Access Control Lists Quiz: Test Your ACL and Switch Skills

Quick, free ACL quiz on real scenarios. Instant results with brief explanations.

Editorial: Review Completed
Created By: Hadirah Humairah
Updated Aug 28, 2025
Difficulty: Moderate
2-5mins

This access control lists quiz helps you practice ACL basics, order rules, and follow traffic through a switch. To go deeper on hardening, try the switch security configuration quiz. You can also review filtering concepts with the firewall technologies quiz or refresh fundamentals in the computer networking quiz.

What does ACL stand for in networking?
Advanced Configuration Level
Access Control List
Access Communication Layer
Authenticated Connection Link
ACL stands for Access Control List, which is a feature used on routers and switches to filter network traffic by defining rules that permit or deny packets. ACLs apply criteria such as IP addresses, protocols, or ports. They are a core component of network security and traffic management.
What is the default action at the end of an ACL if no match is found?
Forward the packet to CPU
Permit the packet
Log the packet
Deny the packet
By design, Cisco ACLs include an implicit "deny all" at the end of the list. This means that if a packet does not match any explicit permit statement, it is automatically denied. Administrators must explicitly permit the traffic they want to allow.
Which type of ACL filters traffic by source IP address only?
Standard ACL
Extended ACL
Named ACL
Reflexive ACL
Standard ACLs filter packets based solely on the source IP address. They are numbered from 1 - 99 and 1300 - 1999 in Cisco IOS. These ACLs are typically placed close to the destination to avoid blocking traffic unintentionally.
Which type of ACL can filter traffic by source, destination, protocol, and port?
Time-based ACL
Reflexive ACL
Extended ACL
Standard ACL
Extended ACLs allow filtering based on multiple criteria: source and destination IP addresses, protocol type (TCP, UDP, ICMP), and port numbers. They are numbered from 100 - 199 and 2000 - 2699 in Cisco IOS. Extended ACLs are usually placed close to the source to avoid unwanted traffic entering the network.
Which Cisco IOS command applies an ACL to an interface in the inbound direction?
ip access-group 100 in
ip access-list apply 100 in
interface access-list 100 in
access-group 100 in
The correct command to apply a numbered ACL to an interface in the inbound direction is 'ip access-group in'. This binds the ACL to filter incoming packets on that interface. Without this command, the ACL has no effect.
An ACL entry of 'permit ip 192.168.1.0 0.0.0.255 any' allows which traffic?
All IP traffic from 192.168.1.0/24 to any destination
Only HTTP traffic from 192.168.1.0/24
Only ICMP traffic from 192.168.1.0/24
All traffic to 192.168.1.0/24 network
This ACL entry permits all IP protocols (tcp, udp, icmp, etc.) originating from the 192.168.1.0/24 subnet to any destination. The wildcard mask 0.0.0.255 matches all hosts in the /24. Extended qualifiers would be needed to restrict protocols or ports.
Which wildcard mask matches only the host 10.0.0.5?
0.0.0.1
255.255.255.255
0.0.0.0
0.0.0.255
A wildcard mask of 0.0.0.0 matches exactly one host, because all bits in the address must match. For host 10.0.0.5, the ACL entry would be 'permit ip host 10.0.0.5 any'. Larger masks allow ranges of addresses.
What happens if you place 'access-list 10 deny any' as the first entry?
It becomes an implicit permit all
All traffic is denied by default
Only ICMP is blocked
Nothing, ACL needs to be applied to interface
Creating an ACL entry does not affect packets until you apply the ACL to an interface with 'ip access-group'. Until applied, ACL entries are inactive. Once the list is applied inbound or outbound, its first rule denies everything, and the implicit deny at the end catches anything that does not match.
Which two directions can you apply an ACL on an interface?
Global and Local
Inbound and Outbound
Left and Right
Northbound and Southbound
ACLs can be applied to the inbound or outbound traffic on an interface. Inbound filters traffic before routing, and outbound filters after routing. The direction is specified in the 'ip access-group in|out' command.
Where is the implicit deny statement in a Cisco ACL?
At the end of the ACL
At the top of the ACL
In the middle after half the entries
There is no implicit deny
Cisco ACLs automatically include an implicit deny any at the end. This means any packet not explicitly permitted by earlier statements is dropped. Administrators should add explicit permit statements for desired traffic.
What number range designates standard ACLs in Cisco IOS?
1 - 99
200 - 299
100 - 199
300 - 399
Standard IP ACLs use numbers 1 - 99 and the expanded range 1300 - 1999. These ACLs filter only by source IP. Extended ACLs use 100 - 199 and 2000 - 2699.
What device typically uses ACLs for packet filtering?
Router
Access Point only
Printer
Switch only
Routers use ACLs to permit or deny traffic between interfaces and networks. Many modern switches (layer 3) also support ACLs. ACLs enforce security policies by controlling packet flow.
What feature lets you reorder ACL entries without deleting them?
Sequence numbers
Access sets
Line editing
Entry grouping
You can assign or edit sequence numbers on ACL entries to insert new rules without removing existing ones. Commands like 'ip access-list standard 10' then '10 permit ...', '20 deny ...' set the order. This avoids retyping the ACL.
How many hosts are matched by the wildcard mask 0.0.0.3?
16
4
2
8
A wildcard mask of 0.0.0.3 covers 2 bits for host matching (binary 11), resulting in 2^2=4 addresses. For example, 192.168.1.0 0.0.0.3 matches .0 - .3. Wildcard masks invert subnet masks.
What is a named ACL?
An ACL on switches only
An IPv6-only ACL
An ACL identified by name instead of number
An ACL that is dynamically controlled by SNMP
Named ACLs allow you to assign a descriptive name to an ACL rather than relying on number ranges. With named ACLs, you can edit entries in place without retyping the entire list. They are supported for standard and extended IPv4 and IPv6 ACLs.
Which statement about extended ACLs is correct?
They automatically log denied packets
They can filter by protocol and port
They only support IPv6
They only filter by source address
Extended ACLs filter by source and destination IP, protocol type, and port numbers. They are highly granular, allowing precise traffic control. Logging can be enabled but isn't automatic.
Which command converts a numbered ACL to a named ACL?
rename access-list 10 SECURE
access-list 10 to named SECURE
no access-list 10
ip access-list convert 10 SECURE
On Cisco IOS, you can use 'ip access-list [standard|extended] NAME' to create or enter a named ACL and then manually re-create entries. Some platforms support 'rename access-list ' to convert automatically. Check platform documentation.
How would you allow only HTTP traffic from host 10.0.0.5 to network 192.168.2.0/24?
permit tcp host 10.0.0.5 192.168.2.0 0.0.0.255 eq 80
permit ip 10.0.0.5 0.0.0.0 192.168.2.0 0.0.0.255 80
permit tcp any any eq 80
permit udp host 10.0.0.5 any eq 80
The syntax for extended ACL matching HTTP (port 80) from a single host to a subnet is 'permit tcp host eq 80'. The wildcard of 0.0.0.255 matches the /24. Other options misuse order or protocol.
What is a dynamic ACL (lock-and-key)?
An ACL applied only during maintenance
An ACL generated by IKE
An ACL that auto-updates via SNMP
An ACL that requires explicit login to permit traffic
Dynamic ACLs, also called lock-and-key, deny traffic until a user authenticates via Telnet/HTTP, after which the router temporarily permits return traffic. It's a way to secure inbound connections requiring user credentials. Once idle timeout expires, the permit entry is removed.
What does the 'established' keyword do in an ACL entry?
Allows only outbound TCP with ACK or RST bits set
Logs established connections
Requires session setup synonyms
Permits UDP sessions automatically
The 'established' keyword matches TCP packets with the ACK or RST bit set, indicating they belong to an existing session initiated from inside. It's used in standard ACLs to permit return traffic only. It does not apply to UDP or ICMP.
Which command removes all entries from a named ACL?
no access-list NAME
ip access-list standard NAME
clear access-list NAME
no ip access-list standard NAME
To delete a named ACL and its entries, use 'no ip access-list [standard|extended] NAME'. This removes the entire ACL. You then must re-create it from scratch if needed.
What is a reflexive ACL?
A QoS policy
An IPv6 ACL only
An ACL that mirrors traffic to a monitor port
An ACL that dynamically creates entries for return traffic
Reflexive ACLs dynamically filter traffic based on upper-layer session information. When an outbound session is permitted, a reflexive entry is created allowing return traffic. The entries are removed when the session ends.
What is a time-based ACL feature?
Schedules router reloads
Applies ACL entries only at specified times
Logs timestamps for each packet
Extends ACLs to daylight savings time
Time-based ACLs allow you to define time ranges during which specific ACL entries are active. This enables administrators to permit or deny traffic on schedules (e.g., business hours). ACLs outside the time range follow the default behavior.
Which command sequence assigns a name and sequence numbers to a standard ACL?
access-list 1 SEC; 10 permit 192.168.0.0 0.0.0.255
named-acl SEC; seq 10 permit ...
ip access-group SEC in; seq 10
ip access-list standard SEC; 10 permit 192.168.0.0 0.0.0.255
Creating a named standard ACL with sequence numbers involves 'ip access-list standard NAME' then entering rules prefixed by sequence numbers (e.g., 10, 20). This lets you insert or delete entries easily.
How does an ACL affect the router's route lookup process?
It bypasses the routing table
It modifies the routing table entries
It filters after routing decision
It always prevents routing loops
ACLs applied inbound filter packets before the routing table lookup, and outbound filters after routing decisions but before forwarding. They do not alter route entries but control which packets are forwarded.
How do VLAN ACLs (VACLs) differ from router-based ACLs?
VACLs operate on switched traffic within a VLAN
VACLs replace router ACLs on WAN links
VACLs only filter routed packets
VACLs use SNMP to update dynamically
VLAN ACLs (VACLs) are implemented on Catalyst switches to filter traffic within a VLAN regardless of direction, unlike router ACLs which filter at Layer 3 routing boundaries. VACLs apply to all VLAN traffic, including inter-VLAN routed packets. They provide micro-segmentation without routing overhead.
What is the goal of ACL optimization?
Maximize logging verbosity
Convert all ACLs to named format
Randomize entry order for security
Minimize number of entries for performance
ACL optimization reduces the number of entries and eliminates redundant rules to improve processing efficiency and reduce TCAM/CPU usage. Techniques include merging ranges and eliminating overlaps. Optimized ACLs result in faster packet processing.
Which technique helps prevent IP spoofing at the network edge?
Disable CDP
Implement uRPF (Unicast Reverse Path Forwarding)
Use larger MTU sizes
Enable SNMPv1
Unicast Reverse Path Forwarding (uRPF) verifies the reachability of source IPs via the routing table, dropping packets that fail the check. This mitigates IP spoofing by ensuring legitimate source addresses. Cisco supports strict and loose modes.
What are reflexive ACL 'self' entries used for?
Prioritize VoIP packets
Log traffic matching certain criteria
Mirror packets to a monitoring device
Track outbound sessions to permit inbound replies
Reflexive ACL self-entries track outbound sessions by creating temporary rules that permit the corresponding inbound return traffic. When the session ends or times out, the entries are removed. This ensures stateful-like behavior on stateless ACLs.
What is Cisco CoPP (Control Plane Policing)?
A feature to police traffic to the router's control plane
A load-balancing protocol
A QoS method for VoIP only
A dynamic routing protocol
Control Plane Policing (CoPP) protects the router's CPU by rate-limiting and filtering packets destined to the control plane. It uses QoS ACLs and class maps to define policies. This helps mitigate DoS attacks targeting router protocols.
How can ACLs be used to help mitigate DoS attacks?
Filter known malicious traffic patterns at the edge
Automatically patch the OS
Disable all UDP traffic
Encrypt all incoming packets
By dropping suspicious or high-volume flows (e.g., UDP flooding, malformed packets) at the network edge, ACLs reduce malicious traffic before it saturates internal links or devices. Rate limiting and specific deny statements help block attack vectors.
When would you choose a prefix-list over an ACL for route filtering?
When filtering IPv6 only
When filtering BGP routes by prefix length
When using CoPP
When filtering switch management traffic
Prefix-lists are optimized for BGP and OSPF route filtering based on network prefixes and prefix lengths. They are faster and more flexible than ACLs for routing protocols. They support ge and le modifiers for length ranges.
How do you monitor ACL hits and misses for troubleshooting?
Use SNMPv1 get-next
Check CPU utilization
Use 'show access-lists' to view hit counts
Use 'show ip route'
The 'show access-lists' command displays each ACL entry with its hit counter. Monitoring this helps verify whether traffic matches expected rules. Clearing counters with 'clear access-list counters' lets you measure fresh traffic.
What is a VRF-aware ACL?
An ACL for IPv6 only
An ACL that uses route-maps
An ACL that spans multiple routers
An ACL applied within a specific VRF context
VRF-aware ACLs reside in the context of a Virtual Routing and Forwarding instance, filtering traffic only within that VRF. They prevent leaks between VRFs. Commands like 'ip vrf NAME' then 'ip access-list' define them.
How does Cisco TrustSec differ from traditional ACLs?
Replaces BGP for large networks
Only encrypts traffic, no filtering
Is a quality-of-service framework
Uses Security Groups and SGT tags instead of IP-based rules
Cisco TrustSec implements role-based access control using Security Group Tags (SGTs) rather than relying solely on IP addresses. Policies are defined based on user or device roles. This simplifies management and enhances security in dynamic environments.
How can ACLs integrate with SNMP for dynamic updates?
ACLs natively poll SNMP for changes
Use SNMPv1 to rewrite ACL numbers
ACLs and SNMP cannot interact
Use SNMP traps to trigger TCL scripts that modify ACLs
You can configure SNMP traps to call Embedded Event Manager (EEM) or TCL scripts that adjust ACL entries dynamically based on network events. This allows automatic policy enforcement. Direct polling by ACLs is not supported.

Study Outcomes

  1. Understand ACL Fundamentals -

    Through this ACL quiz, you'll identify the main types of access control lists and their core functions in securing network traffic.

  2. Apply ACL Rules to Real-World Scenarios -

    You'll learn to interpret and construct ACL entries to permit or deny traffic based on IP addresses, protocols, and ports.

  3. Analyze ACL and Switch Interactions -

    Gain insight into how ACLs operate on different switch architectures and how they impact packet forwarding and security.

  4. Configure Basic ACL Entries on Switches -

    Practice writing and implementing standard and extended ACLs on network switches to control inbound and outbound traffic.

  5. Troubleshoot Common ACL and Switch Issues -

    Develop strategies to diagnose and resolve typical ACL misconfigurations and switch-related problems.

  6. Evaluate ACL Performance and Best Practices -

    Assess ACL efficiency and learn recommended guidelines for maintaining optimal security and network switch operations.

Cheat Sheet

  1. ACL Types & ID Ranges -

    Review the difference between standard (1 - 99) and extended (100 - 199) IPv4 ACLs as defined in Cisco documentation. For example, use access-list 10 permit 192.168.1.0 0.0.0.255 for a standard ACL and access-list 120 permit tcp any host 10.0.0.5 eq 443 for an extended rule. A good mnemonic is "Standard's Simple, Extended's Exact" to ace your acl quiz and network switch quiz prep.

  2. First-Match Logic & Implicit Deny -

    Understand that ACLs are processed top-down with a hidden "deny all" at the end, so order matters in your access-lists. If a packet matches an earlier line, the router takes that action and ignores the rest, which is critical for acl questions on your exams. Try placing specific "deny" statements before broader "permit" entries to avoid accidental access.

  3. Wildcard Masks vs Subnet Masks -

    Wildcard masks form the backbone of ACL matching by inverting subnet bits - use 0 to match and 1 to ignore, such as 0.0.0.255 to specify an entire /24 network. Unlike subnet masks, wildcard masks allow flexible host and network selections; for example, 0.0.0.3 matches only the first four IPs in a /24 range. Remember "Zero Means Match" when working through the ACL and switch question sections.

  4. Applying ACLs on Layer 3 Switches -

    For a network switch quiz, know that you apply ACLs to VLAN interfaces with ip access-group <ACL_number> in or out, restricting traffic at the switch level. Cisco VACLs (VLAN ACLs) can filter both routed and bridged traffic using the same extended ACL syntax for consistent security policies. Practice configuring ip access-group 100 in under interface Vlan10, then verify with show ip interface vlan10 to cement your switch quiz skills.

  5. Verification Commands & Testing -

    Master commands like show access-lists, show ip interface, and debug ip packet detail to verify your ACL behavior and spot mismatches. Simulate traffic in Packet Tracer or use real pings with the log option (e.g., access-list 100 deny ip any any log) for hands-on insight. Consistent testing will boost confidence for acl questions and ensure you can troubleshoot on the spot during your acl quiz and switch quiz.
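To see items 2, 3 and 5 working together (top-down first match with the implicit deny, wildcard matching where "Zero Means Match", and the per-entry hit counters that show access-lists reports), here is a small Python ACL evaluator. It is added example code written for this cheat sheet, not Cisco IOS code, and the ACL entries in it are constructed samples.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample ACL in Cisco-style syntax (not taken from a real device).
# Entries are checked top-down; the first match decides, and anything left
# over hits the implicit "deny ip any any" that ends every Cisco ACL.
SAMPLE_ACL = [
    "deny tcp host 10.0.0.7 any eq 80",
    "permit tcp host 10.0.0.5 192.168.2.0 0.0.0.255 eq 80",
    "permit ip 192.168.1.0 0.0.0.255 any",
]

@dataclass
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every IP protocol
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dport: "int | None"   # destination port from "eq N", if present
    hits: int = 0         # per-entry counter, as "show access-lists" reports

def _addr(tok, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return int(ipaddress.IPv4Address(tok[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tok[i])),
            int(ipaddress.IPv4Address(tok[i + 1])), i + 2)

def parse_entry(line):
    tok = line.split()
    src, src_wild, i = _addr(tok, 2)
    dst, dst_wild, i = _addr(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Entry(tok[0], tok[1], src, src_wild, dst, dst_wild, dport)

def wildcard_match(addr, base, wild):
    # Wildcard bit 0 = must match, bit 1 = don't care ("Zero Means Match").
    return (addr & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF)

def evaluate(acl, proto, src, dst, dport=None):
    """First match wins: returns (action, index of matching entry); index None
    means the implicit deny at the end of the list fired."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for idx, e in enumerate(acl):
        if ((e.proto == "ip" or e.proto == proto)
                and wildcard_match(s, e.src, e.src_wild)
                and wildcard_match(d, e.dst, e.dst_wild)
                and (e.dport is None or e.dport == dport)):
            e.hits += 1
            return e.action, idx
    return "deny", None
```

Build the list with `[parse_entry(l) for l in SAMPLE_ACL]`, run a few packets through `evaluate`, and the `hits` fields then play the role of the counters you would read with show access-lists.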
