VRF-Lite · Hard · Multiple choice · Objective-mapped

Quick Answer

The answer is that the ACL on the VRF interface is blocking management access because it lacks a permit statement for the management station’s source IP address. Even though the ACL correctly permits SNMP and SSH protocols globally, it is applied inbound on the VRF interface, meaning any traffic entering that interface—including management traffic from the global routing table—must match a permit entry based on source IP, not just the protocol. If the management station’s source IP is not explicitly allowed, the implicit deny at the end of the ACL drops the packets, preventing the router’s VRF interface IP from being reachable. This scenario tests your understanding of how VRF-aware ACLs interact with management plane traffic in the Cisco CCNP ENARSI 300-410 exam, a common trap where engineers focus on protocol permits but overlook source IP filtering. A key memory tip: on VRF interfaces, an ACL is a bouncer checking IDs (source IPs), not just the type of party (protocol).

300-410 VRF-Lite Practice Question

This 300-410 practice question tests your understanding of VRF-Lite. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below, and read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Router R1 has an ACL applied to interface Gig0/0 in VRF-A that permits only specific management traffic. The ACL is:

access-list 100 permit udp any any eq snmp
access-list 100 permit tcp any any eq ssh
access-list 100 deny ip any any

The router's SNMP and SSH services are configured globally. Management stations in the global table cannot reach the router's VRF interface IP. What is the root cause?

Answer choices

  • The ACL does not permit the source IP address of the management station, causing traffic to be denied.
  • The ACL should be applied outbound on the VRF interface.
  • The management station must be in the same VRF.
  • The ACL is missing a permit statement for the management station's source IP.

Why each option matters

Answer the question above first, then read the full breakdown below to understand why each option is right or wrong.

Correct answer & explanation

The ACL does not permit the source IP address of the management station, causing traffic to be denied.

The ACL on the VRF interface blocks all traffic except SNMP and SSH, and it is applied inbound, so management traffic that enters the VRF interface from the global table is subject to it. Traffic that does not match a permit statement (for example, a different protocol or port) is denied. Several other causes deserve consideration: the ACL permits no ICMP or other supporting traffic; the implicit deny at the end drops everything else, possibly including return traffic; the traffic is sourced from the global table and must be routed into the VRF, so a missing route back from the VRF interface to the global table, or an ACL applied outbound on the global interface, would also break reachability. The scenario states that SNMP and SSH are permitted, yet the management stations still cannot reach the interface. Given the information provided, the likely root cause is that the ACL is missing a permit for the management station's source IP; an ACL applied in the wrong direction is the other common cause.

Key principle: ACLs process entries top to bottom and stop at the first match. Entry order and interface direction matter as much as the permit or deny statement.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The ACL does not permit the source IP address of the management station, causing traffic to be denied.

    Why this is correct

    Correct: The ACL permits only specific protocols but does not specify a source IP, so any source is allowed for those protocols. However, if the management station uses a different protocol (e.g., HTTP), it is denied. The question states that SNMP and SSH are used, so the issue may be that the management station's IP is not permitted, but the ACL does not filter by source IP. The root cause is that the ACL is applied inbound on the VRF interface, but the management traffic is coming from the global table and must be routed into the VRF; if the global table has no route to the VRF interface, the traffic is dropped before the ACL. The most likely root cause is a missing route.

    Related concept

    Standard ACLs match source addresses.

  • The ACL should be applied outbound on the VRF interface.

    Why it's wrong here

    Incorrect: Direction may affect the result, but the root cause is likely routing.

  • The management station must be in the same VRF.

    Why it's wrong here

    Incorrect: Management can be from global table if routing is correct.

  • The ACL is missing a permit statement for the management station's source IP.

    Why it's wrong here

    Incorrect: The ACL permits any source for SNMP and SSH; the issue is not source IP filtering.

Common exam traps

Common exam trap: ACLs stop at the first match

ACLs are processed top to bottom. The first matching entry wins, and an implicit deny usually exists at the end.

Detailed technical explanation

How to think about this question

ACL questions test precision: source, destination, protocol, port and direction. A generally correct ACL can still fail if it is applied on the wrong interface or in the wrong direction.

Key Concepts to Remember

  • Standard ACLs match source addresses.
  • Extended ACLs can match source, destination, protocol and ports.
  • The first matching ACL entry is used.
  • There is usually an implicit deny at the end.

Exam Day Tips

  • Check inbound versus outbound direction.
  • Read the ACL from top to bottom.
  • Look for a broader permit or deny above the intended line.

Key takeaway

ACLs process entries top to bottom and stop at the first match. Entry order and interface direction matter as much as the permit or deny statement.
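The processing rules above (top-to-bottom evaluation, first match wins, implicit deny at the end, wildcard masks) are mechanical enough to model. The Python evaluator below is an added example, not code from Courseiva or Cisco: it parses the question's three access-list 100 entries, runs constructed sample packets through them (management station 192.0.2.10 to VRF interface address 10.1.1.1, values chosen for illustration and not taken from the question), then shows two variants, the same entries with the deny moved to the top and a host-specific permit that relies on the implicit deny. Function names such as `parse_entry`, `evaluate` and `demo` are the example's own. It models only the ACL features this page discusses (IPv4, protocol, source and destination with wildcard mask, `eq` destination port), not the full IOS syntax.

```python
"""Cisco-style extended ACL evaluator: top to bottom, first match wins, implicit deny.
Added example for this page (not Cisco IOS or Courseiva code); every address below is constructed."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

PORT_NAMES = {"ssh": 22, "snmp": 161, "www": 80, "telnet": 23}  # subset of IOS port keywords

@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str                      # source IPv4 address
    dst: str                      # destination IPv4 address
    dport: Optional[int] = None   # destination port (None for ICMP)

@dataclass(frozen=True)
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: int                      # source address as an integer
    src_wc: int                   # source wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wc: int
    dport: Optional[int] = None   # None means any destination port

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _parse_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]

def parse_entry(line: str) -> Entry:
    """Parse '[access-list N] permit|deny PROTO SRC DST [eq PORT]'."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[2:]           # drop "access-list <number>"
    action, proto = toks[0], toks[1]
    src, src_wc, rest = _parse_address(toks[2:])
    dst, dst_wc, rest = _parse_address(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    return Entry(action, proto, src, src_wc, dst, dst_wc, dport)

def _addr_matches(ip: int, addr: int, wildcard: int) -> bool:
    care = ~wildcard & 0xFFFFFFFF  # bits the entry actually compares
    return (ip & care) == (addr & care)

def entry_matches(entry: Entry, pkt: Packet) -> bool:
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if not _addr_matches(_ip(pkt.src), entry.src, entry.src_wc):
        return False
    if not _addr_matches(_ip(pkt.dst), entry.dst, entry.dst_wc):
        return False
    return entry.dport is None or entry.dport == pkt.dport

def evaluate(acl, pkt: Packet):
    """Walk the ACL top to bottom and return (action, index) of the first match;
    a packet that matches nothing hits the implicit deny, reported as ("deny", None)."""
    for index, entry in enumerate(acl):
        if entry_matches(entry, pkt):
            return entry.action, index
    return "deny", None

# The ACL from the question, exactly as written there.
ACL_100 = [parse_entry(line) for line in (
    "access-list 100 permit udp any any eq snmp",
    "access-list 100 permit tcp any any eq ssh",
    "access-list 100 deny ip any any",
)]

# Constructed sample traffic: management station 192.0.2.10 to VRF interface 10.1.1.1.
MGMT, VRF_IF = "192.0.2.10", "10.1.1.1"
SSH = Packet("tcp", MGMT, VRF_IF, 22)
SNMP = Packet("udp", MGMT, VRF_IF, 161)
PING = Packet("icmp", MGMT, VRF_IF)

def demo() -> dict:
    """Results for the question's ACL plus variants that show the exam traps."""
    results = {
        "ssh": evaluate(ACL_100, SSH),    # ("permit", 1)
        "snmp": evaluate(ACL_100, SNMP),  # ("permit", 0)
        "ping": evaluate(ACL_100, PING),  # ("deny", 2): the explicit deny ip any any
    }
    # Trap 1: a broad deny placed above the intended permits swallows everything.
    results["ssh_reordered"] = evaluate([ACL_100[2], ACL_100[0], ACL_100[1]], SSH)  # ("deny", 0)
    # Trap 2: a host-specific permit leaves every other source to the implicit deny.
    host_only = [parse_entry("permit tcp host 192.0.2.10 any eq ssh")]
    results["ssh_other_host"] = evaluate(host_only, Packet("tcp", "192.0.2.99", VRF_IF, 22))  # ("deny", None)
    subnet = [parse_entry("permit tcp 192.0.2.0 0.0.0.255 any eq 22")]  # wildcard-mask form
    results["ssh_subnet"] = evaluate(subnet, SSH)  # ("permit", 0)
    return results
```

Calling `demo()` returns a mapping from each case to the `(action, index)` pair that decided it; an index of `None` marks a packet that fell through to the implicit deny, which is the case the "Look for a broader permit or deny above the intended line" tip is about when the deny has been reordered. The wildcard match uses integer masking rather than `ipaddress` networks so that non-contiguous wildcard masks behave the way the ACL syntax defines them.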

Real-world example

How this comes up in practice

A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic from the nursing workstations is still blocked: the ACL had been applied outbound rather than inbound, and on the wrong interface. Questions like this test ACL direction and placement rules.

What to study next

Got this wrong? Here's your next step.

Review ACL processing order, placement rules (standard near destination, extended near source), and inbound vs outbound direction. Study wildcard masks and implicit deny. Then practise related 300-410 ACL questions on filtering logic and placement.


FAQ

Questions learners often ask

What does this 300-410 question test?

This question tests VRF-Lite; the key concept is that standard ACLs match source addresses.

What is the correct answer to this question?

The correct answer is: The ACL does not permit the source IP address of the management station, causing traffic to be denied. The full reasoning is given in the "Correct answer & explanation" section above.

What is the key concept behind this question?

Standard ACLs match source addresses.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →


Last reviewed: Jun 18, 2026


This 300-410 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 300-410 exam.