NET-230 (NetAcad Chapter 4)

7. Which scenario would cause an ACL misconfiguration and deny all traffic?

Apply an ACL that has all deny ACE statements.

Wildcard Mask Last Octet (in Binary) Meaning (0 - match, 1 - ignore)

0.0.0.63 00111111 Match the first three octets Match the two left most bits of the last octet Ignore the last 6 bits

1. How many total ACLs (both IPv4 and IPv6) can be configured on an interface?

4

Standard ACLs

ACLs only filter at Layer 3 using the source IPv4 address only.

Factors Influencing ACL Placement The extent of organizational control

Explanation Placement of the ACL can depend on whether or not the organization has control of both the source and destination networks.

4. Where should an extended ACL be placed?

Extended ACLs should be located as close to the source as possible.

9. When creating an ACL, which keyword should be used to document and interpret the purpose of the ACL statement on a Cisco device?​

remark

12. A college student is studying for the Cisco CCENT certification and is visualizing extended access lists. Which three keywords could immediately follow the keywords permit or deny as part of an extended access list? (Choose three.)

udp icmp tcp

Limit network traffic to increase network performance

A corporate policy prohibits video traffic on the network to reduce the network load. A policy can be enforced using ACLs to block video traffic.

Provide traffic flow control

A corporate policy requires that routing protocol traffic be limited to certain links only. A policy can be implemented using ACLs to restrict the delivery of routing updates to only those that come from a known source.

2. Which statement about ACLs is true?

Named ACLs can be standard or extended.

6. A network administrator is configuring an ACL to restrict access to certain servers in the data center. The intent is to apply the ACL to the interface connected to the data center LAN. What happens if the ACL is incorrectly applied to an interface in the inbound direction instead of the outbound direction?

The ACL does not perform as designed.

14. Which operator is used in an ACL statement to match packets of a specific application?

eq

1. Which ACL is capable of filtering based on TCP port number?

extended ACL

13. If the provided ACEs are in the same ACL, which ACE should be listed first in the ACL according to best practice?

permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap

8. In applying an ACL to a router interface, which traffic is designated as outbound?

traffic that is leaving the router and going toward the destination host

5. Which three statements describe ACL processing of packets? (Choose three.)

Each statement is checked only until a match is detected or until the end of the ACE list. A packet can either be rejected or forwarded as directed by the ACE that is matched. An implicit deny any rejects any packet that does not match any ACE.

4.4.3 Where to Place ACLs

Every ACL should be placed where it has the greatest impact on efficiency. The figure illustrates where standard and extended ACLs should be located in an enterprise network. Assume the objective to prevent traffic originating in the 192.168.10.0/24 network from reaching the 192.168.30.0/24 network. R2S0/1/0S0/1/0G0/0/0192.168.11.0/24192.168.10.10192.168.11.10192.168.30.12192.168.31.12192.168.30.0/24192.168.31.0/24S0/1/1S0/1/1G0/0/1192.168.10.0/24G0/0/0G0/0/1R1S1S2S3S4R3PC1PC3PC2 Standard ACLs are usually placed near the destination.Extended ACLs are usually placed near the source. Extended ACLs should be located as close as possible to the source of the traffic to be filtered. This way, undesirable traffic is denied close to the source network without crossing the network infrastructure. Standard ACLs should be located as close to the destination as possible. If a standard ACL was placed at the source of the traffic, the "permit" or "deny" will occur based on the given source address no matter where the traffic is destined. Placement of the ACL and therefore, the type of ACL used, may also depend on a variety of factors as listed in the table.

1. Which wildcard mask would permit only host 10.10.10.1?

0.0.0.0

Wildcard Mask Last Octet (in Binary) Meaning (0 - match, 1 - ignore)

0.0.0.0 00000000 Match all octets.

