Cisco Lvl4=>Chap5 [ACL(1+2)]


what are the 2 main tasks in applying ACLs

1. Create an ACL (number or name) and specify the access conditions
2. Group (or assign) the ACL to interfaces or vty lines

how do you verify ACLs

#show startup-config
#show access-lists [ <number> | <NAME> ]

An ACL is a ...... list of permit / deny statements

- An ACL is a sequential list of permit or deny statements

what are some ACL best practices

- Base ACLs on security policy
- Write a description of the ACL's function (pseudocode)
- Use a text editor to create, edit and save the ACL
- Test the ACL on a development network first

define packet filtering

- Controls access by analyzing packets and passing/stopping based on some rules

what are the two rules that apply when considering placement of ACLs

- Extended ACLs as close as possible to the source
  o Undesirable traffic is filtered before crossing the network
- Standard ACLs as close to the destination as possible
  o Because they do not specify a destination address

what is the ACL syntax

- (config)# access-list {num} deny | permit {IPnum [wildcard]}
  o e.g. (config)# access-list 10 permit 192.168.10.1

what happens when a packet and an ACL statement match / does not match

- If a packet and an ACL statement match, the rest of the list is skipped and the packet is permitted or denied
- If the packet does not match any ACL statement, a final implied statement covers all conditions

what are 3 things that ACLs do

- Limit network traffic to increase network performance (i.e. a policy blocking video traffic)
- Provide traffic flow control
- Provide a basic level of security for network access

where should you place most frequently used entries

- Most frequently used entries should be at the top of the list

what are the "3 Ps"

- Only one ACL per protocol, per direction, per interface
- A router with 2 interfaces and running IPv4 & IPv6 could possibly require 8 separate ACLs

what is the Standard ACL # range and Extended ACL # range

- Standard ACLs use numbers: 1 - 99 & 1300 - 1999
- Extended ACLs use numbers: 100 - 199 & 2000 - 2699

what is the final implied statement

- This final condition matches all packets and results in an "implicit deny any" or "deny all traffic" statement
- An ACL without at least 1 permit will block all traffic!

how do you remove an ACL

- To remove the ACL --> (config)# no access-list {num}

what are some ACL guidelines on placement and configuration

- Use ACLs in firewall/border routers and between internal networks and the outside
- Use ACLs between areas to control traffic entering/exiting
- Configure ACLs for each network protocol (IPv4, IPv6, etc.) and in each direction (in/out)

how do you block all incoming traffic, except for established connections; and where is this ACL placed

...... permit tcp any host x.x.x.x eq 80 established
  o Only HTTP (TCP) packets w/ ACK or RST are permitted
  o Placed inbound from the Internet

how do you apply Extended ACLs

> Apply an extended ACL to block traffic through the router
> Users who want access are blocked until they Telnet or SSH to the router and are authenticated
> The SSH connection is then dropped and a single-entry dynamic ACL is added to the extended ACL

what happens when a packet passes an interface with an ACL

> As packets pass an interface with an ACL, the ACL is checked top to bottom, 1 line at a time, looking for a match

ACLs are configured for either ......... or ........ traffic

ACLs are configured for either inbound or outbound traffic

what attributes can Extended ACLs check for

ACLs first filter on source IP, port and protocol and then on the destination IP, port and protocol and then check for permit/deny

what is ACL and some characteristics of it

Access Control Lists
> Are lists of instructions that permit or deny specific packets
> Enforce security policies by controlling traffic into or out of a network
> They can be based on IPs, ports, or a variety of protocols

what is the extended ACL syntax

access-list # permit | deny prot src wldC [op #] dest wldC [op #]

how do you create a named ACL

(config)# ip access-list standard | extended <NAME>

characteristics of extended ACLs

Filter based on protocol type, source and destination IP, source and destination ports and other parameters

when are inbound packets processed

Inbound packets processed before they are routed --> saves overhead of routing lookups

where are new ACL statements added (in the list)

New ACL statements are always added to the end
> You cannot selectively insert or delete lines

how are outbound packets processed

Outbound - Incoming packets are routed to the outbound interface and then processed through the ACL

what are the two main types of Cisco ACLs

Standard ACLs, Extended ACLs

when would you use the remark keyword while placing ACLs

The remark keyword is used for documentation
(config)# access-list {num} remark {comments} (≤ 100 characters)

what protocol should you use when trying to allow/disallow all traffic

To permit or deny all traffic use ip (not

what are the keywords for ping and ping reply

deny icmp any host 10.93.105.1 echo-reply (type code 0) ---> deny icmp any host 10.93.105.1 0
  o echo request = type code 8 = "echo"

what are the logical operators

eq, neq, gt & lt

what are the possible protocol codes

ip, tcp, udp, icmp, etc.

how do you apply an ACL to an interface (syntax)

o (config-if)# ip access-group {ACL-num} | {ACL-name} in | out [log]

what is the syntax and best practice while applying ACLs to vty lines (Telnet SSH)

o (config-line)# access-class <num> in | out
o Best practice for vty ACLs = standard ACLs, IN only

what are the two mask keywords and what do they stand for

o 0.0.0.0 (to match one host IP address exactly) --- HOST
o 255.255.255.255 (to accept any IP address at all) --- ANY

what are the three categories of complex ACLs and the purpose of each

o Dynamic - Lock and key - uses Telnet authentication
o Reflexive - Allows outbound traffic, and inbound traffic only in response to outbound
o Time-based - Allows access based on the time of day/week

characteristics of Standard ACLs

o Permit or deny traffic from source IP addresses ONLY!
o The destination IP and ports involved are NOT checked

what are some different ways to write deny tcp any host 10.93.105.1 eq 23

o deny tcp quad0 quad255 host 10.93.105.1 eq 23
o deny tcp any 10.93.105.1 0.0.0.0 eq 23
o deny tcp any host 10.93.105.1 eq telnet
