ACL 102 is not applied to any interface.
D.ACL 102 is applied inbound and outbound on GigabitEthernet0/0.
AnswerA

The output shows the ACL is outbound and its entries.

Why this answer

The output of `show ip interface GigabitEthernet0/0 | include access list` shows 'Outgoing access list is 102' and 'Inbound access list is not set', so ACL 102 is applied in the outbound direction only on that interface. The list denies TCP traffic destined for port 23 (Telnet) and then permits all other IP traffic, so Telnet sessions forwarded out of GigabitEthernet0/0 are blocked while everything else passes; Option A summarizes this correctly. Note what the list does not do: an outbound ACL never sees traffic addressed to the router itself, so Telnet to R1's own VTY lines from the Gi0/0 segment is untouched; that is controlled with `access-class` on the VTY lines.

Exam trap

Cisco often tests the distinction between the ACL being 'applied' to an interface versus the ACL's content, and the trap here is that candidates see the ACL content and assume it is applied inbound without checking the interface output for direction.

How to eliminate wrong answers

Option B is wrong because the interface output explicitly states 'Inbound access list is not set', so ACL 102 is not applied inbound. Option C is wrong because the interface output confirms ACL 102 is applied outbound on GigabitEthernet0/0. Option D is wrong because the interface output shows only an outbound ACL; the inbound access list is not set, so it is not applied in both directions.

66
Multi-Selecthard

Which TWO statements about the 'time-range' feature in IPv4 ACLs are correct? (Choose TWO.)

Select 2 answers
A.A time-range can include both absolute and periodic statements simultaneously.
B.The time-range is applied to the entire ACL, not individual ACEs.
C.If the router's clock is not set, the time-range will be considered active at all times.
D.The time-range feature can only be used with extended named ACLs, not standard ACLs.
E.The time-range must be configured before it is referenced in an ACE.
AnswersA, E

Correct. A time-range can contain one absolute statement and any number of periodic statements. With both present, the periodic statements are evaluated only inside the absolute window (not before its start, not after its end), and the range is active whenever any periodic statement matches. An ACE whose time-range is inactive is skipped, so the packet continues down the list.

Why this answer

Option A is correct because a single time-range in Cisco IOS can hold one absolute statement (a start and/or end date and time) together with one or more periodic statements (recurring days and times). That combination is what lets you express a policy such as 'business hours on weekdays, valid until a fixed end date'. Option E is correct because an ACE references the range by name (for example `permit tcp any any eq 80 time-range BUSINESS_HOURS`), and that name must refer to a range defined with the global `time-range` command, so the range is created first and the ACE that uses it afterwards.

Exam trap

Cisco often tests the misconception that a time-range applies to the entire ACL rather than to individual ACEs, leading candidates to incorrectly select option B.

How to eliminate wrong answers

Option B is wrong because the time-range keyword is added to an individual ACE, so a single ACL can mix time-bound and permanent entries. Option C is wrong because the router evaluates the range against whatever its clock reports; an unset or drifting clock makes the ACE active or inactive at the wrong times rather than active all the time, which is why time-based ACLs belong only on routers synchronized with a trustworthy (ideally authenticated) NTP source. Option D is wrong because the time-range keyword is accepted by numbered extended ACLs as well as named ones; it is not limited to the named form.
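The absolute/periodic interaction described above, as an added example that is not part of the question bank or of Cisco IOS: a small Python parser for the `time-range` configuration lines and an evaluator that applies the documented rule (periodic statements count only inside the absolute window; any matching periodic statement activates the range). The configuration text, the range name BUSINESS_HOURS and the clock readings are constructed for illustration.

```python
"""Cisco IOS time-range evaluation (added example, not from the question bank or IOS).
Rule modelled: an absolute statement bounds the window; periodic statements are evaluated
only inside that window, and any matching periodic statement makes the range active."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set

DAY_KEYWORDS = {                      # Python weekday(): Monday == 0 ... Sunday == 6
    "daily": {0, 1, 2, 3, 4, 5, 6}, "weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}

@dataclass
class Periodic:
    days: Set[int]
    start: time
    end: time

@dataclass
class TimeRange:
    name: str
    abs_start: Optional[datetime] = None
    abs_end: Optional[datetime] = None
    periodic: List[Periodic] = field(default_factory=list)

def _stamp(tokens: List[str]) -> datetime:
    """'HH:MM D Month YYYY', the form used by 'absolute start ... end ...'."""
    return datetime.strptime(" ".join(tokens), "%H:%M %d %B %Y")

def _hhmm(s: str) -> time:
    return time(*map(int, s.split(":")))

def parse_time_range(text: str) -> TimeRange:
    """Parse a 'time-range NAME' block with its absolute and periodic lines."""
    tr: Optional[TimeRange] = None
    for raw in text.strip().splitlines():
        t = raw.split()
        if t[0] == "time-range":
            tr = TimeRange(t[1])
        elif t[0] == "absolute":
            if "start" in t:
                i = t.index("start")
                tr.abs_start = _stamp(t[i + 1:i + 5])
            if "end" in t:
                i = t.index("end")
                tr.abs_end = _stamp(t[i + 1:i + 5])
        elif t[0] == "periodic":      # periodic <days...> HH:MM to HH:MM
            to = t.index("to")
            days = set().union(*(DAY_KEYWORDS[d] for d in t[1:to - 1]))
            tr.periodic.append(Periodic(days, _hhmm(t[to - 1]), _hhmm(t[to + 1])))
    return tr

def is_active(tr: TimeRange, clock: str) -> bool:
    """Is the range active when the router's clock reads 'clock' (ISO 8601, e.g. 2025-06-03T10:00)?"""
    now = datetime.fromisoformat(clock)
    if tr.abs_start is not None and now < tr.abs_start:
        return False                  # periodic statements are not evaluated before the absolute start
    if tr.abs_end is not None and now > tr.abs_end:
        return False                  # ... nor after the absolute end
    if not tr.periodic:
        return True                   # absolute-only range: active throughout the window
    return any(now.weekday() in p.days and p.start <= now.time() <= p.end
               for p in tr.periodic)

def ace_decision(action: str, tr: TimeRange, clock: str) -> Optional[str]:
    """An ACE whose time-range is inactive is skipped: it yields no decision and
    evaluation continues with the next entry, ending at the implicit deny."""
    return action if is_active(tr, clock) else None

# Constructed configuration: weekday business hours plus Saturday mornings, 2025 only.
CONFIG = """time-range BUSINESS_HOURS
 absolute start 00:00 1 January 2025 end 23:59 31 December 2025
 periodic weekdays 08:00 to 17:00
 periodic saturday 09:00 to 12:00"""

if __name__ == "__main__":
    tr = parse_time_range(CONFIG)
    for clock in ("2025-06-03T10:00",   # Tuesday, in hours
                  "2025-06-07T14:00",   # Saturday afternoon
                  "2026-01-05T10:00"):  # Monday, but the absolute window has ended
        print(clock, "->", ace_decision("permit", tr, clock))
```

Because the decision hinges entirely on the router's clock, a time-bound ACE is only as strong as its clock source: synchronize with authenticated NTP and make `show clock` part of verifying the ACL.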

67
MCQmedium

A network engineer runs the following command on Router R1:

```
R1# show ip access-lists
Extended IP access list 120
    10 permit tcp 10.0.0.0 0.255.255.255 any eq www (1000 matches)
    20 permit udp any any eq dns (500 matches)
    30 deny ip any any (200 matches)
```

Based on this output, what is the problem?

A.The ACL is correctly permitting web and DNS traffic.
B.The ACL is blocking all traffic except web and DNS, which may be too restrictive.
C.The ACL has no effect because it is not applied.
D.The ACL allows all traffic because of the permit statements.
AnswerB

The deny ip any any with matches shows that other traffic is being denied, which could be a problem.

Why this answer

Option B is correct because the ACL permits only TCP port 80 (www) from 10.0.0.0/8 and UDP port 53 (dns) from anywhere; the explicit `deny ip any any` at line 30 drops everything else, and its 200 matches show that other traffic is in fact being dropped. What that other traffic is decides whether the ACL is a problem: HTTPS (443) is not covered by `eq www`, DNS over TCP is not covered by the UDP entry, and if the list is applied inbound it also discards packets destined to the router itself, such as routing protocol hellos and SSH or SNMP management sessions. The output shows the ACL is present and has hit counts; its narrow match set, not its syntax, is the problem.

Exam trap

Cisco often tests the misconception that an ACL with permit statements is automatically 'correct' or 'permissive,' when in fact the explicit deny at the end makes it highly restrictive, and candidates may overlook the need to evaluate whether the ACL matches the intended security policy.

How to eliminate wrong answers

Option A is wrong because 'correct' has to be judged against the intended policy; the list admits only two flows, and the 200 hits on line 30 show it is dropping other traffic, so it cannot be called correct without knowing what that traffic is. Option C is wrong because the match counts (1000, 500, 200) prove the list is evaluating packets, which only happens when it is bound to an interface or line. Option D is wrong because the permit entries cover only web and DNS; the explicit `deny ip any any` at line 30 blocks every other packet.
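Questions 56, 58, 63 and 67 all turn on the same mechanics: wildcard masks, top-down first-match processing, and the implicit deny at the end of every list. The following Python script is an added example, not part of the question bank or of Cisco IOS: it parses the ACE syntax used on this page (including `show ip access-lists` output with hit counters), evaluates constructed packets against the page's lists, and keeps per-entry counters the way `show ip access-lists` does. The sample packets, addresses and port numbers are constructed for illustration.

```python
"""Cisco IOS ACL evaluation modelled in Python (added example, not from the question
bank or from IOS): wildcard masks, top-down first match, the implicit deny, and hit
counters like 'show ip access-lists'. ACL texts and packets below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "https": 443, "dns": 53, "telnet": 23, "ssh": 22}

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

@dataclass
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: Tuple[str, str]         # (base, wildcard); 'any' is 0.0.0.0 255.255.255.255
    dst: Tuple[str, str]
    sport: Optional[int] = None
    dport: Optional[int] = None
    log: bool = False
    matches: int = 0             # the "(n matches)" counter

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: Optional[int] = None
    dport: Optional[int] = None

def _addr(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' at t[i]; return (spec, next index)."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <number|name>' at t[i]."""
    if i < len(t) and t[i] == "eq":
        tok = t[i + 1]
        return (int(tok) if tok.isdigit() else PORT_NAMES[tok]), i + 2
    return None, i

def parse_ace(line: str, default_seq: int) -> Ace:
    t = line.split()
    i, seq = 0, default_seq
    if t[0].isdigit():           # leading sequence number, as in 'show' output
        seq, i = int(t[0]), 1
    action, proto, i = t[i], t[i + 1], i + 2
    src, i = _addr(t, i)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return Ace(seq, action, proto, src, dst, sport, dport, log="log" in t[i:])

def parse_acl(text: str) -> List[Ace]:
    """Parse 'show ip access-lists' output or an 'ip access-list extended' body."""
    aces: List[Ace] = []
    for raw in text.strip().splitlines():
        line = raw.split("(")[0].strip()                    # drop a trailing "(n matches)"
        if not line or line.startswith(("Extended", "Standard", "ip access-list")):
            continue
        aces.append(parse_ace(line, (len(aces) + 1) * 10))  # IOS numbers entries 10, 20, ...
    return aces

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and wildcard_match(pkt.src, *ace.src) and wildcard_match(pkt.dst, *ace.dst)
            and (ace.sport is None or pkt.sport == ace.sport)
            and (ace.dport is None or pkt.dport == ace.dport))

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; no match hits the implicit deny (seq None), which IOS neither shows nor counts."""
    for ace in acl:
        if ace_matches(ace, pkt):
            ace.matches += 1
            return ace.action, ace.seq
    return "deny", None

# Constructed inputs: the lists from questions 56 and 67 on this page.
ACL_120 = """Extended IP access list 120
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 80
    20 permit tcp 192.168.2.0 0.0.0.255 any eq 443
    30 deny ip any any log"""
ACL_120_Q67 = """10 permit tcp 10.0.0.0 0.255.255.255 any eq www (1000 matches)
    20 permit udp any any eq dns (500 matches)
    30 deny ip any any (200 matches)"""

if __name__ == "__main__":
    q67 = parse_acl(ACL_120_Q67)
    for pkt in (Packet("10.9.8.7", "198.51.100.5", "tcp", 50000, 80),
                Packet("10.9.8.7", "198.51.100.5", "tcp", 50001, 443),   # HTTPS is not 'www'
                Packet("10.9.8.7", "198.51.100.53", "tcp", 50002, 53)):  # DNS over TCP
        print(pkt.proto, pkt.dport, "->", evaluate(q67, pkt))
```

Running it prints the decisions for question 67's list: HTTP from 10.0.0.0/8 hits line 10, but HTTPS and DNS over TCP both fall through to the explicit deny at line 30, which is exactly the kind of gap a growing match count on a final deny should prompt you to look for. The implicit deny is reported with sequence None because IOS neither displays nor counts it; the same parser accepts the lists from questions 58 and 63 unchanged.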
