You have configured a BYOD implementation at a branch location, including an extended ACL named
DEFAULTACL on the Layer 2 ports of each access switch. BYOD clients are able to obtain IP addresses, but
connectivity to other network services seems to be sporadic or nonexistent, depending on the service.
You issue the show ip accesslist command on the switch and receive the following partial output:
Extended IP access list DEFAULTACL
10 permit icmp any any
20 permit udp any eq bootpc any eq bootpc
30 permit udp any any eq tftp
40 deny ip any any log
According to Cisco BYOD best practices, which of the following should you perform on the ACL to fix the
problem? (Select the best answer.)

A.
Add a rule to permit DNS traffic before rule 40.

B.
Add a rule to deny ICMP traffic after rule 40.

C.
Add a rule to deny TFTP traffic after rule 40.

D.
Remove rule 40.

Explanation:
According to Cisco best practices, you should add a rule to permit Domain Name System (DNS) traffic before
rule 40 in the access control list (ACL) that has been applied to the Layer 2 ports of the access switch. In a
Bring Your Own Device (BYOD) environment, 802.1X, Web Authentication (WebAuth), or Media Access
Control (MAC) Authentication Bypass (MAB) are used to authenticate and authorize the user and the user’s
associated device for network access. Once a wired device authenticates with the Cisco Identity Services
Engine (ISE), a downloadable ACL (dACL) is typically applied to the appropriate access port on the Layer 2
switch to which the device is attached. Cisco recommends applying a default ACL to the access ports of Layer
2 switches to mitigate situations where a configuration error might prevent a dACL from being applied to the
appropriate port during the authorization/authentication process. The default ACL should permit Bootstrap
Protocol (BOOTP), DNS, Trivial File Transfer Protocol (TFTP), and Internet Control Message Protocol (ICMP).
In addition, the default ACL should explicitly deny and log all other IP traffic. For example, the following ACL
complies with Cisco’s best common practices (BCP) as outlined in the BYOD Design Guide:
switch(config)#ip accesslist extended DEFAULTACL switch(configextnacl)#permit icmp any any
switch(configextnacl)#permit udp any eq bootpc any eq bootps switch(configextnacl)#permit udp any any eq
domain switch(configextnacl)#permit udp any any eq tftp switch(configextnacl)#deny ip any any log
You do not need to add any rules after rule 40 in this scenario. In addition, you should not remove rule 40 from
the ACL in this scenario. Rule 40 denies and logs all IP traffic that has not already been matched by the
preceding rules. Both ICMP traffic and TFTP traffic should be and already are permitted by the ACL.

Cisco: Cisco Bring Your Own Device (BYOD) CVD: ACL Design at Branch Location