14.8.2 Access Control Lists - claymation artwork

14.8.2 Access Control Lists Quiz

11 – 25 Questions 9 min

This 14.8.2 Access Control Lists quiz concentrates on ACL concepts such as permit and deny rules, evaluation order, wildcard masks, and placement on interfaces or resources. It suits intermediate network technicians, junior security analysts, and system administrators who want to sharpen practical skills in controlling traffic and protecting systems with ACLs.

Start Quiz Explore related quizzes

Part 1 — Questions

Answer each question on paper. Do not turn the page until you are ready to check your work.

In a router configuration, what is the primary purpose of an access control list (ACL)?

To monitor bandwidth usage on a link
To dynamically assign IP addresses to clients
To control which traffic is permitted or denied through an interface
To convert private IP addresses to public ones

An access control list can only contain deny statements, because all traffic is allowed by default.

True
False

Which statement best describes how a standard ACL makes its filtering decision?

It matches on application layer protocol names
It matches only on the source IP address of the packet
It matches on the destination IP address and TCP flags
It matches on source and destination IP addresses and transport ports

On most routers, ACL entries are evaluated from top to bottom and processing stops at the first matching entry.

True
False

Which statement accurately describes the implicit deny in an ACL?

It allows all traffic not explicitly matched by earlier entries
It silently drops any packet not matched by previous entries
It only applies to extended ACLs, not standard ACLs
It must be configured as the first line of every ACL

How does a host-based ACL, such as an operating system firewall rule set, primarily differ from a router-based ACL?

A host-based ACL can only filter outbound traffic
Router-based ACLs cannot filter by TCP or UDP ports
A host-based ACL controls traffic to and from a single device, while a router-based ACL controls transit traffic for multiple devices
Router-based ACLs are always stateful while host-based ACLs are always stateless

A network administrator is tuning an ACL. Which characteristics of ACL processing should they keep in mind? Select all that apply.

A.More specific entries should generally be placed before broader ones
B.If no entries match, the packet is automatically permitted
C.The order of entries does not affect the final decision
D.Entries are evaluated sequentially from top to bottom
E.An implicit deny is assumed at the end of the ACL

You need to block HTTP traffic from a specific source subnet to a web server, while allowing other traffic from that subnet. You choose an extended ACL. Where is the best place to apply this ACL?

On an inbound interface closest to the source subnet
On an outbound interface closest to the web server
On any outbound interface of the router
On an inbound interface closest to the web server

An ACL is applied outbound on the internet-facing interface: 1. deny tcp any any eq 80 2. permit ip 192.168.1.0 0.0.0.255 any Clients in 192.168.1.0/24 can ping external hosts but cannot browse websites. What explains this behavior?

The permit statement must use 'tcp' instead of 'ip'
The ACL should be applied inbound instead of outbound
The HTTP deny entry matches before the permit entry
The implicit deny is blocking HTTP for the subnet

10.

For best practice, standard ACLs are usually placed as close as possible to the destination, while extended ACLs are usually placed as close as possible to the source.

True
False

11.

On a router that supports extended ACLs, which fields can an extended ACL match on? Select all that apply.

A.Source IP address
B.Username of the remote user
C.MAC address learned on a switch port
D.Destination TCP or UDP port number
E.Protocol type such as TCP, UDP, or ICMP

12.

A router ACL currently contains these entries, evaluated in order: 1. permit ip any any 2. deny tcp any any eq 23 Telnet access should be blocked, but users can still open Telnet sessions. What is the best way to correct the ACL?

Reverse the order of source and destination in the Telnet deny entry
Add another deny Telnet entry to the bottom of the ACL
Move the Telnet deny entry above the permit all entry
Change the Telnet deny entry to a permit entry

13.

A server admin is hardening a web server that should only accept HTTPS from the internet and allow SSH from a specific management subnet. All other inbound traffic must be blocked. Which rules should appear in the host-based ACL? Select all that apply.

A.Deny all other inbound traffic to the server
B.Permit HTTPS from any source to the server
C.Permit SSH from the management subnet to the server
D.Permit HTTP from any source to the server
E.Permit all outbound traffic from the server

14.

Arrange the following phases in the recommended order when designing and deploying a new ACL on a router.

Put these in the correct order (write 1–5 beside each):

____Choose the appropriate ACL type and placement
____Write and review the ACL entries
____Test the ACL in a nonproduction environment
____Identify the traffic that must be allowed and denied
____Apply the ACL to the selected interface and direction

15.

You are configuring an extended ACL on the outbound internet interface of a router. Internal network 10.1.0.0/16 should be allowed to initiate HTTP and HTTPS sessions to any internet host, and all other outbound traffic from 10.1.0.0/16 should be denied. Which single ACL entry best meets this requirement?

