- A. In an inbound access list, packets are filtered as they enter an interface.
- B. In an inbound access list, packets are filtered before they exit an interface.
- C. Extended access lists are used to filter protocol-specific packets.
- D. You must specify a deny statement at the end of each access list to filter unwanted traffic.
- E. When a line is added to an existing access list, it is inserted at the beginning of the access list.
In an inbound access list, packets are filtered as they enter an interface. Extended access lists are used to filter protocol-specific packets. Access lists can be used in a variety of situations when the router needs to be given guidelines for decision-making. These situations include:
- Filtering traffic as it passes through the router
- Controlling access to the VTY lines (Telnet)
- Identifying “interesting” traffic to invoke Demand Dial Routing (DDR) calls
- Filtering and controlling routing updates from one router to another
There are two types of access lists, standard and extended.
Standard access lists are applied as close to the destination as possible (outbound), and can only base their filtering criteria on the source IP address. The number used while creating an access list specifies the type of access list created. The range used for standard access lists is 1 to 99 and 1300 to 1999. Extended access lists are applied as close to the source as possible (inbound), and can base their filtering criteria on the source or destination IP address, or on the specific protocol being used. The range used for extended access lists is 100 to 199 and 2000 to 2699.
Other features of access lists include:
- Inbound access lists are processed before the packet is routed.
- Outbound access lists are processed after the packet has been routed to an exit interface.
- An “implicit deny” is at the bottom of every access list, which means that if a packet has not matched any preceding access list condition, it will be filtered (dropped).
- Access lists require at least one permit statement, or all packets will be filtered (dropped).
- One access list may be configured per direction for each Layer 3 protocol configured on an interface.

The option stating that in an inbound access list, packets are filtered before they exit an interface is incorrect. Packets are filtered as they exit an interface when using an outbound access list.

The option stating that a deny statement must be specified at the end of each access list in order to filter unwanted traffic is incorrect. There is an implicit deny at the bottom of every access list.

When a line is added to an existing access list, it is not inserted at the beginning of the access list. It is inserted at the end. This should be taken into consideration. For example, given the following access list, executing the command `access-list 110 deny tcp 192.168.5.0 0.0.0.255 any eq www` would have NO effect on the packets being filtered, because it would be inserted at the end of the list, AFTER the line that allows all traffic:

```
access-list 110 permit ip host 192.168.5.1 any
access-list 110 deny icmp 192.168.5.0 0.0.0.255 any echo
access-list 110 permit ip any any
```
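To make the first-match, implicit-deny and append-at-the-end behaviour concrete, here is a small evaluator written for this explanation; it is not Cisco IOS code and not part of the original answer. It parses a subset of the numbered extended access-list syntax used above (`host`, `any`, address plus wildcard mask, `eq <port>`, and an ICMP type keyword), appends each new line at the end the way a numbered ACL does, and evaluates constructed sample packets against access list 110 with the late `deny tcp ... eq www` line placed last (no effect) and placed first (blocks HTTP). The sample packets and the 203.0.113.7 destination are constructed for the demonstration.

```python
"""Tiny first-match evaluator for numbered IOS-style extended ACLs (illustrative only)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A few IOS port keywords; unknown keywords fall back to a numeric port
PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "smtp": 25, "domain": 53}


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    # A contiguous IOS wildcard mask is the inverted subnet mask: 0.0.0.255 -> /24
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{tok}/{netmask}", strict=False)


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    protocol: str               # "ip" matches every IP protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    src_port: Optional[int]
    dst_port: Optional[int]
    icmp_type: Optional[str]    # e.g. "echo"
    text: str                   # the original line, for reporting

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and self.protocol != pkt["proto"]:
            return False
        if ipaddress.IPv4Address(pkt["src"]) not in self.src:
            return False
        if ipaddress.IPv4Address(pkt["dst"]) not in self.dst:
            return False
        if self.src_port is not None and pkt.get("sport") != self.src_port:
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        if self.icmp_type is not None and pkt.get("icmp_type") != self.icmp_type:
            return False
        return True


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("expected 'access-list <number> ...'")
    number = int(tokens[1])
    if not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError(f"{number} is not an extended access list number")
    action, protocol, rest = tokens[2], tokens[3], tokens[4:]
    src = _parse_addr(rest)
    src_port = dst_port = icmp_type = None
    if rest and rest[0] == "eq":            # optional source port operator
        rest.pop(0)
        src_port = _port(rest.pop(0))
    dst = _parse_addr(rest)
    if rest and rest[0] == "eq":            # optional destination port operator
        rest.pop(0)
        dst_port = _port(rest.pop(0))
    elif rest and protocol == "icmp":       # trailing ICMP type keyword
        icmp_type = rest.pop(0)
    return Ace(action, protocol, src, dst, src_port, dst_port, icmp_type, line)


class AccessList:
    def __init__(self) -> None:
        self.entries: List[Ace] = []

    def add(self, line: str) -> None:
        self.entries.append(parse_ace(line))   # new lines always go at the END

    def evaluate(self, pkt: dict) -> Tuple[str, str]:
        for ace in self.entries:               # first matching line wins
            if ace.matches(pkt):
                return ace.action, ace.text
        return "deny", "implicit deny"         # no match: packet is dropped


# The access list from the explanation above
PAGE_ACL = [
    "access-list 110 permit ip host 192.168.5.1 any",
    "access-list 110 deny icmp 192.168.5.0 0.0.0.255 any echo",
    "access-list 110 permit ip any any",
]
LATE_DENY = "access-list 110 deny tcp 192.168.5.0 0.0.0.255 any eq www"

# Constructed sample packets from the 192.168.5.0/24 LAN to a constructed server address
WEB_PKT = {"proto": "tcp", "src": "192.168.5.10", "dst": "203.0.113.7", "dport": 80}
PING_PKT = {"proto": "icmp", "src": "192.168.5.10", "dst": "203.0.113.7", "icmp_type": "echo"}


def decide(lines: List[str], pkt: dict) -> Tuple[str, str]:
    """Build an ACL from lines (in order) and return (action, matching line)."""
    acl = AccessList()
    for line in lines:
        acl.add(line)
    return acl.evaluate(pkt)


if __name__ == "__main__":
    print(decide(PAGE_ACL, WEB_PKT))                  # permit via 'permit ip any any'
    print(decide(PAGE_ACL + [LATE_DENY], WEB_PKT))    # still permit: deny sits behind it
    print(decide([LATE_DENY] + PAGE_ACL, WEB_PKT))    # deny: same line, placed first
    print(decide(PAGE_ACL, PING_PKT))                 # deny: echo from the LAN
    print(decide([PAGE_ACL[0]], WEB_PKT))             # deny: implicit deny, nothing matched
```

The evaluator stops at the first line whose fields all match, which is why the appended `deny tcp ... eq www` never sees the HTTP packet: `permit ip any any` ahead of it has already decided the packet. Rebuilding the list with the deny line first (or, on real IOS, using a named or sequenced ACL so the line can be placed above the permit) is what actually changes the outcome. Non-contiguous wildcard masks are deliberately not supported by this toy parser.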