Wildcard Mask Last Octet (in Binary) Meaning (0 - match, 1 - ignore)

0.0.0.15 00001111 Match the first three octets Match the four left most bits of the last octet Ignore the last 4 bits of the last octet

Wildcard Mask Last Octet (in Binary) Meaning (0 - match, 1 - ignore)

0.0.0.252 11111100 Match the first three octets Ignore the six left most bits of the last octet Match the last two bits

4. Which wildcard mask would permit all hosts from the 192.168.10.0/24 network?

0.0.0.255

Wildcard Mask Last Octet (in Binary) Meaning (0 - match, 1 - ignore)

0.0.0.255 11111111 Match the first three octet Ignore the last octet

2. Which wildcard mask would permit only hosts from the 10.10.0.0/16 network?

0.0.255.255

Factors Influencing ACL Placement Bandwidth of the networks involved

Explanation It may be desirable to filter unwanted traffic at the source to prevent transmission of bandwidth-consuming traffic.

11. Which range represents all the IP addresses that are affected when network 10.120.160.0 with a wildcard mask of 0.0.7.255 is used in an ACE?

10.120.160.0 to 10.120.167.255

2. A network administrator configures an ACL with the command R1(config)# access-list 1 permit 172.16.0.0 0.0.15.255. Which two IP addresses will match this ACL statement? (Choose two.)

172.16.15.36 172.16.0.255

3. Which wildcard mask would permit all hosts?

255.255.255.255

4.1.3 ACL Operation

ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. ACLs can be configured to apply to inbound traffic and outbound traffic, as shown in the figure. Inbound ACL R1 Outbound ACL Note: ACLs do not act on packets that originate from the router itself. An inbound ACL filters packets before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the ACL, it is then processed for routing. Inbound ACLs are best used to filter packets when the network attached to an inbound interface is the only source of packets that need to be examined. An outbound ACL filters packets after being routed, regardless of the inbound interface. Incoming packets are routed to the outbound interface and then they are processed through the outbound ACL. Outbound ACLs are best used when the same filter will be applied to packets coming from multiple inbound interfaces before exiting the same outbound interface. When an ACL is applied to an interface, it follows a specific operating procedure. For example, here are the operational steps used when traffic has entered a router interface with an inbound standard IPv4 ACL configured. 1. The router extracts the source IPv4 address from the packet header. 2. The router starts at the top of the ACL and compares the source IPv4 address to each ACE in a sequential order. 3. When a match is made, the router carries out the instruction, either permitting or denying the packet, and the remaining ACEs in the ACL, if any, are not analyzed. 4. If the source IPv4 address does not match any ACEs in the ACL, the packet is discarded because there is an implicit deny ACE automatically applied to all ACLs. The last ACE statement of an ACL is always an implicit deny that blocks all traffic. By default, this statement is automatically implied at the end of an ACL even though it is hidden and not displayed in the configuration. Note: An ACL must have at least one permit statement otherwise all traffic will be denied due to the implicit deny ACE statement.

Extended ACLs

ACLs filter at Layer 3 using the source and / or destination IPv4 address. They can also filter at Layer 4 using TCP, UDP ports, and optional protocol type information for finer control.

1. What are the permit or deny statements in an ACL called?

Access control entries

Factors Influencing ACL Placement Ease of configuration

Explanation It may be easier to implement an ACL at the destination, but traffic will use bandwidth unnecessarily. An extended ACL could be used on each router where the traffic originated. This would save bandwidth by filtering the traffic at the source, but it would require creating extended ACLs on multiple routers.

Guideline Base ACLs on the organizational security policies.

Benefit This will ensure you implement organizational security guidelines.

Guideline Document the ACLs using the remark command.

Benefit This will help you (and others) understand the purpose of an ACE.

Guideline Test the ACLs on a development network before implementing them on a production network.

Benefit This will help you avoid costly errors.

Guideline Write out what you want the ACL to do.

Benefit This will help you avoid inadvertently creating potential access problems.

Guideline Use a text editor to create, edit, and save all of your ACLs.

Benefit This will help you create a library of reusable ACLs.