Permit all TCP from 10.1.0.0/16 to any destination
Permit only HTTP and HTTPS from 10.1.0.0/16 to any destination
Permit all IP from any source to any destination
Permit only HTTP from any source to 10.1.0.0/16

16.

A security policy for subnet 192.168.10.0/24 states: - Users must be able to access internal DNS server 10.0.0.10 on UDP port 53. - Users must be able to reach an external web proxy at 203.0.113.5 on TCP port 3128. - All other outbound traffic from 192.168.10.0/24 must be denied. You are creating an outbound ACL on the LAN interface. Which ACL entries should be included to meet this policy? Select all that apply.

A.Permit UDP from 192.168.10.0/24 to 10.0.0.10 on port 53
B.Permit ICMP from 192.168.10.0/24 to any destination
C.Deny all IP from 192.168.10.0/24 to any destination
D.Permit TCP from 192.168.10.0/24 to 203.0.113.5 on port 3128
E.Permit all IP from 192.168.10.0/24 to any destination

17.

You suspect an ACL is blocking legitimate traffic on a router. Which troubleshooting step will most directly show which ACL entry is matching and dropping the packets in real time, assuming the platform supports it?

Increase the router's CPU priority for ACL processing
Enable routing protocol debugging
Enable logging on ACL deny entries and review the log messages
Check the interface error counters

Part 2 — Answer key

Compare your answers after you have finished Part 1.

In a router configuration, what is the primary purpose of an access control list (ACL)?
To control which traffic is permitted or denied through an interface
An access control list can only contain deny statements, because all traffic is allowed by default.
False
Which statement best describes how a standard ACL makes its filtering decision?
It matches only on the source IP address of the packet
On most routers, ACL entries are evaluated from top to bottom and processing stops at the first matching entry.
True
Which statement accurately describes the implicit deny in an ACL?
It silently drops any packet not matched by previous entries
How does a host-based ACL, such as an operating system firewall rule set, primarily differ from a router-based ACL?
A host-based ACL controls traffic to and from a single device, while a router-based ACL controls transit traffic for multiple devices
A network administrator is tuning an ACL. Which characteristics of ACL processing should they keep in mind? Select all that apply.
More specific entries should generally be placed before broader ones; Entries are evaluated sequentially from top to bottom; An implicit deny is assumed at the end of the ACL
You need to block HTTP traffic from a specific source subnet to a web server, while allowing other traffic from that subnet. You choose an extended ACL. Where is the best place to apply this ACL?
On an inbound interface closest to the source subnet
An ACL is applied outbound on the internet-facing interface: 1. deny tcp any any eq 80 2. permit ip 192.168.1.0 0.0.0.255 any Clients in 192.168.1.0/24 can ping external hosts but cannot browse websites. What explains this behavior?
The HTTP deny entry matches before the permit entry
For best practice, standard ACLs are usually placed as close as possible to the destination, while extended ACLs are usually placed as close as possible to the source.
True
On a router that supports extended ACLs, which fields can an extended ACL match on? Select all that apply.
Source IP address; Destination TCP or UDP port number; Protocol type such as TCP, UDP, or ICMP
A router ACL currently contains these entries, evaluated in order: 1. permit ip any any 2. deny tcp any any eq 23 Telnet access should be blocked, but users can still open Telnet sessions. What is the best way to correct the ACL?
Move the Telnet deny entry above the permit all entry
A server admin is hardening a web server that should only accept HTTPS from the internet and allow SSH from a specific management subnet. All other inbound traffic must be blocked. Which rules should appear in the host-based ACL? Select all that apply.
Deny all other inbound traffic to the server; Permit HTTPS from any source to the server; Permit SSH from the management subnet to the server
Arrange the following phases in the recommended order when designing and deploying a new ACL on a router.
Correct order: Identify the traffic that must be allowed and denied → Choose the appropriate ACL type and placement → Write and review the ACL entries → Test the ACL in a nonproduction environment → Apply the ACL to the selected interface and direction
You are configuring an extended ACL on the outbound internet interface of a router. Internal network 10.1.0.0/16 should be allowed to initiate HTTP and HTTPS sessions to any internet host, and all other outbound traffic from 10.1.0.0/16 should be denied. Which single ACL entry best meets this requirement?
Permit only HTTP and HTTPS from 10.1.0.0/16 to any destination
A security policy for subnet 192.168.10.0/24 states: - Users must be able to access internal DNS server 10.0.0.10 on UDP port 53. - Users must be able to reach an external web proxy at 203.0.113.5 on TCP port 3128. - All other outbound traffic from 192.168.10.0/24 must be denied. You are creating an outbound ACL on the LAN interface. Which ACL entries should be included to meet this policy? Select all that apply.
Permit UDP from 192.168.10.0/24 to 10.0.0.10 on port 53; Deny all IP from 192.168.10.0/24 to any destination; Permit TCP from 192.168.10.0/24 to 203.0.113.5 on port 3128
You suspect an ACL is blocking legitimate traffic on a router. Which troubleshooting step will most directly show which ACL entry is matching and dropping the packets in real time, assuming the platform supports it?
Enable logging on ACL deny entries and review the log messages

1In a router configuration, what is the primary purpose of an access control list (ACL)?

