What is the purpose of an explicit "deny any" statement at the end of an ACL?

A.
none, since it is implicit

B.
to enable Cisco IOS IPS to work properly; however, it is the deny all traffic entry that is actually required

C.
to enable Cisco IOS Firewall to work properly; however, it is the deny all traffic entry that is actually required

D.
to allow the log option to be used to log any matches

E.
to prevent sync flood attacks

F.
to prevent half-opened TCP connections

Explanation:
As we know, there is always an implicit “deny all” line at the end of each access-list that drops all other traffic
that doesn’t match any “permit” lines. You can enter your own explicit deny with the “log” keyword
to see what is actually being blocked, like this:
Router(config)# access-list 1 permit 192.168.30.0 0.0.0.255
Router(config)# access-list 1 deny any log
Note: The log keyword can be used to provide additional detail about source and destinations for a
given protocol. Although this keyword provides valuable insight into the details of ACL hits,
excessive hits to an ACL entry that uses the log keyword increase CPU utilization. The
performance impact associated with logging varies by platform. Also, using the log keyword
disables Cisco Express Forwarding (CEF) switching for packets that match the access-list
statement. Those packets are fast switched instead.
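As an added illustration (not part of the original question or its explanation), the Python below simulates first-match evaluation of the ACL from the explanation, including the implicit deny at the end, and shows that a log record is produced only when the packet hits an explicit entry carrying the log keyword. The ACL lines are the two from the explanation; the log-entry format is a simplified stand-in, not the real IOS message.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample ACLs, modelled on the explanation above.
ACL_WITH_EXPLICIT_DENY = [
    "access-list 1 permit 192.168.30.0 0.0.0.255",
    "access-list 1 deny any log",
]
ACL_IMPLICIT_DENY_ONLY = [
    "access-list 1 permit 192.168.30.0 0.0.0.255",
]

@dataclass
class Ace:
    action: str      # "permit" or "deny"
    network: int     # network address as an integer
    wildcard: int    # Cisco wildcard mask: 1 bits are "don't care"
    log: bool = False

    def matches(self, src: str) -> bool:
        # Mask off the don't-care bits on both sides before comparing.
        care = ~self.wildcard & 0xFFFFFFFF
        addr = int(ipaddress.IPv4Address(src))
        return (addr & care) == (self.network & care)

def parse_ace(line: str) -> Ace:
    # Standard ACL syntax: access-list <n> <action> <addr> [<wildcard>] [log]
    # or: access-list <n> <action> any [log]
    parts = line.split()
    action, target = parts[2], parts[3]
    log = parts[-1] == "log"
    if target == "any":
        return Ace(action, 0, 0xFFFFFFFF, log)
    net = int(ipaddress.IPv4Address(target))
    # A missing wildcard means a single host (wildcard 0.0.0.0).
    wc = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 and parts[4] != "log" else 0
    return Ace(action, net, wc, log)

def evaluate(acl_lines, src):
    """Return (action, log_entry). First match wins. Every ACL ends with an
    implicit 'deny any', but that implicit entry never generates a log entry."""
    for ace in map(parse_ace, acl_lines):
        if ace.matches(src):
            entry = f"list 1 {ace.action} {src}" if ace.log else None
            return ace.action, entry
    return "deny", None  # implicit deny: dropped silently, nothing logged
```

Comparing the two ACLs on the same denied source shows the only difference the explicit entry makes: the packet is dropped either way, but only the explicit deny any log produces a record a defender can review.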


