200-301 Question #48: Real Exam Question with Answer & Explanation

The correct answer is D:

    config t
    ip access-list extended wwwblock
     deny tcp any host 10.30.0.100 eq 80
     permit ip any any
    int vlan 20
     ip access-group wwwblock in

Submitted by tunde_lagos · Mar 5, 2026 · IP Connectivity

Question

Refer to the exhibit. A network engineer must block access for all computers on VLAN 20 to the web server via HTTP. All other computers must be able to access the web server. Which configuration when applied to switch A accomplishes this task?

Options

  • A.
      config t
      ip access-list extended wwwblock
       permit ip any any
       deny tcp any host 10.30.0.100 eq 80
      int vlan 20
       ip access-group wwwblock in
  • B.
      config t
      ip access-list extended wwwblock
       permit ip any any
       deny tcp any host 10.30.0.100 eq 80
      int vlan 30
       ip access-group wwwblock in
  • C.
      config t
      ip access-list extended wwwblock
       deny tcp any host 10.30.0.100 eq 80
      int vlan 10
       ip access-group wwwblock in
  • D.
      config t
      ip access-list extended wwwblock
       deny tcp any host 10.30.0.100 eq 80
       permit ip any any
      int vlan 20
       ip access-group wwwblock in

Explanation

Option D correctly places the deny statement before permit ip any any and applies the ACL to interface vlan 20 inbound — the exact VLAN whose traffic needs to be blocked. Cisco ACLs process rules top-down and stop at the first match, so denying HTTP to the web server first, then permitting everything else, achieves the precise goal.

Why the distractors fail:

  • A lists permit ip any any before the deny — since ACLs match top-down, all traffic is immediately permitted and the deny line is never reached, making it completely ineffective.
  • B has the same permit-before-deny ordering flaw as A, and is also applied to vlan 30 rather than vlan 20, targeting the wrong segment entirely.
  • C applies the ACL to vlan 10 (wrong VLAN) and omits the permit ip any any statement, meaning the ACL's implicit deny any at the end would block all traffic from that interface, not just HTTP.

Memory tip: Think "Deny first, right VLAN, don't forget permit" — the deny must come before any broad permit, the ACL goes on the source VLAN (20, not 30 or 10), and you need an explicit permit ip any any at the end or non-HTTP traffic gets silently dropped by the implicit deny.
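
The first-match and implicit-deny behaviour described above can be checked with a small simulator. This is an added example, not part of the original question or Cisco's implementation; it assumes VLAN 10 stands in for "all other computers" (the exhibit is not reproduced on the page), and option D uses the ACE order stated in the explanation.

```python
# Added example: first-match evaluation of the four options' ACLs.
# Assumption: VLAN 10 represents "all other computers"; the exhibit is not shown on the page.
WEB = "10.30.0.100"
DENY = f"deny tcp any host {WEB} eq 80"
PERMIT = "permit ip any any"

# (ACEs in configured order, VLAN interface the ACL is applied inbound on)
OPTIONS = {
    "A": ([PERMIT, DENY], 20),
    "B": ([PERMIT, DENY], 30),
    "C": ([DENY], 10),
    "D": ([DENY, PERMIT], 20),  # order as stated in the explanation
}

def parse_ace(line):
    """Parse the two ACE shapes used here: 'permit ip any any' and
    'deny tcp any host <addr> eq <port>'."""
    tok = line.split()
    dst = tok[4] if tok[3] == "host" else None
    port = int(tok[6]) if len(tok) > 6 and tok[5] == "eq" else None
    return tok[0], tok[1], dst, port

def acl_decision(aces, proto, dst, dport):
    """Return the action of the first matching ACE; implicit deny if none match."""
    for line in aces:
        action, a_proto, a_dst, a_port = parse_ace(line)
        if a_proto not in ("ip", proto):
            continue
        if a_dst is not None and a_dst != dst:
            continue
        if a_port is not None and a_port != dport:
            continue
        return action
    return "deny"

def forwarded(option, src_vlan, proto, dst, dport):
    """An inbound ACL on 'interface vlan N' only filters packets sourced in VLAN N."""
    aces, applied_vlan = OPTIONS[option]
    if src_vlan != applied_vlan:
        return True
    return acl_decision(aces, proto, dst, dport) == "permit"

def evaluate(option):
    """Check the task's two requirements plus collateral blocking of non-HTTP traffic."""
    return {
        "vlan20_http_blocked": not forwarded(option, 20, "tcp", WEB, 80),
        "vlan10_http_allowed": forwarded(option, 10, "tcp", WEB, 80),
        "vlan20_https_allowed": forwarded(option, 20, "tcp", WEB, 443),
    }
```

Calling evaluate() for each key in OPTIONS shows that only D satisfies all three checks, and that C blocks the wrong VLAN's HTTP while leaving VLAN 20 untouched.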

Topics

#Access Control Lists (ACLs) #Extended ACLs #VLANs #ACL Application
