PrepAway - Latest Free Exam Questions & Answers

Which priority is most important when you plan out access control lists?

A. Build ACLs based upon your security policy.

B. Always put the ACL closest to the source of origination.

C. Place deny statements near the top of the ACL to prevent unwanted traffic from passing
through the router.

D. Always test ACLs in a small, controlled production environment before you roll it out into the
larger production network.

Explanation:
Packet filtering can help limit network traffic and restrict network use by certain users or devices.
ACLs filter traffic as it passes through a router or switch and permit or deny packets crossing
specified interfaces or VLANs. An ACL is a sequential collection of permit and deny conditions that
apply to packets. When a packet is received on an interface, the switch compares the fields in the
packet against any applied ACLs to verify that the packet has the required permissions to be
forwarded, based on the criteria specified in the access lists. One by one, it tests packets against
the conditions in an access list. The first match decides whether the switch accepts or rejects the
packets. Because the switch stops testing after the first match, the order of conditions in the list is
critical. If no conditions match, the switch rejects the packet. If there are no restrictions, the switch
forwards the packet; otherwise, the switch drops the packet. The switch can use ACLs on all
packets it forwards, including packets bridged within a VLAN.
You configure access lists on a router or Layer 3 switch to provide basic security for your network.
If you do not configure ACLs, all packets passing through the switch could be allowed onto all
parts of the network. You can use ACLs to control which hosts can access different parts of a
network or to decide which types of traffic are forwarded or blocked at router interfaces. For
example, you can allow e-mail traffic to be forwarded but not Telnet traffic. ACLs can be
configured to block inbound traffic, outbound traffic, or both.
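
An added example (not part of the original explanation or of the referenced Cisco document): a small Python model of first-match ACL evaluation with the implicit deny, plus a check for rules that an earlier entry makes unreachable. The Rule fields, the 10.0.0.0/8 network and both sample lists are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source network in CIDR form
    dport: Optional[int]  # TCP destination port; None means any port

    def matches(self, src_ip: str, dport: int) -> bool:
        in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
        return in_net and self.dport in (None, dport)

    def covers(self, other: "Rule") -> bool:
        """True if every packet that matches `other` also matches this rule."""
        mine, theirs = ipaddress.ip_network(self.src), ipaddress.ip_network(other.src)
        return theirs.subnet_of(mine) and self.dport in (None, other.dport)


def evaluate(acl, src_ip, dport):
    """Return (action, index of deciding rule); index None = implicit deny."""
    for index, rule in enumerate(acl):
        if rule.matches(src_ip, dport):
            return rule.action, index  # first match decides, testing stops
    return "deny", None                # no condition matched: packet rejected


def shadowed(acl):
    """Indexes of rules no packet can reach because an earlier rule covers them."""
    return [i for i, rule in enumerate(acl)
            if any(earlier.covers(rule) for earlier in acl[:i])]


# Constructed policy: hosts in 10.0.0.0/8 may send e-mail (TCP 25) but not Telnet (TCP 23).
SPECIFIC_FIRST = [Rule("deny", "10.0.0.0/8", 23), Rule("permit", "10.0.0.0/8", None)]
BROAD_FIRST = [Rule("permit", "10.0.0.0/8", None), Rule("deny", "10.0.0.0/8", 23)]

if __name__ == "__main__":
    for name, acl in (("specific first", SPECIFIC_FIRST), ("broad first", BROAD_FIRST)):
        print(name, "telnet:", evaluate(acl, "10.1.2.3", 23),
              "smtp:", evaluate(acl, "10.1.2.3", 25),
              "outside host:", evaluate(acl, "192.0.2.9", 25),
              "shadowed rules:", shadowed(acl))
```

With the broad permit first, the Telnet deny is never evaluated, so the same two entries enforce a different policy depending only on their order.
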
Depending on your security policy, the Layer 3 ACLs can be as simple as not allowing IP traffic
from the non-voice VLANs to access the voice gateway in the network, or the ACLs can be
detailed enough to control the individual ports and the time of the day that are used by other
devices to communicate to IP Telephony devices. As the ACLs become more granular and
detailed, any changes in port usage in a network could break not only voice but also other
applications in the network.
Reference:
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab10/collab10/security.html#pgfId-1045388