4.2.3 Wildcard Mask Calculation

Calculating wildcard masks can be challenging. One shortcut method is to subtract the subnet mask from 255.255.255.255. Refer to the examples to learn how to calculate the wildcard mask using the subnet mask. Click each button to see how to calculate each wildcard mask. Example 1 Assume you wanted an ACE in ACL 10 to permit access to all users in the 192.168.3.0/24 network. To calculate the wildcard mask, subtract the subnet mask (i.e., 255.255.255.0) from 255.255.255.255, as shown in the table. The solution produces the wildcard mask 0.0.0.255. Therefore, the ACE would be access-list 10 permit 192.168.3.0 0.0.0.255. Starting value 255.255.255.255 Subtract the subnet mask - 255.255.255. 0 Resulting wildcard mask 0. 0. 0.255 Example 2 In this example, assume you wanted an ACE in ACL 10 to permit network access for the 14 users in the subnet 192.168.3.32/28. Subtract the subnet (i.e., 255.255.255.240) from 255.255.255.255, as shown in the table. This solution produces the wildcard mask 0.0.0.15. Therefore, the ACE would be access-list 10 permit 192.168.3.32 0.0.0.15. Starting value 255.255.255.255 Subtract the subnet mask - 255.255.255.240 Resulting wildcard mask 0. 0. 0. 15 Example 3 In this example, assume you needed an ACE in ACL 10 to permit only networks 192.168.10.0 and 192.168.11.0. These two networks could be summarized as 192.168.10.0/23 which is a subnet mask of 255.255.254.0. Again, you subtract 255.255.254.0 subnet mask from 255.255.255.255, as shown in the table. This solution produces the wildcard mask 0.0.1.255. Therefore, the ACE would be access-list 10 permit 192.168.10.0 0.0.1.255. Starting value 255.255.255.255 Subtract the subnet mask - 255.255.254. 0 Resulting wildcard mask 0. 0. 1.255 Example 4 Consider an example in which you need an ACL number 10 to match networks in the range between 192.168.16.0/24 to 192.168.31.0/24. This network range could be summarized as 192.168.16.0/20 which is a subnet mask of 255.255.240.0. Therefore, subtract 255.255.240.0 subnet mask from 255.255.255.255, as shown in the table. This solution produces the wildcard mask 0.0.15.255. Therefore, the ACE would be access-list 10 permit 192.168.16.0 0.0.15.255. Starting value 255.255.255.255 Subtract the subnet mask - 255.255.240. 0 Resulting wildcard mask 0. 0. 15.255

4.3.3 Check Your Understanding - Guidelines for ACL Creation

Check your understanding of ACL creation by choosing the BEST answer to the following questions.

4.1.5 Check Your Understanding - Purpose of ACLs

Check your understanding of the purpose of ACLs by choosing the BEST answer to the following questions.

4.4.6 Check Your Understanding - Types of IPv4 ACLs

Check your understanding of the types of IPv4 ACLs by choosing the BEST answer to the following questions.

4.2.5 Check Your Understanding - Wildcard Masks in ACLs

Check your understanding wildcard masks in ACLs by choosing the BEST answer to the following questions.

Provide a basic level of security for network access

Corporate policy demands that access to the Human Resources network be restricted to authorized users only. A policy can be enforced using ACLs to limit access to specified networks.

Screen hosts to permit or deny access to network services

Corporate policy requires that access to some file types (e.g., FTP or HTTP) be limited to user groups. A policy can be implemented using ACLs to filter user access to services.

Filter traffic based on traffic type

Corporate policy requires that email traffic be permitted into a network, but that Telnet access be denied. A policy can be implemented using ACLs to filter traffic by type.

Provide priority to certain classes of network traffic

Corporate traffic specifies that voice traffic be forwarded as fast as possible to avoid any interruption. A policy can be implemented using ACLs and QoS services to identify voice traffic and process it immediately.

