Which three statements about applying access control lists to a Cisco router are true? (Choose three.)
A. Place more specific ACL entries at the top of the ACL.
B. Place generic ACL entries at the top of the ACL to filter general traffic and thereby reduce “noise” on the network.
C. ACLs always search for the most specific entry before taking any filtering action.
D. Router-generated packets cannot be filtered by ACLs on the router.
E. If an access list is applied but it is not configured, all traffic passes.
Correct Answer: ADE
Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-acl-ov-gdl.html
The Order in Which You Enter Criteria Statements
Note that each additional criteria statement that you enter is appended to the end of the access list statements.
Also note that you cannot delete individual statements after they have been created. You can only delete an entire access list.
The order of access list statements is important! When the router is deciding whether to forward or block a packet, the Cisco IOS software tests the packet against each criteria statement in the order in which the statements were created. After a match is found, no more criteria statements are checked.
If you create a criteria statement that explicitly permits all traffic, no statements added later will ever be checked. If you need additional statements, you must delete the access list and retype it with the new entries.
Apply an Access Control List to an Interface
With some protocols, you can apply up to two access lists to an interface: one inbound access list and one outbound access list. With other protocols, you apply only one access list that checks both inbound and outbound packets.
If the access list is inbound, when a device receives a packet, Cisco software checks the access list’s criteria statements for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet. If the access list is outbound, after receiving and routing a packet to the outbound interface, Cisco software checks the access list’s criteria statements for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.
Note
Access lists that are applied to interfaces on a device do not filter traffic that originates from that device.
The access list check is bypassed for locally generated packets, which are always outbound. By default, locally generated traffic bypasses an access list that is applied outbound on an interface, but transit traffic is subject to the outbound access list check.
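
The first-match rule from "The Order in Which You Enter Criteria Statements" and the note on locally generated packets can be checked with the following added example, which is not Cisco code and not part of the original page. It models an ACL as an ordered list of source-prefix entries; the names `Entry`, `evaluate` and `shadowed` and the sample addresses are assumptions, and the implicit deny at the end of a non-empty list is standard IOS behaviour that the page does not state.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:               # hypothetical model of one standard-ACL criteria statement
    action: str            # "permit" or "deny"
    source: str            # source prefix in CIDR form (constructed sample values)

def evaluate(acl, src_ip, direction="in", locally_generated=False):
    """Return (action, index of the matching entry or None) for one packet."""
    # Packets the router itself originates bypass the outbound ACL check.
    if direction == "out" and locally_generated:
        return ("permit", None)
    # An ACL that is applied but has no entries passes all traffic.
    if not acl:
        return ("permit", None)
    addr = ipaddress.ip_address(src_ip)
    for index, entry in enumerate(acl):
        if addr in ipaddress.ip_network(entry.source):
            return (entry.action, index)   # first match wins, nothing later is tested
    # Standard IOS behaviour (not stated on the page): implicit deny at the end.
    return ("deny", None)

def shadowed(acl):
    """Indexes of entries that can never match because an earlier entry covers them."""
    hidden = []
    for index, entry in enumerate(acl):
        net = ipaddress.ip_network(entry.source)
        if any(net.subnet_of(ipaddress.ip_network(p.source)) for p in acl[:index]):
            hidden.append(index)
    return hidden

# Constructed sample ACLs: same two entries, different order.
GENERIC_FIRST = [Entry("permit", "0.0.0.0/0"), Entry("deny", "10.1.1.0/24")]
SPECIFIC_FIRST = [Entry("deny", "10.1.1.0/24"), Entry("permit", "0.0.0.0/0")]

if __name__ == "__main__":
    for name, acl in (("generic first", GENERIC_FIRST), ("specific first", SPECIFIC_FIRST)):
        print(name, evaluate(acl, "10.1.1.7"), "unreachable entries:", shadowed(acl))
    print("empty ACL:", evaluate([], "10.1.1.7"))
    print("router-originated, outbound:",
          evaluate(SPECIFIC_FIRST, "10.1.1.7", "out", locally_generated=True))
```

Running `shadowed` over an ACL before applying it flags entries that the ordering has made unreachable, which is the failure mode answer B would produce.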