What is the purpose of an explicit "deny any" statement at the end of an ACL?
A.
none, since it is implicit
B.
to enable Cisco IOS IPS to work properly; however, it is the deny all traffic entry that is actually required
C.
to enable Cisco IOS Firewall to work properly; however, it is the deny all traffic entry that is actually required
D.
to allow the log option to be used to log any matches
E.
to prevent sync flood attacks
F.
to prevent half-opened TCP connections
Explanation:
As we know, there is always a deny all line at the end of each access-list to drop all other traffic that doesnt match any permit lines.
You can enter your own explicit deny with the log keyword to see what are actually blocked , like this:Router(config)# access-list 1 permit 192.168.30.0 0.0.0.255
Router(config)# access-list 1 deny any logNote: The log keyword can be used to provide additional detail about source and destinations for a given protocol.
Although this keyword provides valuable insight into the details of ACL hits, excessive hits to an ACL entry that uses the log keyword increase CPU utilization.
The performance impact associated with logging varies by platform. Also, using the log keyword disables Cisco Express Forwarding (CEF) switching for packets that match the access-list statement.
Those packets are fast switched instead.
As we know, there is always a “deny all” line at the end of each access-list to drop all other traffic that doesn’t match any “permit” lines. You can enter your own explicit deny with the “log” keyword to see what are actually blocked , like this:
Router(config)# access-list 1 permit 192.168.30.0 0.0.0.255
Router(config)# access-list 1 deny any log
Note: The log keyword can be used to provide additional detail about source and destinations for a given protocol. Although this keyword provides valuable insight into the details of ACL hits, excessive hits to an ACL entry that uses the log keyword increase CPU utilization. The performance impact associated with logging varies by platform. Also, using the log keyword disables Cisco Express Forwarding (CEF) switching for packets that match the access-list statement. Those packets are fast switched instead.
Shouldn’t the answer be “E”. The deny all statement would block TCP sync floods from IP address that you don’t want connecting into your network. Why would someone say the answer is “D.” That’s not the purpose of the deny all statement…
Nevermind, I understand the question. I was think they were talking about the implicit or existing “deny all” statement at the end of the ACL. Yeah, the reason you would use an explicit deny all statment is to log messages…ok, i get it. I guess if the question itself was explicit or more clearer then they would practically give the answer away.
Nevermind, I understand the question. I was thinking they were talking about the implicit or existing “deny all” statement at the end of the ACL. Yeah, the reason you would use an explicit deny all statment is to log messages…ok, i get it. I guess if the question itself was explicit or more clearer then they would practically give the answer away.
Current exam has completely different set of questions.