350-401 · Question #88
Refer to the exhibit. An engineer must block all traffic from a router to its directly connected subnet 209.165.200.0/24. The engineer applies access control list EGRESS in the outbound direction on t
The correct answer is A. Access control lists that are applied outbound to a router interface do not affect traffic that is. Explanation Option A is correct because on Cisco routers, outbound ACLs applied to an interface only filter traffic that is forwarded through that interface - they do not filter traffic that originates from the router itself (such as pings generated by the router's own processes)
Question
Refer to the exhibit. An engineer must block all traffic from a router to its directly connected subnet 209.165.200.0/24. The engineer applies access control list EGRESS in the outbound direction on the GigabitEthernetO/O interface of the router. However, the router can still ping hosts on the 209.165.200.0/24 subnet. Which explanation of this behavior is true?
Exhibits
Options
- AAccess control lists that are applied outbound to a router interface do not affect traffic that is
- BOnly standard access control lists can block traffic from a source IP address.
- CAfter an access control list is applied to an interface, that interface must be shut and no shut for
- DThe access control list must contain an explicit deny to block traffic from the router
How the community answered
(37 responses)- A86% (32)
- B8% (3)
- C3% (1)
- D3% (1)
Explanation
Explanation
Option A is correct because on Cisco routers, outbound ACLs applied to an interface only filter traffic that is forwarded through that interface - they do not filter traffic that originates from the router itself (such as pings generated by the router's own processes). This is a fundamental ACL behavior: router-generated traffic bypasses outbound interface ACLs entirely, which is why the router can still ping hosts on the directly connected subnet despite the EGRESS ACL.
Why the distractors are wrong:
- B is incorrect because both standard and extended ACLs can block traffic based on source IP; the issue here is not the ACL type but where the traffic originates.
- C is incorrect because ACLs take effect immediately upon application - no interface shutdown/restart is required.
- D is incorrect because an explicit deny would only matter if traffic were actually being evaluated by the ACL, which router-originated traffic is not in this outbound scenario.
Memory Tip
Think of it this way: "Outbound ACLs are bouncers at the exit door - they only check guests passing through, not the bouncer themselves." Router-originated traffic (like pings) is the "bouncer," so it always gets through outbound ACLs unchecked.
Topics
Community Discussion
No community discussion yet for this question.

