
Scenario-based practice

Access Control List (ACL) Scenarios

Practise 300-410 ACL questions covering standard vs extended ACLs, top-down processing, implicit deny, inbound vs outbound placement, and troubleshooting traffic that is unexpectedly blocked or permitted.

15 scenario questions
Exam code: 300-410
Vendor: Cisco

Scenario guide

How to approach Access Control List (ACL) scenarios

ACL questions test your ability to read, write, and place access lists correctly. They appear as configuration tasks, troubleshooting scenarios, and exhibit-based questions showing ACL output. The CCNA covers standard and extended ACLs for both IPv4 and IPv6.

Quick answer

ACL questions usually test top-down rule processing, source and destination matching, protocol or port logic, and where the ACL should be applied.

Standard versus extended ACL behaviour.

Top-down processing and the implicit deny rule.

Source, destination, protocol and port matching.

Inbound versus outbound ACL placement.


Practice set

Practice scenarios

Question 1 (medium, drag order)

Drag and drop the steps to troubleshoot Device Access Control adjacency or connectivity failures into the correct order, from first to last.

Question 2 (medium, drag order)

Drag and drop the steps to verify and validate Device Access Control operational state into the correct order, from first to last.

Question 3 (hard, drag order)

Drag and drop the steps to troubleshoot IPv4 ACL adjacency or connectivity failures into the correct order, from first to last.

Question 4 (medium, drag order)

Drag and drop the steps to apply and verify an extended IPv4 ACL on a router interface into the correct order, from first to last.

Question 5 (medium, multiple choice)

A network engineer is troubleshooting a connectivity issue between two routers R1 and R2 connected via GigabitEthernet0/0. The engineer notices that R1 can ping its own IPv6 address 2001:db8:1::1/64, but cannot ping R2's interface address 2001:db8:1::2/64. The output of 'show ipv6 interface GigabitEthernet0/0' on R1 indicates that IPv6 is enabled and the interface is up/up. The engineer checks the access list applied to the interface and sees an inbound IPv6 ACL that permits only ICMPv6 echo requests from a specific source. What is the most likely cause of the ping failure?

Question 6 (medium, multiple choice)

Consider the following configuration:

ipv6 access-list FILTER
 permit ipv6 2001:db8:3::/48 any
 deny ipv6 any any

interface GigabitEthernet0/5
 ipv6 traffic-filter FILTER in
 ipv6 verify unicast source reachable-via rx

A packet arrives on GigabitEthernet0/5 with source 2001:db8:3::100 and destination 2001:db8:4::1. The route for 2001:db8:3::/48 points out interface GigabitEthernet0/6. What happens?

Question 7 (medium, multiple choice)

Review this configuration:

route-map RMAP permit 10
 match ipv6 address prefix-list PREFIX
 set interface null0
!
ipv6 prefix-list PREFIX seq 5 permit 2001:db8:5::/48
!
interface GigabitEthernet0/6
 ipv6 verify unicast source reachable-via any allow-default

What is the purpose of the 'allow-default' keyword?

Question 8 (easy, multiple choice)

In IPv6, what is the default action for an access-list entry that does not specify a protocol?

Question 9 (medium, multi select)

Which TWO configuration steps are required to implement IPv6 traffic filtering using a named ACL on a Cisco router? (Choose TWO.)

Question 10 (hard, multiple choice)

A large enterprise network uses OSPFv3 for IPv6 routing. Router R1 and R2 are connected via a multi-access Ethernet link. R1 is configured with 'ipv6 ospf network point-to-point' while R2 uses the default broadcast network type. R1 has an IPv6 ACL applied inbound on its interface that permits only OSPF (89) and denies all other traffic. R2 is unable to form a full OSPF adjacency with R1. R2 shows 'OSPFv3 adjacency state is EXSTART/EXCHANGE' and logs 'Bad LSReq'. What is the root cause?

Question 11 (hard, multiple choice)

A DMVPN network uses IPv6 with EIGRP as the routing protocol. Spoke routers R2 and R3 are behind NAT and use mGRE tunnels. The hub R1 has an IPv6 ACL applied inbound on the tunnel interface that permits only EIGRP and denies all other IPv6 traffic. Spoke-to-spoke traffic fails even though direct tunnels are established. R2 shows 'ping 2001:db8:3::1 source loopback0' fails, but 'ping 2001:db8:1::1' (hub) succeeds. What is the root cause?

Question 12 (hard, multiple choice)

An MPLS network uses LDP for label distribution with IPv6. Router R1 and R2 are LDP peers. R1 has an IPv6 ACL applied inbound on the interface facing R2 that permits only TCP port 646 (LDP) and denies all other traffic. R2 shows 'show mpls ldp neighbor' indicates the neighbor is up, but 'show mpls forwarding-table' shows no labels for IPv6 prefixes. R1's 'show mpls ldp bindings' shows labels for all prefixes. What is the root cause?

Question 13 (hard, multiple choice)

A dual-stack network uses BGP for IPv6 between AS 100 and AS 200. Router R1 (AS 100) has an inbound route-map that sets local preference to 200 for routes from R2 (AS 200). R1 also has an IPv6 ACL applied inbound that permits only BGP (TCP 179) and denies ICMPv6. R2 advertises a prefix 2001:db8:1::/48. R1's BGP table shows the prefix with local preference 200, but 'show ipv6 route' does not install it. R1 has uRPF strict mode on the interface facing R2. What is the root cause?

Question 14 (hard, multiple choice)

An enterprise uses VRF-lite with IPv6. VRF A on R1 leaks routes to VRF B using route-target import/export. R1 has an IPv6 ACL applied inbound on the interface in VRF A that permits only OSPFv3 and denies all other traffic. R1's VRF B has a static default route pointing to a next-hop in VRF A. Traffic from VRF B to the internet fails. R1 shows 'ping vrf B 2001:db8:2::1' fails, but 'ping vrf A 2001:db8:2::1' succeeds. What is the root cause?

Question 15 (hard, multiple choice)

An OSPFv3 network has multiple areas. Area 0 includes R1 and R2. Area 1 includes R2 and R3. R2 is an ABR. R1 has an IPv6 ACL applied inbound on the interface to R2 that permits only OSPFv3 and denies all other traffic. R3 advertises a prefix 2001:db8:3::/48 into Area 1. R1's routing table shows the prefix but with a next-hop of R2. R1's uRPF is configured in strict mode on the interface to R2. Traffic from R1 to 2001:db8:3::1 is dropped. R1 shows 'show ipv6 cef 2001:db8:3::/48' points to R2's link-local address. What is the root cause?

These 300-410 practice questions are part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style 300-410 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.