CCC NET 126 Chapter 9


True

A general rule for applying ACLs on a router can be recalled by remembering the three Ps. You can configure one ACL per protocol, per direction, per interface.

An IPv4 ACL and an IPv6 ACL cannot share the same name.

Can an IPv4 ACL have the same name as an IPv6 ACL?

Capitalizing ACL names is not required, but makes them stand out when viewing the running-config output. It also makes it less likely that you will accidentally create two different ACLs with the same name but with different uses of capitalization.

Capitalizing ACL names is not required, so why should you do it anyway?

Naming an ACL makes it easier to understand its function.

What is the advantage of naming an ACL?

ipv6 traffic-filter

What is the command used to apply an IPv6 ACL to an interface?

The last statement of an ACL is always an implicit deny. This statement is automatically inserted at the end of each ACL even though it is not physically present. The implicit deny blocks all traffic. Because of this implicit deny, an ACL that does not have at least one permit statement will block all traffic.

What is the last statement in every ACL?

These two statements allow the router to participate in the IPv6 equivalent of ARP for IPv4. Because IPv6 uses the Layer 3 service for neighbor discovery, IPv6 ACLs need to implicitly permit ND packets to be sent and received on an interface. Specifically, both Neighbor Discovery - Neighbor Advertisement (nd-na) and Neighbor Discovery - Neighbor Solicitation (nd-ns) messages are permitted.

What is the purpose of the two implicit permit statements?

Text editor, Sequence numbers

What two methods can be used to edit an extended ACL?

The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so that it is clear which remark describes which permit or deny statement.

Where can remark commands be placed in an ACL?

show ipv6 interface

Which command can be used to verify that an IPv6 ACL is configured on a specific interface and show if it's inbound or outbound?

show ip interface

Which command is used to verify the ACL on the interface and the direction in which it was applied?

show ip interface

Which command is used to verify the ACL on the interface?

255.255.252.0

Which of the following is the subnet mask for the wildcard mask of 0.0.3.255?

Source and destination packet acknowledgement

Which of these choices is not an attribute that an extended ACL can filter?

49152-65535

private or dynamic port group

1024-49151

registered port group

12

A router with three interfaces and two network protocols (IPv4 and IPv6) can have as many as _______________ active ACLs.

True

A wildcard mask is often referred to as an inverse mask. The reason is that, unlike a subnet mask in which binary 1 is equal to a match and binary 0 is not a match, in a wildcard mask the reverse is true.

sequentially

ACEs are processed _______________. Therefore, the order in which ACEs are entered is important.

Inbound ACLs - Incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the tests, it is then processed for routing. Inbound ACLs are best used to filter packets when the network attached to an inbound interface is the only source of the packets needed to be examined.
Outbound ACLs - Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL. Outbound ACLs are best used when the same filter will be applied to packets coming from multiple inbound interfaces before exiting the same outbound interface.

ACLs are configured to apply to inbound traffic or to apply to outbound traffic. Explain both in detail.

firewall

ACLs are often used in routers between internal and external networks to provide a _______________.

interface

ACLs can filter data traffic per protocol, per direction, and per _______________.

protocol

ACLs can filter traffic based on source/destination address, _______________, and port number.

True

ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router.

False

ACLs will act on packets that originate from the router itself.

Firewalls are hardware or software solutions that enforce network security policies.

According to the curriculum what is a firewall?

An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols.

According to the curriculum what is an ACL?

True

An ACL is a series of IOS commands that control whether a router forwards or drops packets based on information found in the packet header.

forward, drop

An Access Control List (ACL) controls whether the router will _______________ or _______________ packet traffic based on packet header criteria.

standard

Because these ACLs do not specify destination addresses, place them as close to the destination as possible. Placing this ACL at the source of the traffic will effectively prevent that traffic from reaching any other networks through the interface where the ACL is applied.

FIN

Concludes the session

SYN/ACK

Confirms the transfer is synchronized

One or the other.

Do extended ACLs require port numbers, port names, or both?

by analyzing the incoming and outgoing packets and passing or dropping them based on given criteria, such as the source IP address, destination IP addresses, and the protocol carried within the packet.

Explain how packet filtering, sometimes called static packet filtering, controls access to a network.

If the information in a packet header and an ACL statement match, the rest of the statements in the list are skipped, and the packet is permitted or denied as specified by the matched statement. If a packet header does not match an ACL statement, the packet is tested against the next statement in the list. This matching process continues until the end of the list is reached.

