Which of the following statements are TRUE regarding Cisco access lists? (Choose two.)
A.
In an inbound access list, packets are filtered as they enter an interface.
B.
In an inbound access list, packets are filtered before they exit an interface.
C.
Extended access lists are used to filter protocol-specific packets.
D.
Youmust specify a deny statement at the end of each access list to filter unwanted traffic.
E.
When a line is added to an existing access list, it is inserted at the beginning of the access
list.
Explanation:
In an inbound access list, packets are filtered as they enter an interface. Extended access lists
are used to filter protocol specific packets. Access lists can be used in a variety of situations
when the router needs to be given guidelines for decision-making. These situations include:
Filtering traffic as it passes through the router
Tocontrol access to the VTY lines (Telnet)
Toidentify “interesting” traffic to invoke Demand Dial Routing (DDR) calls
Tofilter and control routing updates from one router to another
There are two types of access lists, standard and extended. Standard access lists are applied as
close to the destination as possible (outbound), and can only base their filtering criteria on the
source IP address. The number used while creating an access list specifies the type of access list
created. The range used for standard access lists is 1 to 99 and 1300 to 1999. Extended access
lists are applied as close to the source as possible (inbound), and can base their filtering criteria
on the source or destination IP address, or on the specific protocol being used. The range used
for extended access lists is 100 to 199 and 2000 to 2699.
Other features of access lists include:
Inbound access lists are processed before the packet is routed.
Outbound access lists are processed after the packet has been routed to an exit interface.
An “implicit deny” is at the bottom of every access list, which means that if a packet has not
matched any preceding access list condition, it will be filtered (dropped).
Access lists require at least one permit statement, or all packets will be filtered (dropped).
One access list may be configured per direction for each Layer 3 protocol configured on an
interface The option stating that in an inbound access list, packets are filtered before they exit
an interface is incorrect.
Packets are filtered as they exit an interface when using an outbound access list.
The option stating that a deny statement must be specified at the end of each access list in
order to filter unwanted traffic is incorrect. There is an implicit deny at the bottom of every
access list.
When a line is added to an existing access list, it is not inserted at the beginning of the access
list. It is inserted at the end. This should be taken into consideration. For example, given the
following access list, executing the command access-list 110 deny tcp 192.168.5.0 0.0.0.255 any
eq www would have NO effect on the packets being filtered because it would be inserted at the
end of the list, AFTER the line that allows all traffic.
access-list 110 permit ip host 192.168.5.1 any
access-list 110 deny icmp 192.168.5.0 0.0.0.255 any echo
access-list 110 permit any any