According to Cisco best practices, which of the following is true about the ideal application of an extended
access list? (Select the best answer.)
A.
It should be applied in the inbound direction on the interface that is as close to the destination as possible.
B.
It should be applied in the outbound direction on the interface that is as close to the destination as possible.
C.
It should be applied in the inbound direction on the interface that is as close to the source as possible.
D.
It should be applied in the outbound direction on the interface that is as close to the source as possible.
Explanation:
According to Cisco best practices, extended access control lists (ACLs) should be applied in the inbound
direction on the interface that is as close to the source as possible. ACLs are used to identify traffic. Once
identified, the traffic can then be filtered, analyzed, forwarded, or influenced in various ways. ACLs can be
identified by an access list number or an access list name. Numbered ACLs ranging from 1 through 99 are
standard ACLs and can identify traffic based on only the source IP address. Numbered ACLs ranging from 100
through 199 are extended ACLs and can identify traffic based on source and destination IP addresses as well
as traffic type.
ACLs can consist of multiple access list statements, which are also known as access control entries (ACEs).
Packets are compared to each statement in sequence until a match is found. The permit and deny keywords
are used to indicate whether matching packets should be forwarded or dropped, respectively. If the packet does
not match any of the access list statements, the packet is dropped. This is called the implicit deny rule: all
traffic is dropped unless it is matched by one of the access list statements that is configured with the permit
keyword.
An ACL does not perform an action until it is applied to an interface. Only one ACL can be configured per
interface per direction. This means that a particular interface can be configured for one inbound and one
outbound ACL. According to Cisco best practices, extended IP ACLs should be placed as close as possible to
the source of traffic because extended ACLs have the ability to specify a destination IP address and port. By
contrast, standard ACLs should be placed as close to the destination network as possible because they can
filter addresses based on only the source IP address. If a standard ACL is placed too close to the source
network, it is possible that the limited granularity of the standard ACL could unintentionally cause legitimate
traffic to be filtered.
Reference: Cisco: Configuring IP Access Lists: Apply ACLs
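To make the sequential matching, the implicit deny and the standard-versus-extended distinction concrete, here is an added Python example (not from the page and not Cisco's code) that evaluates a packet against a small ACL written in IOS syntax; the networks, the ACL contents and the packets are constructed samples. The standard-ACL case shows why placing it near the source filters legitimate web traffic along with the Telnet it was meant to block.

```python
import ipaddress

def _wild_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'ignore this bit' when comparing."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)

def ace_matches(ace, pkt, extended):
    """Does one access control entry (ACE) match the packet?"""
    tokens = ace.split()[1:]                  # drop the permit/deny keyword
    if not extended:                          # standard ACE: source address only
        return _wild_match(pkt["src"], *_take_addr(tokens))
    proto = tokens.pop(0)
    if proto != "ip" and proto != pkt["proto"]:
        return False
    src_ok = _wild_match(pkt["src"], *_take_addr(tokens))
    dst_ok = _wild_match(pkt["dst"], *_take_addr(tokens))
    if not (src_ok and dst_ok):
        return False
    if tokens and tokens[0] == "eq":          # optional destination-port qualifier
        return pkt.get("dport") == int(tokens[1])
    return True

def evaluate(acl, pkt, extended):
    """First-match evaluation in order; no match at all is the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt, extended):
            return ace.split()[0]
    return "deny"

# Constructed sample policy (not from the page): block Telnet from the 10.1.1.0/24
# LAN to the 192.168.5.0/24 server network, allow everything else from that LAN.
EXTENDED_ACL = ["deny tcp 10.1.1.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 23",
                "permit ip 10.1.1.0 0.0.0.255 any"]
# The closest a standard ACL can get: it can only name the source network.
STANDARD_ACL = ["deny 10.1.1.0 0.0.0.255", "permit any"]

TELNET = {"src": "10.1.1.7", "dst": "192.168.5.10", "proto": "tcp", "dport": 23}
WEB = {"src": "10.1.1.7", "dst": "192.168.5.10", "proto": "tcp", "dport": 80}
OUTSIDER = {"src": "172.16.0.9", "dst": "192.168.5.10", "proto": "tcp", "dport": 80}
```

Running `evaluate(EXTENDED_ACL, WEB, True)` returns "permit" while `evaluate(STANDARD_ACL, WEB, False)` returns "deny", and a packet from a source no ACE names falls through to the implicit deny.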