According to the branch location ACL design guidelines in the Cisco BYOD Design Guide, which protocols should not be permitted by the default ACL that is applied to the access ports of a Layer 2 switch? (Select 2 choices.)

Last Updated on August 3, 2021 by Admin 3

  • BOOTP
  • DNS
  • HTTP
  • HTTPS
  • ICMP
  • TFTP
Explanation:
According to the branch location access control list (ACL) design guidelines in the Cisco Bring Your Own Device (BYOD) Design Guide, Hypertext Transfer Protocol (HTTP) and Secure HTTP (HTTPS) should not be permitted by the default ACL that is applied to the access ports of a Layer 2 switch. In a BYOD environment, 802.1X, Web Authentication (WebAuth), or Media Access Control (MAC) Authentication Bypass (MAB) is used to authenticate and authorize the user and the user’s associated device for network access. Once a wired device authenticates with the Cisco Identity Services Engine (ISE), a downloadable ACL (dACL) is typically applied to the appropriate access port on the Layer 2 switch to which the device is attached. HTTP and HTTPS traffic should instead be permitted by a separate ACL that is used to redirect web traffic to the ISE for browser-based authentication when 802.1X or MAB authentication is unavailable. Cisco recommends denying Domain Name System (DNS) traffic in that redirect ACL, or specifically excluding the IP address of the ISE, to prevent redirection loops. For example, the following ACL denies DNS traffic and permits HTTP and HTTPS traffic for redirection to the ISE:

switch(config)#ip access-list extended REDIRECT-ACL
switch(config-ext-nacl)#deny udp any any eq domain
switch(config-ext-nacl)#permit tcp any any eq www
switch(config-ext-nacl)#permit tcp any any eq 443

Cisco recommends applying a default ACL to the access ports of Layer 2 switches to mitigate against situations where a configuration error might prevent a dACL from being applied to the appropriate access port during the authorization/authentication process. The default ACL should permit Bootstrap Protocol (BOOTP), DNS, Trivial File Transfer Protocol (TFTP), and Internet Control Message Protocol (ICMP). In addition, the default ACL should explicitly deny and log all other IP traffic. For example, the following ACL complies with Cisco’s best common practices (BCP) as outlined in the BYOD Design Guide:

switch(config)#ip access-list extended DEFAULT-ACL
switch(config-ext-nacl)#permit icmp any any
switch(config-ext-nacl)#permit udp any eq bootpc any eq bootps
switch(config-ext-nacl)#permit udp any any eq domain
switch(config-ext-nacl)#permit udp any any eq tftp
switch(config-ext-nacl)#deny ip any any log