Explain in detail the process or logic the packets follow for an inbound ACL.

Before a packet is forwarded to an outbound interface, the router checks the routing table to see if the packet is routable. If the packet is not routable, it is dropped and is not tested against the ACEs. Next, the router checks to see whether the outbound interface is grouped to an ACL. If the outbound interface is not grouped to an ACL, the packet can be sent to the output buffer. If the outbound interface is grouped to an outbound ACL, the packet is not sent out on the outbound interface until it is tested by the combination of ACEs that are associated with that interface. Based on the ACL tests, the packet is permitted or denied.

Explain in detail the process or logic the packets follow for an outbound ACL.

Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet. Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network. Configure ACLs on border routers, that is, routers situated at the edges of your networks. This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network. Configure ACLs for each network protocol configured on the border router interfaces.

Explain the guidelines for using ACLs.

To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL.

Explain the two commands that are required to completely remove an ACL from a router.

A wildcard mask is a string of 32 binary digits used by the router to determine which bits of the address to examine for a match.

Explain what a wildcard mask is.

If the outbound interface is grouped to an outbound ACL, the packet is not sent out on the outbound interface until it is tested by the combination of ACEs that are associated with that interface. Based on the ACL tests, the packet is permitted or denied.

Explain what happens if there is an ACL applied to an outbound interface on a router.

The host keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4 address bits must match or only one host is matched. The any option substitutes for the IP address and 255.255.255.255 mask. This mask says to ignore the entire IPv4 address or to accept any addresses.

Explain what host and any indicate in an ACL.

Limit network traffic to increase network performance. Provide traffic flow control. Provide a basic level of security for network access. Filter traffic based on traffic type. Screen hosts to permit or deny access to network services.

Explain what tasks ACLs perform when configured.

The remark keyword is used for documentation and makes access lists a great deal easier to understand.

Explain what the remark keyword is used for.

before

For inbound ACLs, incoming packets are processed _______________ they are sent to the outbound interface.

after

For outbound ACLs, incoming packets are processed _______________ they are sent to the outbound interface.

Each remark is limited to 100 characters.

How many characters can be used in an ACL remark?

The prefix-length is used to indicate how much of an IPv6 source or destination address should be matched.

IPv6 ACLs do not use wildcard masks. Explain what IPv6 does instead.

The prefix-length is used to indicate how much of an IPv6 source or destination address should be matched.

IPv6 ACLs do not use wildcard masks. What is used to indicate how much of an IPv6 source or destination address should be matched?

The destination address, protocol, and port number.

Like a standard ACL, an extended ACL can filter traffic based on the source address. What else can an extended ACL filter traffic based on?

One ACL per protocol - To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
One ACL per direction - ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.
One ACL per interface - ACLs control traffic for an interface, for example, GigabitEthernet 0/0.

List and explain the three Ps.

From global configuration mode, use the ipv6 access-list name command to create an IPv6 ACL. From the named ACL configuration mode, use the permit or deny statements to specify one or more conditions to determine if a packet is forwarded or dropped. Return to privileged EXEC mode with the end command.

List and explain the three basic steps to configure an IPv6 ACL.

Protocol type, source IPv4 address, destination IPv4 address, source TCP or UDP ports, destination TCP or UDP ports, optional protocol type information for finer control

List the attributes that extended ACLs filter IPv4 packets on.

In IPv4 there are two types of ACLs, standard and extended. Both types of ACLs can be either numbered or named ACLs.

List the types of IPv4 ACLs.

With IPv6, there is only one type of ACL, which is equivalent to an IPv4 extended named ACL.

List the types of IPv6 ACLs.

Source address, destination address, protocol, port numbers

List what extended ACLs can filter on.

extended

Locate these ACLs as close as possible to the source of the traffic to be filtered. This way, undesirable traffic is denied close to the source network without crossing the network infrastructure.

show access-lists

Once the ACL has been applied to an interface and some testing has occurred, the ___________________________ command will show statistics for each statement that has been matched.

False

One way to calculate a wildcard mask is to subtract the subnet mask from the IP address.

The additional numbers are referred to as expanded IP ACLs.

Standard ACLs can be numbered from 1 to 99, and 1300 to 1999. What is the second set of ACL numbers referred to as?

number, name

Standard and extended ACLs can be created using either a _______________________ or a ______________________ to identify the ACL and its list of statements.

