Which statement about an access control list that is applied to a router interface is true?
A. It only filters traffic that passes through the router.
B. It filters pass-through and router-generated traffic.
C. An empty ACL blocks all traffic.
D. It filters traffic in the inbound and outbound directions.
Explanation/Reference:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-acl-ov-gdl.html
The Order in Which You Enter Criteria Statements
Note that each additional criteria statement that you enter is appended to the end of the access list statements.
Also note that you cannot delete individual statements after they have been created. You can only delete an entire access list.
The order of access list statements is important! When the router is deciding whether to forward or block a packet, the Cisco IOS software tests the packet against each criteria statement in the order in which the statements were created. After a match is found, no more criteria statements are checked.
If you create a criteria statement that explicitly permits all traffic, no statements added later will ever be checked. If you need additional statements, you must delete the access list and retype it with the new entries.
Apply an Access Control List to an Interface
With some protocols, you can apply up to two access lists to an interface: one inbound access list and one outbound access list. With other protocols, you apply only one access list that checks both inbound and outbound packets.
If the access list is inbound, when a device receives a packet, Cisco software checks the access list’s criteria statements for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet. If the access list is outbound, after receiving and routing a packet to the outbound interface, Cisco software checks the access list’s criteria statements for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.
Note
Access lists that are applied to interfaces on a device do not filter traffic that originates from that device.
The access list check is bypassed for locally generated packets, which are always outbound. By default, locally generated traffic bypasses an access list that is applied outbound on an interface, whereas transit traffic is subjected to the outbound access list check.
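
The first-match ordering and the locally generated traffic bypass described above can be modelled in a few lines. This Python sketch is an added example, not code from Cisco or from the original page; the sample ACL, the function names and the source-address-only match are assumptions made for illustration.

```python
import ipaddress

# Constructed sample ACL (not from the page), in the order the statements
# were entered. Each statement is (action, source network), as in a
# standard (source-only) access list.
ACL = [
    ("deny",   "10.1.1.0/24"),
    ("permit", "0.0.0.0/0"),       # explicitly permits all traffic
    ("deny",   "192.168.5.0/24"),  # appended later: can it ever match?
]

def evaluate(acl, src, locally_generated=False, direction="in"):
    """Return (action, index of the matching statement or None).

    Assumes the list holds at least one statement."""
    # Per the note: locally generated packets are always outbound and
    # bypass the outbound access list check.
    if locally_generated and direction == "out":
        return ("permit", None)
    addr = ipaddress.ip_address(src)
    for i, (action, net) in enumerate(acl):
        if addr in ipaddress.ip_network(net):
            # First match wins; no later statement is checked.
            return (action, i)
    # Assumption (IOS behaviour, not stated on the page): a non-empty
    # list ends with an implicit deny.
    return ("deny", None)

def shadowed(acl):
    """Indexes of statements that can never match because one earlier
    statement already covers their whole source range."""
    nets = [ipaddress.ip_network(n) for _, n in acl]
    return [i for i, n in enumerate(nets)
            if any(n.subnet_of(earlier) for earlier in nets[:i])]

if __name__ == "__main__":
    print(evaluate(ACL, "192.168.5.9"))   # matched by the permit-all statement
    print(shadowed(ACL))                  # statements that are never reached
```

Running `shadowed()` over a list before applying it flags statements that were appended after a broader one and therefore never take effect.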