4.4.5 Extended ACL Placement Example

Extended ACL should be located as close to the source as possible. This prevents unwanted traffic from being sent across multiple networks only to be denied when it reaches its destination. However, the organization can only place ACLs on devices that they control. Therefore, the extended ACL placement must be determined in the context of where organizational control extends. In the figure, for example, Company A wants to deny Telnet and FTP traffic to Company B's 192.168.30.0/24 network from their 192.168.11.0/24 network while permitting all other traffic. R2R1S1S2S3S4R3PC1PC3PC2PC4S0/1/0G0/0/0192.168.11.0/24192.168.30.0/24192.168.31.0/24S0/1/1G0/0/1192.168.10.0/24G0/0/0G0/0/1S0/1/0S0/1/1 Examines all traffic before exiting R1 S0/1/0.Examines traffic only from 192.168.11.0/24.Company ACompany BBlock FTP and Telnet traffic from 192.168.11.0/24 to 192.168.30.0/24. There are several ways to accomplish these goals. An extended ACL on R3 would accomplish the task, but the administrator does not control R3. In addition, this solution allows unwanted traffic to cross the entire network, only to be blocked at the destination. This affects overall network efficiency. The solution is to place an extended ACL on R1 that specifies both source and destination addresses. There are two possible interfaces on R1 to apply the extended ACL: R1 S0/1/0 interface (outbound) - The extended ACL can be applied outbound on the S0/1/0 interface. However, this solution will process all packets leaving R1 including packets from 192.168.10.0/24. R1 G0/0/1 interface (inbound) - The extended ACL can be applied inbound on the G0/0/1 and only packets from the 192.168.11.0/24 network are subject to ACL processing on R1. Because the filter is to be limited to only those packets leaving the 192.168.11.0/24 network, applying the extended ACL to G0/1 is the best solution.

4.4.4 Standard ACL Placement Example

Following the guidelines for ACL placement, standard ACLs should be located as close to the destination as possible. In the figure, the administrator wants to prevent traffic originating in the 192.168.10.0/24 network from reaching the 192.168.30.0/24 network. R2S0/1/0G0/0/0192.168.11.0/24192.168.30.0/24192.168.31.0/24S0/1/1G0/0/1192.168.10.0/24G0/0/0R1S1S2S3S4R3PC1PC3PC2S0/1/0S0/1/1PC4G0/0/1 Site ASite BBlock all traffic from 192.168.10.0/24 to 192.168.30.0/24.Filters traffic from 192.168.10.0/24 to all destinations reachable by R3.Filters traffic from 192.168.10.0/24 only to 192.168.30.0/24. Following the basic placement guidelines, the administrator would place a standard ACL on router R3. There are two possible interfaces on R3 to apply the standard ACL: R3 S0/1/1 interface (inbound) - The standard ACL can be applied inbound on the R3 S0/1/1 interface to deny traffic from .10 network. However, it would also filter .10 traffic to the 192.168.31.0/24 (.31 in this example) network. Therefore, the standard ACL should not be applied to this interface. R3 G0/0 interface (outbound) - The standard ACL can be applied outbound on the R3 G0/0/0 interface. This will not affect other networks that are reachable by R3. Packets from .10 network will still be able to reach the .31 network. This is the best interface to place the standard ACL to meet the traffic requirements.

Wildcard to Match a Host

In this example, the wildcard mask is used to match a specific host IPv4 address. Assume ACL 10 needs an ACE that only permits the host with IPv4 address 192.168.1.1. Recall that "0" equals a match and "1" equals ignore. To match a specific host IPv4 address, a wildcard mask consisting of all zeroes (i.e., 0.0.0.0) is required. The table lists in binary, the host IPv4 address, the wildcard mask, and the permitted IPv4 address. The 0.0.0.0 wildcard mask stipulates that every bit must match exactly. Therefore, when the ACE is processed, the wildcard mask will permit only the 192.168.1.1 address. The resulting ACE in ACL 10 would be access-list 10 permit 192.168.1.1 0.0.0.0. IPv4 address Decimal 192.168.1.1 Binary 11000000.10101000.00000001.00000001 Wildcard Mask Decimal 0.0.0.0 Binary 00000000.00000000.00000000.00000000 Permitted IPv4 Address Decimal 192.168.1.1 Binary 11000000.10101000.00000001.00000001

3. Which statement about the operation of a standard ACL is incorrect?

If there are no matching ACEs in the ACL, the packet is forwarded because there is an implicit permit ACE automatically applied to all ACLs.

