- A
The ACL is applied outbound on the interface, not inbound, so it filters traffic leaving the interface, not entering.
Correct because if the ACL is applied outbound, it filters traffic leaving the interface; ping traffic from 10.1.1.0/24 to 10.2.2.0/24 would be leaving the interface, but the ACL permits only HTTP, so ping should be denied. However, if the ACL is applied outbound, the deny ip any any would block ping, so this might not be the issue. Actually, the most likely reason is that the ACL is applied outbound, but the scenario says inbound, so the engineer might have misapplied it.
- B
The ACL is missing a deny statement for ICMP, so ICMP traffic is implicitly permitted.
Why wrong: Incorrect because ACLs have an implicit deny at the end, so ICMP would be denied.
- C
The ACL permits HTTP, but ping uses ICMP, which is not HTTP, so ping should be denied.
Why wrong: Incorrect because this would not explain why ping is allowed; it should be denied.
- D
The ACL is applied to the wrong interface; it should be applied to the interface connected to subnet 10.2.2.0/24.
Why wrong: Incorrect because applying the ACL to the interface connected to 10.1.1.0/24 is correct for filtering traffic from that subnet.
Quick Answer
The answer is that the ACL is most likely applied outbound on the interface, not inbound. When an ACL is applied inbound, it filters traffic as it enters the interface, meaning any packet arriving from subnet 10.1.1.0/24 is evaluated against the permit and deny statements before being routed. Since the configured ACL only permits HTTP (TCP port 80) and denies everything else, inbound application should block ICMP ping traffic. However, if the ACL is applied outbound, it only filters traffic leaving the interface, so ping packets from 10.1.1.0/24 would be routed normally and only filtered when exiting toward 10.2.2.0/24, which explains why they still reach their destination. On the ENCOR 350-401 exam, this tests your understanding of ACL application direction—a common trap where engineers misapply the ACL to the wrong interface side. A reliable memory tip is “inbound inspects arrivals, outbound checks departures”; always verify the direction relative to the traffic source.
350-401 ACLs and CoPP Practice Question
This 350-401 practice question tests your understanding of ACLs and CoPP. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A network engineer is configuring ACLs on a Cisco router to filter traffic between two subnets. The engineer wants to allow HTTP traffic from subnet 10.1.1.0/24 to subnet 10.2.2.0/24, but deny all other traffic. The engineer applies an ACL inbound on the interface connected to subnet 10.1.1.0/24. The ACL has a permit statement for TCP port 80 from 10.1.1.0/24 to 10.2.2.0/24, followed by a deny ip any any. However, hosts in subnet 10.1.1.0/24 can still ping hosts in subnet 10.2.2.0/24. What is the most likely reason?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "most likely"
Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
Correct answer & explanation
The ACL is applied outbound on the interface, not inbound, so it filters traffic leaving the interface, not entering.
The correct answer is that the ACL only filters traffic entering the interface; ping traffic is also entering the interface, but the ACL permits only HTTP, so ping should be denied. However, if the ACL is applied inbound, it should block ping. The most likely reason is that the ACL is applied outbound on the interface, not inbound. Option B is incorrect because the ACL order is correct. Option C is incorrect because ICMP is not HTTP. Option D is incorrect because the ACL is applied to the interface, not the subnet.
Key principle: Count usable hosts — not total addresses — and remember that the network and broadcast addresses are not available to hosts in standard IPv4 subnets.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓
The ACL is applied outbound on the interface, not inbound, so it filters traffic leaving the interface, not entering.
Why this is correct
Correct because if the ACL is applied outbound, it filters traffic leaving the interface; ping traffic from 10.1.1.0/24 to 10.2.2.0/24 would be leaving the interface, but the ACL permits only HTTP, so ping should be denied. However, if the ACL is applied outbound, the deny ip any any would block ping, so this might not be the issue. Actually, the most likely reason is that the ACL is applied outbound, but the scenario says inbound, so the engineer might have misapplied it.
Clue confirmation
The clue word "most likely" in the question points toward this answer.
Related concept
CIDR notation defines the prefix length.
- ✗
The ACL is missing a deny statement for ICMP, so ICMP traffic is implicitly permitted.
Why it's wrong here
Incorrect because ACLs have an implicit deny at the end, so ICMP would be denied.
- ✗
The ACL permits HTTP, but ping uses ICMP, which is not HTTP, so ping should be denied.
Why it's wrong here
Incorrect because this would not explain why ping is allowed; it should be denied.
- ✗
The ACL is applied to the wrong interface; it should be applied to the interface connected to subnet 10.2.2.0/24.
Why it's wrong here
Incorrect because applying the ACL to the interface connected to 10.1.1.0/24 is correct for filtering traffic from that subnet.
Common exam traps
Common exam trap: usable hosts are not the same as total addresses
Subnetting questions often tempt you into counting all addresses. In normal IPv4 subnets, the network and broadcast addresses are not usable host addresses.
Detailed technical explanation
How to think about this question
Subnetting questions test whether you can identify the network, broadcast address, usable range, mask and correct subnet. Slow down enough to calculate the block size correctly.
Key Concepts to Remember
- CIDR notation defines the prefix length.
- Block size helps identify subnet boundaries.
- Network and broadcast addresses are not usable hosts in normal IPv4 subnets.
- The required host count determines the smallest suitable subnet.
Exam Day Tips
- Write the block size before choosing the subnet.
- Check whether the question asks for hosts, subnets or a specific address range.
- Do not confuse /24, /25, /26 and /27 host counts.
Key takeaway
Count usable hosts — not total addresses — and remember that the network and broadcast addresses are not available to hosts in standard IPv4 subnets.
Real-world example
How this comes up in practice
A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic is still blocked from nursing workstations. The ACL was applied outbound instead of inbound on the wrong interface. Questions like this test ACL direction and placement rules.
What to study next
Got this wrong? Here's your next step.
Review block sizes, usable host formulas (2^n − 2), and how to find network and broadcast addresses for /24 through /30. Then practise related 350-401 subnetting questions on CIDR, address ranges, and subnet selection.
Same concept, more angles
3 more ways this is tested on 350-401
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. Examine the following configuration snippet:
    interface GigabitEthernet0/1
     ip access-group FILTER_IN in
    !
    ip access-list extended FILTER_IN
     deny icmp any any echo
     permit ip any any
What is the effect of this configuration?
Difficulty: medium
- A. It blocks all ICMP traffic inbound on GigabitEthernet0/1.
- ✓ B. It blocks inbound ICMP Echo requests on GigabitEthernet0/1.
- C. It blocks all inbound traffic on GigabitEthernet0/1.
- D. It blocks outbound ICMP Echo requests on GigabitEthernet0/1.
Why B: The ACL denies ICMP Echo (ping) inbound on GigabitEthernet0/1 while permitting all other IP traffic.
Variation 2. Given the following configuration:
    ip access-list extended FILTER
     permit tcp any host 10.1.1.1 eq 22
     permit icmp any any echo-reply
    !
    interface GigabitEthernet0/4
     ip access-group FILTER in
What traffic is permitted?
Difficulty: medium
- A. Only SSH traffic to 10.1.1.1 is permitted.
- ✓ B. SSH to 10.1.1.1 and ICMP Echo Reply are permitted.
- C. All ICMP traffic is permitted.
- D. Only traffic from host 10.1.1.1 is permitted.
Why B: The ACL permits TCP traffic to host 10.1.1.1 on port 22 (SSH) and ICMP Echo Reply messages from any source.
Variation 3. Review the ACL configuration:
    ip access-list extended TEST
     permit tcp 192.168.1.0 0.0.0.255 any eq 80
     permit tcp 192.168.1.0 0.0.0.255 any eq 443
     deny ip any any
    !
    interface GigabitEthernet0/3
     ip access-group TEST in
What is missing or incorrect?
Difficulty: medium
- A. The ACL should use a wildcard mask of 255.255.255.0 instead of 0.0.0.255.
- ✓ B. The deny ip any any is redundant because ACLs have an implicit deny at the end.
- C. The ACL must be applied outbound to filter incoming traffic.
- D. The ACL should use the keyword 'established' to allow return traffic.
Why B: The ACL permits HTTP and HTTPS from 192.168.1.0/24 to any destination, but denies all other traffic. The configuration is syntactically correct.
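The three variations above all rest on top-down, first-match evaluation, wildcard masks and the implicit deny. The following Python sketch is an added example, not Courseiva's or Cisco's code: it evaluates the entries from the variations against constructed sample packets. It supports only the entry forms that appear above (any, host, address plus wildcard, eq on the destination port, a trailing ICMP type keyword) and does not model interface direction; the packet dictionaries and function names are assumptions made for illustration.

```python
import ipaddress

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))

def parse_ace(line):
    """Parse one extended-ACL entry of the forms used in the variations above."""
    tok = line.split()
    ace = {"action": tok.pop(0), "proto": tok.pop(0), "port": None, "icmp": None}
    ace["src"], ace["dst"] = _addr(tok), _addr(tok)
    if tok and tok[0] == "eq":
        ace["port"] = int(tok[1])      # destination port
    elif tok:
        ace["icmp"] = tok[0]           # ICMP message type keyword
    return ace

def _ip_match(spec, ip):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF          # wildcard bit 1 = ignore, 0 = must match
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)

def evaluate(acl, pkt):
    """Return (action, matching entry) for the first entry that matches, top down."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_ip_match(ace["src"], pkt["src"]) and _ip_match(ace["dst"], pkt["dst"])):
            continue
        if ace["port"] is not None and ace["port"] != pkt.get("dport"):
            continue
        if ace["icmp"] is not None and ace["icmp"] != pkt.get("icmp"):
            continue
        return ace["action"], line
    return "deny", "implicit deny"     # nothing matched

# ACL entries copied from Variations 1-3; packets below are constructed samples.
VAR1_FILTER_IN = ["deny icmp any any echo", "permit ip any any"]
VAR2_FILTER = ["permit tcp any host 10.1.1.1 eq 22", "permit icmp any any echo-reply"]
VAR3_TEST = ["permit tcp 192.168.1.0 0.0.0.255 any eq 80",
             "permit tcp 192.168.1.0 0.0.0.255 any eq 443", "deny ip any any"]

if __name__ == "__main__":
    ping = {"proto": "icmp", "src": "10.0.0.5", "dst": "10.0.0.9", "icmp": "echo"}
    for name, acl in (("V1", VAR1_FILTER_IN), ("V2", VAR2_FILTER), ("V3", VAR3_TEST)):
        print(name, evaluate(acl, ping))
```

Dropping the last entry from the Variation 3 list changes only which rule is reported as the match, not the action, which is the redundancy that variation asks about.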
Last reviewed: Jun 18, 2026