2An access control list can only contain deny statements, because all traffic is allowed by default.

True / False

3Which statement best describes how a standard ACL makes its filtering decision?

4On most routers, ACL entries are evaluated from top to bottom and processing stops at the first matching entry.

True / False

5Which statement accurately describes the implicit deny in an ACL?

6How does a host-based ACL, such as an operating system firewall rule set, primarily differ from a router-based ACL?

7A network administrator is tuning an ACL. Which characteristics of ACL processing should they keep in mind? Select all that apply.

Select all that apply

8You need to block HTTP traffic from a specific source subnet to a web server, while allowing other traffic from that subnet. You choose an extended ACL. Where is the best place to apply this ACL?

9An ACL is applied outbound on the internet-facing interface: 1. deny tcp any any eq 80 2. permit ip 192.168.1.0 0.0.0.255 any Clients in 192.168.1.0/24 can ping external hosts but cannot browse websites. What explains this behavior?

10For best practice, standard ACLs are usually placed as close as possible to the destination, while extended ACLs are usually placed as close as possible to the source.

True / False

11On a router that supports extended ACLs, which fields can an extended ACL match on? Select all that apply.

Select all that apply

12A router ACL currently contains these entries, evaluated in order: 1. permit ip any any 2. deny tcp any any eq 23 Telnet access should be blocked, but users can still open Telnet sessions. What is the best way to correct the ACL?

13A server admin is hardening a web server that should only accept HTTPS from the internet and allow SSH from a specific management subnet. All other inbound traffic must be blocked. Which rules should appear in the host-based ACL? Select all that apply.

Select all that apply

14Arrange the following phases in the recommended order when designing and deploying a new ACL on a router.

Put in order

1Choose the appropriate ACL type and placement

2Write and review the ACL entries

3Test the ACL in a nonproduction environment

4Identify the traffic that must be allowed and denied

5Apply the ACL to the selected interface and direction

15You are configuring an extended ACL on the outbound internet interface of a router. Internal network 10.1.0.0/16 should be allowed to initiate HTTP and HTTPS sessions to any internet host, and all other outbound traffic from 10.1.0.0/16 should be denied. Which single ACL entry best meets this requirement?

16A security policy for subnet 192.168.10.0/24 states: - Users must be able to access internal DNS server 10.0.0.10 on UDP port 53. - Users must be able to reach an external web proxy at 203.0.113.5 on TCP port 3128. - All other outbound traffic from 192.168.10.0/24 must be denied. You are creating an outbound ACL on the LAN interface. Which ACL entries should be included to meet this policy? Select all that apply.

Select all that apply

17You suspect an ACL is blocking legitimate traffic on a router. Which troubleshooting step will most directly show which ACL entry is matching and dropping the packets in real time, assuming the platform supports it?

Frequent Errors on 14.8.2 Access Control Lists Questions

Misunderstanding ACL Evaluation Order

Many learners forget that ACLs are processed from top to bottom and stop at the first match. They assume all matching lines apply. To avoid this, read each rule in sequence and check which rule would be hit first for the specific packet in the question.

Ignoring the Implicit Deny

A very common error is to think unspecified traffic is allowed. Standard and extended ACLs usually end with an implicit "deny any" line. Always ask what happens to traffic that does not match any explicit rule. If it is not clearly permitted, it is blocked.

Confusing Source and Destination Fields

Students often reverse source and destination addresses, especially on extended ACL questions. For example, traffic from the internal network to a web server is different from traffic from the web server to clients. Mark which side initiates the connection before choosing or writing a rule.

Wildcard Masks and Network Ranges

Another frequent mistake is treating wildcard masks like subnet masks. In wildcard masks, 0 means "must match" and 1 means "ignore". Double check simple pairs, such as 0.0.0.255 for a /24 network, before answering.

Incorrect ACL Placement or Direction

Learners sometimes forget to attach the ACL to the correct interface and direction in scenario questions. Identify where the sensitive resource sits and where traffic enters or leaves. Then decide if the ACL should be applied inbound or outbound on that interface.

