If the provided ACEs are in the same ACL, which ACE should be listed first in the ACL according to best practice?

Category: CCNA Security
Asked by ITExamAnswers Staff, 4 months ago

  • permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
  • deny udp any host 172.16.1.5 eq snmptrap
  • deny tcp any any eq telnet
  • permit ip any any
  • permit udp any any range 10000 20000
  • permit tcp 172.16.0.0 0.0.3.255 any established

Explanation: A best practice for configuring an extended ACL is to ensure that the most specific ACE is placed higher in the ACL. Consider the two permit UDP statements. If both of these were in an ACL, the SNMP ACE is more specific than the UDP statement that permits a range of 10,001 UDP port numbers. The SNMP ACE would be entered before the other UDP ACE. The ACEs from most specific to least specific are as follows:
permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
deny udp any host 172.16.1.5 eq snmptrap
permit tcp 172.16.0.0 0.0.3.255 any established
deny tcp any any eq telnet
permit udp any any range 10000 20000
permit ip any any
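As an added illustration (not part of the original question or answer), the Python below models the router's first-match evaluation over the six ACEs above, and adds a coverage check that flags any ACE an earlier ACE makes unreachable, which is what a wrong ordering produces. The packet values are constructed; the parser handles only the ACE syntax used in this question (any / host / contiguous wildcard addresses, eq / range destination ports, established) and port names snmptrap and telnet.

```python
from collections import namedtuple
from ipaddress import ip_network

ACL = [
    "permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap",
    "deny udp any host 172.16.1.5 eq snmptrap",
    "permit tcp 172.16.0.0 0.0.3.255 any established",
    "deny tcp any any eq telnet",
    "permit udp any any range 10000 20000",
    "permit ip any any",
]
Ace = namedtuple("Ace", "action proto src dst lo hi established")

def _addr(tok):  # consume 'any', 'host A' or 'A WILDCARD'; a contiguous Cisco wildcard is a hostmask
    if tok[0] == "any":
        return ip_network("0.0.0.0/0"), tok[1:]
    return ip_network(tok[1] if tok[0] == "host" else (tok[0], tok[1]), strict=False), tok[2:]

def _ports(tok):  # consume an optional 'eq P' / 'range LO HI' qualifier; default is every port
    if tok and tok[0] in ("eq", "range"):
        lo = {"snmptrap": 162, "telnet": 23}.get(tok[1]) or int(tok[1])
        hi = int(tok[2]) if tok[0] == "range" else lo
        return (lo, hi), tok[3 if tok[0] == "range" else 2:]
    return (0, 65535), tok

def parse_ace(line):
    """Parse one extended ACE into its match fields (a source-port qualifier is consumed but ignored)."""
    action, proto, *rest = line.split()
    src, rest = _addr(rest)
    _, rest = _ports(rest)
    dst, rest = _addr(rest)
    (lo, hi), rest = _ports(rest)
    return Ace(action, proto, src, dst, lo, hi, "established" in rest)

def covers(a, b):
    """True when a matches every packet b matches; b may be a single packet built by evaluate()."""
    return ((a.proto == "ip" or a.proto == b.proto) and b.src.subnet_of(a.src)
            and b.dst.subnet_of(a.dst) and a.lo <= b.lo and b.hi <= a.hi
            and (not a.established or b.established))

def evaluate(acl, proto, src, dst, dport, established=False):
    """First-match lookup: (action, index); the implicit deny at the end gets index len(acl)."""
    pkt = Ace(None, proto, ip_network(src), ip_network(dst), dport, dport, established)
    hit = next(((a.action, i) for i, a in enumerate(map(parse_ace, acl)) if covers(a, pkt)), None)
    return hit or ("deny", len(acl))

def shadowed(acl):
    """Indexes of ACEs no packet can reach because one earlier ACE already covers all of their traffic."""
    aces = list(map(parse_ace, acl))
    return [j for j, b in enumerate(aces) if any(covers(a, b) for a in aces[:j])]
```

In the explanation's order `shadowed(ACL)` is empty; swapping the two SNMP ACEs makes the inside-network permit unreachable, and putting `permit ip any any` first shadows every other ACE, including the telnet deny.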
