Which characteristic of an SGT enforcement policy is true?
A. An SGFW has an implicit permit at the beginning.
B. An SGFW has an implicit deny at the end.
C. An SGACL has an implicit deny at the end.
D. An SGACL has an explicit deny at the beginning.
Answer: B
Explanation:
Unlike ACLs with an implicit deny at the end, Security Group ACLs (SGACLs) implemented on a switching platform have an implicit permit to Unknown or an implicit permit to all. This policy is not enforced on the Cisco ASA firewall or the Cisco IOS zone-based firewall acting as an SGFW, where an implicit deny is still maintained. On a switch, if no specific tag value is assigned to a server, the destination is considered Unknown and the packet is forwarded by default.
Reference: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/branch-segmentation.pdf