14.8.2 Access Control Lists Quick Reference Sheet

Print tip: You can print this ACL reference sheet or save it as a PDF for offline study.

Core ACL Concepts

Access Control List (ACL): Ordered set of rules that define which traffic or users are permitted or denied.
Standard ACL: Matches based on source IP address only. Often numbered in a lower range on many platforms.
Extended ACL: Matches on source, destination, protocol, and ports. Used for precise control of traffic types.
Implicit deny: Any traffic that reaches the end of the ACL without a match is denied.

ACL Evaluation Rules

Packets or access requests enter the ACL at the first line.
Each entry is checked in order until a match occurs.
The first matching rule decides the action. Later rules are ignored.
If no rule matches, the implicit deny blocks the traffic or request.

Wildcard Mask Reminders

Wildcard mask bit 0 means the corresponding address bit must match.
Wildcard mask bit 1 means the corresponding address bit is ignored.
Common examples:

Network 192.168.1.0/24 → wildcard 0.0.0.255
Single host 10.0.0.5 → wildcard 0.0.0.0

Formula approach: wildcard = 255.255.255.255 minus subnet mask.

Placement Best Practices

Place extended ACLs close to the source of the traffic you want to control.
Place standard ACLs close to the destination of the traffic you want to protect.
Use the minimum number of rules that still meet the requirements.
Group similar permits together, then add specific denies as needed.

Quick Exam Checklist

Identify source, destination, protocol, and ports from the scenario.
Decide if a standard or extended ACL is required.
Choose correct wildcard masks for networks and hosts.
Order rules so that the most specific entries appear first.
Mentally trace one example packet through the ACL before finalizing your answer.

Worked ACL Configuration Example for 14.8.2

Scenario

Network 192.168.10.0/24 is an internal LAN. A web server at 203.0.113.10 hosts HTTP and HTTPS. Requirement: allow hosts in 192.168.10.0/24 to reach the web server on ports 80 and 443, but block all other traffic to that server. All other traffic on the router should remain unaffected.

Step 1: Extract Key Requirements

Source network: 192.168.10.0/24
Destination host: 203.0.113.10
Protocols and ports: TCP 80 (HTTP) and TCP 443 (HTTPS)
Action: Permit only those flows, deny other traffic to the server

Step 2: Choose ACL Type

The ACL needs to match on protocol and ports. This requires an extended ACL. A standard ACL would only filter by source IP, which would be too broad.

Step 3: Build the Rules

Permit HTTP from the LAN to the server.
Permit HTTPS from the LAN to the server.
Deny all other traffic to the server.

Conceptual example:

permit tcp 192.168.10.0 0.0.0.255 host 203.0.113.10 eq 80
permit tcp 192.168.10.0 0.0.0.255 host 203.0.113.10 eq 443
deny ip any host 203.0.113.10

Step 4: Check Order and Implicit Deny

Permits come before the deny. A packet from 192.168.10.5 to 203.0.113.10 on port 80 hits the first permit and is allowed. A packet to port 22 hits no permit and then matches the explicit deny. If the explicit deny were absent, the implicit deny at the end would still block it.

Step 5: Decide Placement

Apply this extended ACL close to the source LAN interface in the direction where traffic leaves the LAN toward the server. On exam questions, always state interface and direction, for example "inbound on LAN interface" or "outbound on LAN interface" depending on the diagram.

14.8.2 Access Control Lists Quiz FAQ

What does the 14.8.2 focus on in this access control lists quiz?

The 14.8.2 focus is on conceptual understanding of ACL behavior. That includes rule order, implicit deny, wildcard masks, and correct placement on interfaces or resources. The quiz targets intermediate learners who already know basic IP addressing and want more precise control skills.

How much networking knowledge should I have before taking this ACL quiz?

You should be comfortable with IP addresses, subnet masks, and basic routing ideas. Terms like source, destination, protocol, and port should already be familiar. If those fundamentals are solid, you can concentrate on interpreting ACL rules instead of struggling with basic terminology.

Does this quiz cover both standard and extended ACLs?

Yes. Questions cover standard ACLs that match on source addresses and extended ACLs that match on source, destination, protocol, and ports. Some items ask you to decide which type is suitable. Others ask you to predict what traffic a specific ACL will allow or block.

How can I improve at ACL scenario questions?

Start by underlining the required source, destination, protocol, and ports in each scenario. Sketch a quick path that traffic takes across interfaces. Then mentally trace a sample packet through each ACL rule in order and stop at the first match. This method reduces errors from rushing.

Which job roles benefit most from mastering these ACL concepts?

Network technicians, junior network engineers, and security analysts use ACLs to implement access policies on routers, switches, and firewalls. System administrators also apply ACL ideas to file systems and operating systems that support user and group based permissions.