PrepAway - Latest Free Exam Questions & Answers

Which three statements about applying access control lists to a Cisco router are true?

Which three statements about applying access control lists to a Cisco router are true? (Choose three.)

A. Place more specific ACL entries at the top of the ACL.

B. Place generic ACL entries at the top of the ACL to filter general traffic and thereby reduce “noise” on the network.

C. ACLs always search for the most specific entry before taking any filtering action.

D. Router-generated packets cannot be filtered by ACLs on the router.

E. If an access list is applied but it is not configured, all traffic passes.

Explanation:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-acl-ov-gdl.html
The Order in Which You Enter Criteria Statements
Note that each additional criteria statement that you enter is appended to the end of the access list
statements.
Also note that you cannot delete individual statements after they have been created. You can only
delete an entire access list.
The order of access list statements is important! When the router is deciding whether to forward or
block a packet, the Cisco IOS software tests the packet against each criteria statement in the
order in which the statements were created. After a match is found, no more criteria statements
are checked.
If you create a criteria statement that explicitly permits all traffic, no statements added later will
ever be checked. If you need additional statements, you must delete the access list and retype it
with the new entries.
Apply an Access Control List to an Interface
With some protocols, you can apply up to two access lists to an interface: one inbound access list
and one outbound access list. With other protocols, you apply only one access list that checks
both inbound and outbound packets.

If the access list is inbound, when a device receives a packet, Cisco software checks the access
list’s criteria statements for a match. If the packet is permitted, the software continues to process
the packet. If the packet is denied, the software discards the packet.
If the access list is outbound, after receiving and routing a packet to the outbound interface, Cisco
software checks the access list’s criteria statements for a match. If the packet is permitted, the
software transmits the packet. If the packet is denied, the software discards the packet.
Note
Access lists that are applied to interfaces on a device do not filter traffic that originates from that
device.
The access list check is bypassed for locally generated packets, which are always outbound.
By default, an access list that is applied to an outbound interface for matching locally generated
traffic will bypass the outbound access list check; but transit traffic is subjected to the outbound
access list check.
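The explanation above makes two points that are easy to get wrong in practice: entries are tested in the order they were entered and the first match ends evaluation, so a specific entry placed after a broader one is never reached; and an outbound access list does not see packets the router itself generates. The following Python model is an added example written for this page, not Cisco code and not a parser of IOS syntax. It assumes the standard IOS behaviour of an implicit deny at the end of every list, and uses a constructed ACL and constructed packet addresses to show a shadowed entry and the local-traffic bypass.

```python
"""Model of Cisco IOS first-match ACL evaluation (added example, not from the page)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List


@dataclass(frozen=True)
class AclEntry:
    action: str           # "permit" or "deny"
    source: IPv4Network   # source prefix this entry matches


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    locally_generated: bool = False   # True for router-originated traffic


def entry(action: str, prefix: str) -> AclEntry:
    """Build one criteria statement from an action and a source prefix."""
    return AclEntry(action, ip_network(prefix, strict=False))


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """Test the packet against each entry in order; the first match decides.
    If nothing matches, the implicit deny at the end of the list applies."""
    for e in acl:
        if pkt.src in e.source:
            return e.action
    return "deny"   # implicit deny (standard IOS behaviour, assumed here)


def apply_outbound(acl: List[AclEntry], pkt: Packet) -> str:
    """Outbound interface check: packets the router generated itself bypass
    the access list; transit packets are evaluated normally."""
    if pkt.locally_generated:
        return "permit"
    return evaluate(acl, pkt)


def shadowed_entries(acl: List[AclEntry]) -> List[int]:
    """Indexes of entries that can never be reached because an earlier
    entry already covers every source address they would match."""
    return [
        i for i, e in enumerate(acl)
        if any(e.source.subnet_of(prev.source) for prev in acl[:i])
    ]


# Constructed ACLs: the same two entries in both orders.
GENERIC_FIRST = [entry("permit", "10.0.0.0/8"), entry("deny", "10.0.5.0/24")]
SPECIFIC_FIRST = [entry("deny", "10.0.5.0/24"), entry("permit", "10.0.0.0/8")]
# A "permit any" at the top makes everything after it unreachable.
PERMIT_ANY_FIRST = [entry("permit", "0.0.0.0/0"), entry("deny", "192.0.2.0/24")]


if __name__ == "__main__":
    transit = Packet(ip_address("10.0.5.7"))
    local = Packet(ip_address("10.0.5.7"), locally_generated=True)
    print("generic first :", evaluate(GENERIC_FIRST, transit),
          "shadowed:", shadowed_entries(GENERIC_FIRST))
    print("specific first:", evaluate(SPECIFIC_FIRST, transit),
          "shadowed:", shadowed_entries(SPECIFIC_FIRST))
    print("permit any    :", "shadowed:", shadowed_entries(PERMIT_ANY_FIRST))
    print("outbound, router-generated:", apply_outbound(SPECIFIC_FIRST, local))
    print("outbound, transit         :", apply_outbound(SPECIFIC_FIRST, transit))
```

With the generic entry first, a packet from 10.0.5.7 matches the /8 permit and the /24 deny is dead configuration, which `shadowed_entries` reports; swapping the order makes the deny effective. The outbound check shows the bypass the note describes: the same source address is denied as transit traffic but permitted when the router generated it.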