Guidelines for ACL Creation 4.3.1 Limited Number of ACLs per Interface

In a previous topic, you learned about how wildcard masks are used in ACLs. This topic will focus on the guidelines for ACL creation. There is a limit on the number of ACLs that can be applied on a router interface. For example, a dual-stacked (i.e., IPv4 and IPv6) router interface can have up to four ACLs applied, as shown in the figure. Specifically, a router interface can have: one outbound IPv4 ACL one inbound IPv4 ACL one inbound IPv6 ACL one outbound IPv6 ACL R1192.168.10.1/242001:db8:acad:1::1/64 IPv4 (Outbound)IPv4 (Inbound)IPv6 (Inbound)IPv6 (Outbound) Assume R1 has two dual-stacked interfaces that require inbound and outbound IPv4 and IPv6 ACLs applied. As shown in the figure, R1 could have up to 8 ACLs configured and applied to interfaces. Each interface would have four ACLs; two ACLs for IPv4 and two ACLs for IPv6. For each protocol, one ACL is for inbound traffic and one for outbound traffic. Note: ACLs do not have to be configured in both directions. The number of ACLs and their direction applied to the interface will depend on the security policy of the organization. R1192.168.10.1/242001:db8:acad:1::1/64192.168.20.1/242001:db8:acad:2::1/64 IPv4 (Outbound)IPv4 (Outbound)IPv4 (Inbound)IPv4 (Inbound)IPv6 (Inbound)IPv6 (Inbound)IPv6 (Outbound)IPv6 (Outbound)

Wildcard Masks in ACLs 4.2.1 Wildcard Mask Overview

In the previous topic, you learned about the purpose of ACL. This topic explains how ACL uses wildcard masks. An IPv4 ACE uses a 32-bit wildcard mask to determine which bits of the address to examine for a match. Wildcard masks are also used by the Open Shortest Path First (OSPF) routing protocol. A wildcard mask is similar to a subnet mask in that it uses the ANDing process to identify which bits in an IPv4 address to match. However, they differ in the way they match binary 1s and 0s. Unlike a subnet mask, in which binary 1 is equal to a match and binary 0 is not a match, in a wildcard mask, the reverse is true. Wildcard masks use the following rules to match binary 1s and 0s: Wildcard mask bit 0 - Match the corresponding bit value in the address Wildcard mask bit 1 - Ignore the corresponding bit value in the address The table lists some examples of wildcard masks and what they would identify.

4.1.4 Packet Tracer - ACL Demonstration

In this activity, you will observe how an access control list (ACL) can be used to prevent a ping from reaching hosts on remote networks. After removing the ACL from the configuration, the pings will be successful.

Wildcard Mask to Match an IPv4 Subnet

In this example, ACL 10 needs an ACE that permits all hosts in the 192.168.1.0/24 network. The wildcard mask 0.0.0.255 stipulates that the very first three octets must match exactly but the fourth octet does not. The table lists in binary, the host IPv4 address, the wildcard mask, and the permitted IPv4 addresses. When processed, the wildcard mask 0.0.0.255 permits all hosts in the 192.168.1.0/24 network. The resulting ACE in ACL 10 would be access-list 10 permit 192.168.1.0 0.0.0.255. IPv4 address Decimal 192.168.1.1 Binary 11000000.10101000.00000001.00000001 Wildcard Mask Decimal 0.0.0.255 Binary 00000000.00000000.00000000.11111111 Permitted Host IPv4 Addresses Decimal 192.168.1.1 Binary 11000000.10101000.00000001.00000000 Permitted Host IPv4 Addresses Decimal 192.168.1.254 Binary 11000000.10101000.00000001.11111111

Wildcard Mask to Match an IPv4 Address Range

In this example, ACL 10 needs an ACE that permits all hosts in the 192.168.16.0/24, 192.168.17.0/24, ..., 192.168.31.0/24 networks. The wildcard mask 0.0.15.255 would correctly filter that range of addresses. The table lists in binary the host IPv4 address, the wildcard mask, and the permitted IPv4 addresses. The highlighted wildcard mask bits identify which bits of the IPv4 address must match. When processed, the wildcard mask 0.0.15.255 permits all hosts in the 192.168.16.0/24 to 192.168.31.0/24 networks. The resulting ACE in ACL 10 would be access-list 10 permit 192.168.16.0 0.0.15.255. IPv4 address Decimal 192.168.16.0 Binary 11000000.10101000.00010000.00000000 Wildcard Mask Decimal 0.0.15.255 Binary 00000000.00000000.00001111.11111111 Permitted Host IPv4 Addresses Decimal 192.168.16.1 Binary 11000000.10101000.00010000.00000000 Permitted Host IPv4 Addresses Decimal 192.168.31.254 Binary 11000000.10101000.00011111.11111111

