Security - ACLs


Create a standard ACL that permits IP addresses that are allowed to telnet, and place the list inbound on VTY lines

What is the best way to prevent Telnet / SSH access using access lists?

Named ACL

What type of ACL allows you to delete individual statements?

Beginning of the line

Where do IPv4 ACL sequence numbers get displayed?

At the end of each line

Where do IPv6 ACL sequence numbers get displayed?

At the bottom of the list

Where do new entries added to an access list get placed?

As close to the source as possible (avoids traffic traversing the entire network just to be denied)

Where is the ideal placement for extended access lists?

As close to the destination as possible

Where is the ideal placement for standard access lists?

Extended Access List

A type of ACL that can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet including both source and destination IP addresses, the protocol field in the Network layer header, and the port number at the transport layer header.

Standard Access List

A type of ACL that uses only the source IP address in an IP packet as the condition test. These don't have the ability to distinguish between any types of IP traffic such as Web, Telnet, etc.

access-list 101 remark Block all HTTP Traffic

Command to add a comment to a numbered access list 101 saying "Block all HTTP Traffic"

ipv6 access-class (access-list-name)

Command to apply an IPv6 ACL to VTY lines

line vty 0 4
access-class (ACL #) (in / out)

Command to apply an access list to the VTY line

ip access-list (standard / extended ) (ACL # or Name)

Command to create a named access list

ip access-list standard [name]

Command to create a standard named ACL

ipv6 access-list (name)

Command to create an IPv6 ACL

ip access-list extended (name)

Command to create an extended named ACL

remark

Command to include comments as part of an access list

log (added to the end of a line, e.g. access-list 110 deny tcp any any eq telnet log)

Keyword that logs a message whenever an access-list line is matched

show access-list

Displays all access lists and their parameters configured on the router. Also shows statistics about how many times the line either permitted or denied a packet. This command does not show you which interface the list is applied on. Would show them all, including IPX or other types that may exist.

show ip interface

Displays which interfaces have access lists set on them.

100-199 or 2000-2699

Extended ACL range

10

If you do not specify a sequence number when adding an entry to a named access list, Cisco IOS increments the sequence number by ___ for every statement you enter

established

Keyword added to the end of an extended ACL entry that allows TCP traffic to pass if the packet is a response to a session initiated from inside (outbound). Only applies to inbound TCP.

www

Keyword that can be used in an extended ACL instead of using tcp source address destination address eq 80 and tcp source address destination address eq 443

Inbound Access List

Method of filtering inbound packets on an interface

Outbound Access List

Method of filtering outbound packets on an interface

show access-list 110

Reveals only the parameters for access list 110. Again, this command will not reveal the specific interface the list is set on.

show ip access-list

Shows only the IP access lists configured on the router.

show running-config

Shows the access lists and the specific interfaces that have ACLs applied on them.

1-99 or 1300 - 1999

Standard ACL range

False (Packets are only compared to each line in sequential order until a match is made)

T or F A packet is compared to every line in an access list?

True

T or F A standard IPv6 ACL includes both source and destination address information, but not TCP, UDP, or ICMPv6 information.

False (ACLs were designed to filter traffic going through the router)

T or F Access lists will filter traffic that has originated from a router?

True

T or F All packets will be discarded if they do not meet any of the list's tests?

True

T or F Both numbered and named ACLs can be configured for standard ACLs as well as extended ACLs

False (IPv6 ACLs use only named ACLs)

T or F IPv6 ACLs use numbered and named ACLs

True

T or F You can only have one inbound and one outbound ACL per interface?

False (Remarks are only visible in the running-config)

T or F You can view remarks made within an access list by running the show access-list command?

False (more specific rules should be towards the top)

T or F You should organize your access lists so that the more specific tests are at the bottom?

Named Access List

Use a descriptive name or number for identification

Before being routed to the outbound interface

When are packets processed through an inbound access list?

After being routed to the outbound interface, and before being queued

When are packets processed through an outbound access list?

Command to create a standard access list

access-list (1-99) (deny/allow) (any, range, host)

ipv6 traffic-filter (access-list-name) (in/out)

Command to apply an IPv6 ACL to an interface

ip access-list 12 permit host 172.16.4.13
line vty 0 15
access-class 12 in

Commands to allow only one host remote access to the router

access-list 1 deny 172.16.4.0 0.0.0.255
access-list 1 permit any
int g0/0
ip access-group 1 out

Commands to block traffic from 172.16.4.0/24, but allow all other traffic

Command to apply an access list to an interface

int fa0/0
ip access-group (ACL #) (out / in)

host

Keyword that can be used to specify a single device instead of using the 0.0.0.0 wildcard mask

any

Keyword that is the same as using an address of 0.0.0.0 255.255.255.255
