Understanding implicit deny with outbound ACLs You configured: access-list 110 deny tcp 10.1.1.128 0.0.0.63 any eq smtp access-list 110 deny tcp any eq 23 interface ethernet0 ip access-group 110 out What is the effective result on traffic leaving E0?
-
AEmail and Telnet will be allowed out E0.
-
BEmail and Telnet will be allowed in E0.
-
CEverything but email and Telnet will be allowed out E0.
-
DNo IP traffic will be allowed out E0.
-
EOnly Telnet will be blocked; all else is permitted out E0.
Answer
Correct Answer: No IP traffic will be allowed out E0.
Explanation
Introduction / Context:Cisco ACLs are processed top-down and terminate on the first match. If no lines match, an implicit deny any drops the packet. Many outages occur because engineers add only deny entries and forget a final permit line, unintentionally blocking all traffic. This question illustrates that behavior on an outbound ACL.
Given Data / Assumptions:
- ACL 110 has two explicit deny lines (SMTP from a /26 source block; Telnet from any source).
- The ACL is applied outbound on Ethernet0.
- No explicit permit statements follow.
Concept / Approach:
After evaluating all entries, if a packet does not match a permit statement, it hits the invisible final line deny ip any any. Since the list contains only deny entries and there is no subsequent permit, all traffic—whether SMTP/Telnet or anything else—will be dropped outbound.
Step-by-Step Solution:
Line 1 denies SMTP from 10.1.1.128/26 to any destination.Line 2 denies Telnet (tcp eq 23) from any source (destination unspecified in the prompt is commonly interpreted as any).Traffic not matching lines 1–2 continues down the list.End of list: implicit deny ip any any triggers, dropping all remaining traffic.Verification / Alternative check:
Use show access-lists 110 to watch counters. You will see denies increment, while all other traffic silently drops due to implicit deny (not counted on a specific line). Adding access-list 110 permit ip any any at the end would restore other traffic.
Why Other Options Are Wrong:
- Allowing email/Telnet or “everything but email and Telnet” assumes a final permit that does not exist.
- Inbound vs outbound confusion: the ACL is applied outbound.
- “Only Telnet blocked”: SMTP is also explicitly denied, and others are implicitly denied.
Common Pitfalls:
- Forgetting a final permit in restrictive ACLs.
- Misplacing direction (in vs out) and misinterpreting results.
Final Answer:
No IP traffic will be allowed out E0.