What is the purpose of an explicit "deny any" statement at the end of an ACL?
A.
none, since it is implicit
B.
to enable Cisco IOS IPS to work properly; however, it is the deny all traffic entry that is actually required
C.
to enable Cisco IOS Firewall to work properly; however, it is the deny all traffic entry that is actually required
D.
to allow the log option to be used to log any matches
E.
to prevent sync flood attacks
F.
to prevent half-opened TCP connections
Explanation:
As we know, there is always a deny all line at the end of each access-list to drop all other traffic that doesnt match any permit lines.
You can enter your own explicit deny with the log keyword to see what are actually blocked , like this:Router(config)# access-list 1 permit 192.168.30.0 0.0.0.255
Router(config)# access-list 1 deny any logNote: The log keyword can be used to provide additional detail about source and destinations for a given protocol.
Although this keyword provides valuable insight into the details of ACL hits, excessive hits to an ACL entry that uses the log keyword increase CPU utilization.
The performance impact associated with logging varies by platform. Also, using the log keyword disables Cisco Express Forwarding (CEF) switching for packets that match the access-list statement.
Those packets are fast switched instead.