According to the branch location ACL design guidelines in the Cisco BYOD Design Guide, which protocols
should not be permitted by the default ACL that is applied to the access ports of a Layer 2 switch? (Select 2choices.)

A.
BOOTP

B.
DNS

C.
HTTP

D.
HTTPS

E.
ICMP

F.
TFTP

Explanation:
According to the branch location access control list (ACL) design guidelines in the Cisco Bring Your Own
Device (BYOD) Design Guide, Hypertext Transfer Protocol (HTTP) and Secure HTTP (HTTPS) should not be
permitted by the default ACL that is applied to the access ports of a Layer 2 switch. In a BYOD environment,
802.1X, Web Authentication (WebAuth), or Media Access Control (MAC) Authentication Bypass (MAB) are
used to authenticate and authorize the user and the user’s associated device for network access. Once a wired
device authenticates with the Cisco Identity Services Engine (ISE), a downloadable ACL (dACL) is typically
applied to the appropriate access port on the Layer 2 switch to which the device is attached. HTTP and HTTPS
traffic should be permitted by an ACL that is used to redirect web traffic to the ISE for browserbased
authentication if 802.1x or MAB authentication are unavailable. Cisco recommends denying Domain Name
System (DNS) traffic or specifically excluding the IP address of the ISE to prevent redirection loops. For
example, the following ACL denies DNS traffic and permits HTTP and HTTPS traffic for redirection to the ISE:
switch(config)#ip accesslist extended REDIRECT-ACL
switch(configextnacl)#deny udp any any eq domain
switch(configextnacl)#permit tcp any any eq www
switch(configextnacl)#permit tcp any any eq 443
Cisco recommends applying a default ACL to the access ports of Layer 2 switches to mitigate against situations
where a configuration error might prevent a dACL from being applied to the appropriate access port during the
authorization/authentication process. The default ACL should permit Bootstrap Protocol (BOOTP), DNS, Trivial
File Transfer Protocol (TFTP), and Internet Control Message Protocol (ICMP). In addition, the default ACL
should explicitly deny and log all other IP traffic. For example, the following ACL complies with Cisco’s best
common practices (BCP) as outlined in the BYOD Design Guide:
switch(config)#ip accesslist extended DEFAULT-ACL
switch(configextnacl)#permit icmp any any
switch(configextnacl)#permit udp any eq bootpc any eq bootps
switch(configextnacl)#permit udp any any eq domain
switch(configextnacl)#permit udp any any eq tftp
switch(configextnacl)#deny ip any any log

Cisco: Cisco Bring Your Own Device (BYOD) CVD: ACL Design at Branch Location