4.0.2 What will I learn to do in this module?

Module Title: ACL Concepts Module Objective: Explain how ACLs are used as part of a network security policy. Topic Title Purpose of ACLs Topic Objective Explain how ACLs filter traffic. Topic Title Wildcard Masks in ACLs Topic Objective Explain how ACLs use wildcard masks. Topic Title Guidelines for ACL Creation Topic Objective Explain how to create ACLs. Topic Title Types of IPv4 ACLs Topic Objective Compare standard and extended IPv4 ACLs.

4.4.2 Numbered and Named ACLs

Numbered ACLs ACLs number 1 to 99, or 1300 to 1999 are standard ACLs while ACLs number 100 to 199, or 2000 to 2699 are extended ACLs, as shown in the output. R1(config)# access-list ? <1-99> IP standard access list <100-199> IP extended access list <1100-1199> Extended 48-bit MAC address access list <1300-1999> IP standard access list (expanded range) <200-299> Protocol type-code access list <2000-2699> IP extended access list (expanded range) <700-799> 48-bit MAC address access list rate-limit Simple rate-limit specific access list template Enable IP template acls R1(config)# access-list Named ACLs Named ACLs is the preferred method to use when configuring ACLs. Specifically, standard and extended ACLs can be named to provide information about the purpose of the ACL. For example, naming an extended ACL FTP-FILTER is far better than having a numbered ACL 100. The ip access-list global configuration command is used to create a named ACL, as shown in the following example. R1(config)# ip access-list extended FTP-FILTER R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq ftp R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq ftp-data R1(config-ext-nacl)# The following summarizes the rules to follow for named ACLs. Assign a name to identify the purpose of the ACL. Names can contain alphanumeric characters. Names cannot contain spaces or punctuation. It is suggested that the name be written in CAPITAL LETTERS. Entries can be added or deleted within the ACL.

4.1.2 Packet Filtering

Packet filtering controls access to a network by analyzing the incoming and/or outgoing packets and forwarding them or discarding them based on given criteria. Packet filtering can occur at Layer 3 or Layer 4, as shown in the figure. OSI Model 7. Application 6. Presentation 5. Session 4. Transport Packet Filtering works at Layer 3 and Layer 4 3. Network 2. Data Link 1. Physical Cisco routers support two types of ACLs:

Module Practice and Quiz 4.5.1 What did I learn in this module?

