Which characteristic of an SGT enforcement policy is true?

Posted by: Pdfprep Category: 300-208

Which characteristic of an SGT enforcement policy is true?
A. An SGFW has an implicit permit at the beginning.
B. An SGFW has an implicit deny at the end.
C. An SGACL has an implicit deny at the end.
D. An SGACL has an explicit deny at the beginning.

Answer: B

Explanation:

Unlike ACLs with an implicit deny at the end, Security Group ACLs (SGACLs) implemented on a switching platform have an implicit permit to Unknown or an implicit permit to all. This policy is not enforced on the Cisco ASA firewall or the Cisco IOS zone-based firewall acting as an SGFW, where an implicit deny is still maintained. On a switch, if no specific tag value is assigned to a server, the destination is considered Unknown and the packet is forwarded by default.

Reference: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/branch-segmentation.pdf
