If the provided ACEs are in the same ACL, which ACE should be listed first in the ACL according to best practice?
- permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
- deny udp any host 172.16.1.5 eq snmptrap
- deny tcp any any eq telnet
- permit ip any any
- permit udp any any range 10000 20000
- permit tcp 172.16.0.0 0.0.3.255 any established
Explanation: A best practice for configuring an extended ACL is to ensure that the most specific ACE is placed higher in the ACL. Consider the two permit UDP statements. If both of these were in an ACL, the SNMP ACE is more specific than the UDP statement that permits a range of 10,001 UDP port numbers. The SNMP ACE would be entered before the other UDP ACE. The ACEs from most specific to least specific are as follows:
permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
deny udp any host 172.16.1.5 eq snmptrap
permit tcp 172.16.0.0 0.0.3.255 any established
deny tcp any any eq telnet
permit udp any any range 10000 20000
permit ip any any
Exam with this question: CCNA Security Chapter 4 Exam Answers
Exam with this question: Network Security ( Version 1) - Network Security 1.0 Modules 8-10: ACLs and Firewalls Group Exam Answers
Exam with this question: CCNA 3 v7 Module 4 Quiz - ACL Concepts
Please login or Register to submit your answer