When is “Deny all” policy an exception in Zone Based Firewall
A.
traffic traverses 2 interfaces in same zone
B.
traffic sources from router via self zone
C.
traffic terminates on router via self zone
D.
traffic traverses 2 interfaces in different zones
E.
traffic terminates on router via self zone
Explanation:
BD
+ There is a default zone, called the self zone, which is a logical zone. For any packets directed to the router
directly (the destination IP represents the packet is for the router), the router automatically considers that traffic
to be entering the self zone. In addition, any traffic initiated by the router is considered as leaving the self zone.
By default, any traffic to or from the self zone is allowed, but you can change this policy.
+ For the rest of the administrator-created zones, no traffic is allowed between interfaces in different zones.
+ For interfaces that are members of the same zone, all traffic is permitted by default.
Source: Cisco Official Certification Guide, Zones and Why We Need Pairs of Them, p.380