Purpose of ACLs Several tasks performed by routers require the use of ACLs to identify traffic. An ACL is a series of IOS commands that are used to filter packets based on information found in the packet header. A router does not have any ACLs configured by default. However, when an ACL is applied to an interface, the router performs the additional task of evaluating all network packets as they pass through the interface to determine if the packet can be forwarded. An ACL uses a sequential list of permit or deny statements, known as ACEs. Cisco routers support two types of ACLs: standard ACLs and extended ACLs. An inbound ACL filters packets before they are routed to the outbound interface. If the packet is permitted by the ACL, it is then processed for routing. An outbound ACL filters packets after being routed, regardless of the inbound interface. When an ACL is applied to an interface, it follows a specific operating procedure: 1. The router extracts the source IPv4 address from the packet header. 2. The router starts at the top of the ACL and compares the source IPv4 address to each ACE in a sequential order. 3. When a match is made, the router carries out the instruction, either permitting or denying the packet, and the remaining ACEs in the ACL, if any, are not analyzed. 4. If the source IPv4 address does not match any ACEs in the ACL, the packet is discarded because there is an implicit deny ACE automatically applied to all ACLs. Wildcard Masks An IPv4 ACE uses a 32-bit wildcard mask to determine which bits of the address to examine for a match. Wildcard masks are also used by the Open Shortest Path First (OSPF) routing protocol. A wildcard mask is similar to a subnet mask in that it uses the ANDing process to identify which bits in an IPv4 address to match. However, they differ in the way they match binary 1s and 0s. Wildcard mask bit 0 matches the corresponding bit value in the address. Wildcard mask bit 1 ignores the corresponding bit value in the address. A wildcard mask is used to filter traffic for one host, one subnet, and a range IPv4 addresses. A shortcut to calculating a wildcard mask is to subtract the subnet mask from 255.255.255.255. Working with decimal representations of binary wildcard mask bits can be simplified by using the Cisco IOS keywords host and any to identify the most common uses of wildcard masking. Keywords reduce ACL keystrokes and make it easier to read the ACE. Guidelines for ACL creation There is a limit on the number of ACLs that can be applied on a router interface. For example, a dual-stacked (i.e, IPv4 and IPv6) router interface can have up to four ACLs applied. Specifically, a router interface can have one outbound IPv4 ACL, one inbound IPv4 ACL, one inbound IPv6 ACL , and one outbound IPv6 ACL. ACLs do not have to be configured in both directions. The number of ACLs and their direction applied to the interface will depend on the security policy of the organization. Basic planning is required before configuring an ACL and includes the following best practices: Base ACLs on the organizational security policies. Write out what you want the ACL to do. Use a text editor to create, edit, and save all of your ACLs. Document the ACLs using the remark command. Test the ACLs on a development network before implementing them on a production network. Types of IPv4 ACLs There are two types of IPv4 ACLs: standard ACLs and Extended ACLs. Standard ACLs permit or deny packets based only on the source IPv4 address. Extended ACLs permit or deny packets based on the source IPv4 address and destination IPv4 address, protocol type, source and destination TCP or UDP ports and more. ACLs number 1 -to 99, or 1300 to 1999, are standard ACLs. ACLs number 100-199, or 2000 to 2699, are extended ACLs. Named ACLs is the preferred method to use when configuring ACLs. Specifically, standard and extended ACLs can be named to provide information about the purpose of the ACL. The following summarizes the rules to follow for named ACLs: Assign a name to identify the purpose of the ACL. Names can contain alphanumeric characters. Names cannot contain spaces or punctuation. It is suggested that the name be written in CAPITAL LETTERS. Entries can be added or deleted within the ACL. Every ACL should be placed where it has the greatest impact on efficiency. Extended ACLs should be located as close as possible to the source of the traffic to be filtered. This way, undesirable traffic is denied close to the source network without crossing the network infrastructure. Standard ACLs should be located as close to the destination as possible. If a standard ACL was placed at the source of the traffic, the "permit" or "deny" will occur based on the given source address no matter where the traffic is destined. Placement of the ACL may depend on the extent of organizational control, bandwidth of the networks, and ease of configuration.

Purpose of ACLs 4.1.1 What is an ACL?

Routers make routing decisions based on information in the packet header. Traffic entering a router interface is routed solely based on information within the routing table. The router compares the destination IP address with routes in the routing table to find the best match and then forwards the packet based on the best match route. That same process can be used to filter traffic using an access control list (ACL). An ACL is a series of IOS commands that are used to filter packets based on information found in the packet header. By default, a router does not have any ACLs configured. However, when an ACL is applied to an interface, the router performs the additional task of evaluating all network packets as they pass through the interface to determine if the packet can be forwarded. An ACL uses a sequential list of permit or deny statements, known as access control entries (ACEs). Note: ACEs are also commonly called ACL statements. When network traffic passes through an interface configured with an ACL, the router compares the information within the packet against each ACE, in sequential order, to determine if the packet matches one of the ACEs. This process is called packet filtering. Several tasks performed by routers require the use of ACLs to identify traffic. The table lists some of these tasks with examples.

2. Which packet filtering statement is true?

Standard ACLs filter at Layer 3 only.

3. Where should a standard ACL be placed?

Standard ACLs should be placed as close to the destination as possible.

3. Which two statements describe appropriate general guidelines for configuring and applying ACLs? (Choose two.)

The most specific ACL statements should be entered first because of the top-down sequential nature of ACLs. If an ACL contains no permit statements, all traffic is denied by default.

1. Which two conditions would cause a router to drop a packet? (Choose two.)

The packet source address does not match the source as permitted in a standard inbound ACE. No routing table entry exists for the packet destination, but the packet matches a permitted address in an outbound ACL.

