Question 195 of 2,152
VRF-LitehardMultiple ChoiceObjective-mapped

ACL on VRF Interface: Why Management Access Fails

This 300-410 practice question tests your understanding of vrf-lite. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. A key principle to apply: vRF-lite. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Router R1 has an ACL applied to interface Gig0/0 in VRF-A that permits only specific management traffic. The ACL is: access-list 100 permit udp any any eq snmp, access-list 
100 permit tcp any any eq ssh, access-list 
100 deny ip any any. The router's SNMP and SSH services are configured globally. Management stations in the global table cannot reach the router's VRF interface IP. What is the root cause?

Quick Answer

The answer is that the ACL on the VRF interface is blocking management access because it lacks a permit statement for the management station’s source IP address. Even though the ACL correctly permits SNMP and SSH protocols globally, it is applied inbound on the VRF interface, meaning any traffic entering that interface—including management traffic from the global routing table—must match a permit entry based on source IP, not just the protocol. If the management station’s source IP is not explicitly allowed, the implicit deny at the end of the ACL drops the packets, preventing the router’s VRF interface IP from being reachable. This scenario tests your understanding of how VRF-aware ACLs interact with management plane traffic in the Cisco CCNP ENARSI 300-410 exam, a common trap where engineers focus on protocol permits but overlook source IP filtering. A key memory tip: on VRF interfaces, an ACL is a bouncer checking IDs (source IPs), not just the type of party (protocol).

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

The management station must be in the same VRF.

The management station resides in the global routing table, while the VRF interface IP belongs to VRF-A. Without explicit route leaking between the global table and VRF-A, the router cannot forward traffic from the global table to the VRF interface IP. The ACL permits the required protocols (SNMP, SSH) from any source, so the issue is not the ACL. The root cause is that the management station must be in the same VRF or route leaking must be configured.

Key principle: VRF-lite

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The ACL does not permit the source IP address of the management station, causing traffic to be denied.

    Why it's wrong here

    Incorrect. The ACL permits any source for SNMP and SSH, so the source IP is not the issue.

  • The ACL should be applied outbound on the VRF interface.

    Why it's wrong here

    Incorrect. The ACL direction (inbound vs outbound) does not affect this problem; the issue is routing between VRFs.

  • The management station must be in the same VRF.

    Why this is correct

    Correct. In VRF-Lite, by default, there is no inter-VRF routing. Management stations in the global table cannot reach a VRF interface IP unless route leaking is configured or the station is placed in the same VRF.

    Related concept

    VRF-lite

  • The ACL is missing a permit statement for the management station's source IP.

    Why it's wrong here

    Incorrect. The ACL does not need a permit for the source IP because it already uses 'any' for source in the permit statements.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Trap: Attribute the connectivity failure to the ACL because it is applied and has an explicit deny. However, the ACL actually permits the management traffic from any source. The real issue is the lack of inter-VRF routing.

Detailed technical explanation

How to think about this question

Treat this as a scenario question. Identify the problem, the constraint, and the best action. Then compare each option against those facts.

KKey Concepts to Remember

  • VRF-lite
  • Inbound ACL
  • Implicit Deny

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

VRF-lite

Real-world example

How this comes up in practice

A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic is still blocked from nursing workstations. The ACL was applied outbound instead of inbound on the wrong interface. Questions like this test ACL direction and placement rules.

Visual reference

Source Router + ACL permit 10.0.0.0/8 deny any Server 10.0.0.5 ✓ 192.168.1.1 ✗ dropped ACLs evaluate top-down; first match wins — implicit deny all at end

What to study next

Got this wrong? Here's your next step.

Review vRF-lite, then practise related 300-410 questions on the same topic to reinforce the concept.

Related practice questions

Related 300-410 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 300-410 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 300-410 question test?

VRF-Lite — This question tests VRF-Lite — VRF-lite.

What is the correct answer to this question?

The correct answer is: The management station must be in the same VRF. — The management station resides in the global routing table, while the VRF interface IP belongs to VRF-A. Without explicit route leaking between the global table and VRF-A, the router cannot forward traffic from the global table to the VRF interface IP. The ACL permits the required protocols (SNMP, SSH) from any source, so the issue is not the ACL. The root cause is that the management station must be in the same VRF or route leaking must be configured.

What should I do if I get this 300-410 question wrong?

Review vRF-lite, then practise related 300-410 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

VRF-lite

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More 300-410 practice questions

Last reviewed: Jun 18, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 300-410 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 300-410 exam.