Types of IPv4 ACLs 4.4.1 Standard and Extended ACLs

The previous topics covered the purpose of ACL and the guidelines for ACL creation. This topic will cover standard and extended ACLs, named and numbered ACLs, and the examples of placement of these ACLs. There are two types of IPv4 ACLs: Standard ACLs - These permit or deny packets based only on the source IPv4 address. Extended ACLs - These permit or deny packets based on the source IPv4 address and destination IPv4 address, protocol type, source and destination TCP or UDP ports and more. For example, refer to the following standard ALC command. R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255 R1(config)# ACL 10 permits hosts on the source network 192.168.10.0/24. Because of the implied "deny any" at the end, all traffic except for traffic coming from the 192.168.10.0/24 network is blocked with this ACL. In the next example, an extended ACL 100 permits traffic originating from any host on the 192.168.10.0/24 network to any IPv4 network if the destination host port is 80 (HTTP). R1(config)# access-list 100 permit tcp 192.168.10.0 0.0.0.255 any eq www R1(config)# Notice how the standard ACL 10 is only capable of filtering by source address while the extended ACL 100 is filtering on the source, and destination Layer 3, and Layer 4 protocol (i.e., TCP) information. Note: Full ACL configuration is discussed in another module.

4.3.2 ACL Best Practices

Using ACLs requires attention to detail and great care. Mistakes can be costly in terms of downtime, troubleshooting efforts, and poor network service. Basic planning is required before configuring an ACL. The table presents guidelines that form the basis of an ACL best practices list.

4.2.2 Wildcard Mask Types

Using wildcard masks will take some practice. Refer to the examples to learn how the wildcard mask is used to filter traffic for one host, one subnet, and a range IPv4 addresses. Click each button to see how the wildcard mask is used in ACLs.

Introduction 4.0.1 Why should I take this module?

Welcome to ACL Concepts! You have arrived at your grandparents' residence. It is a beautiful gated community with walking paths and gardens. For the residents safety, no one is permitted to get into the community without stopping at the gate and presenting the guard with identification. You provide your ID and the guard verifies that you are expected as a visitor. He documents your information and lifts the gate. Imagine if the guard had to do this for the many staff members that entered each day. They have simplified this process by assigning a badge for each employee to automatically raise the gate once the badge is scanned. You greet your grandparents who are anxiously awaiting you at the front desk. You all get back into the car to go down the street for dinner. As you exit the parking lot, you must again stop and show your identification so that the guard will lift the gate. Rules have been put in place for all incoming and outgoing traffic. Much like the guard in the gated community, network traffic passing through an interface configured with an access control list (ACL) has permitted and denied traffic. The router compares the information within the packet against each ACE, in sequential order, to determine if the packet matches one of the ACEs. This process is called packet filtering. Let's learn more!

4.2.4 Wildcard Mask Keywords

Working with decimal representations of binary wildcard mask bits can be tedious. To simplify this task, the Cisco IOS provides two keywords to identify the most common uses of wildcard masking. Keywords reduce ACL keystrokes and make it easier to read the ACE. The two keywords are: host - This keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4 address bits must match to filter just one host address. any - This keyword substitutes for the 255.255.255.255 mask. This mask says to ignore the entire IPv4 address or to accept any addresses. For example, in the command output, two ACLs are configured. The ACL 10 ACE permits only the 192.168.10.10 host and the ACL 11 ACE permits all hosts. R1(config)# access-list 10 permit 192.168.10.10 0.0.0.0 R1(config)# access-list 11 permit 0.0.0.0 255.255.255.255 R1(config)# Alternatively, the keywords host and any could have been used to replace the highlighted output. The following commands accomplishes the same task as the previous commands. R1(config)# access-list 10 permit host 192.168.10.10 R1(config)# access-list 11 permit any R1(config)#

2. Which of the following is an ACL best practice?

Write the ACL before configuring it on the router.

10. Which location is recommended for extended numbered or extended named ACLs?

a location as close to the source of traffic as possible

4. What single access list statement matches all of the following networks? 192.168.16.0 192.168.17.0 192.168.18.0 192.168.19.0

access-list 10 permit 192.168.16.0 0.0.3.255