SYN

Starts or synchronizes the session

This prevents unwanted traffic from being sent across multiple networks only to be denied when it reaches its destination.

The basic rule for placing an extended ACL is to place it as close to the source as possible. Explain why.

False

The following example allows all traffic from the 192.168.30.0/24 network. Because of the implied allow any at the end, all other traffic is allowed with this ACL. access-list 10 permit 192.168.30.0 0.0.0.255

optimizes the search for a host ACL entry.

The host statements are listed first but not necessarily in the order that they were entered. The IOS puts host statements in an order using a special hashing function. The resulting order:

True

The last statement of an ACL is always an implicit deny. This statement is automatically inserted at the end of each ACL even though it is not physically present. The implicit deny blocks all traffic. Because of this implicit deny, an ACL that does not have at least one permit statement will block all traffic.

True

The most important reason to configure ACLs is to provide security for a network.

show running-config

The output from the ________________________________ command includes all of the ACEs and remark statements.

The extent of the network administrator's control, bandwidth of the networks involved, ease of configuration

The placement of the ACL and the type of ACL used may also depend on what three other factors?

Using a Text Editor, Using the Sequence Number

There are two ways that a standard numbered ACL can be edited. These are:

deny ipv6 any any
permit icmp any any nd-na
permit icmp any any nd-ns

What are the three implicit statements at the end of every IPv6 ACL?

(100 to 199) and (2000 to 2699): Extended IP ACL

What are the two number ranges that can be assigned to extended ACLs?

(1 to 99) and (1300 to 1999): Standard IP ACL

What are the two number ranges that can be assigned to standard ACLs?

The two types of Cisco IPv4 ACLs are standard and extended.

What are the two types of Cisco IPv4 ACLs?

An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs). ACEs are also commonly called ACL statements. ACEs can be created to filter traffic based on certain criteria such as: the source address, destination address, the protocol, and port numbers.

What are ACEs?

Wildcard masks are often referred to as an inverse mask.

What are wildcard masks often referred to as?

Names can contain alphanumeric characters. It is suggested that the name be written in CAPITAL LETTERS. Names cannot contain spaces or punctuation. Entries can be added or deleted within the ACL.

What are the requirements to use a name to identify an ACL?

Both named and numbered access lists can be applied to VTYs. Identical restrictions should be set on all the VTYs, because a user can attempt to connect to any of them.

What are two recommended practices when configuring access lists on VTYs?

At the end of every ACL is an implicit deny any statement.

What command is at the end of every ACL?

access-class command

What command, configured in line configuration mode, restricts incoming and outgoing connections between a particular VTY and the addresses in an access list?

The clear access-list counters command. This command can be used alone or with the number or name of a specific ACL.

What command will clear the counters while testing an ACL?

Standard ACLs can be used to permit or deny traffic only from source IPv4 addresses. The destination of the packet and the ports involved are not evaluated.

What do standard ACLs permit or deny?

This mask states that all IPv4 address bits must match or only one host is matched.

What does a 0.0.0.0 wildcard mask stipulate in an ACL?

The match must be for the first three octets, then any for the last octet.

What does a 0.0.0.255 wildcard mask stipulate in an ACL?

This mask says to ignore the entire IPv4 address or to accept any addresses.

What does a 255.255.255.255 wildcard mask stipulate in an ACL?

Allows you to define which IP addresses are allowed Telnet access to the router EXEC process.

What does restricting VTY access do?

Without the established parameter in the ACL statement, clients could send traffic to a web server, but not receive traffic returning from the web server.

What does the established parameter in an ACL specify?

TCP/UDP source port, TCP/UDP destination port

What information can an ACL extract from the Layer 4 header?

All access lists on the router including both IPv4 and IPv6 ACLs.

What information does the show access-lists command display?

Source IP address, destination IP address, ICMP message type

What information is extracted from the Layer 3 packet header by an ACL to evaluate network traffic?

One shortcut method is to subtract the subnet mask from 255.255.255.255.

What is a shortcut method to determine which addresses will match the wildcard mask?

To prevent the implied deny any statement at the end of the ACL from blocking all traffic, the permit ip any any statement is added. Without at least one permit statement in an ACL, all traffic on the interface where that ACL was applied would be dropped.

Why would a network administrator put a permit ip any any statement at the end of their ACL?

Wildcard mask bit 0 - Match the corresponding bit value in the address.
Wildcard mask bit 1 - Ignore the corresponding bit value in the address.

Wildcard masks and subnet masks differ in the way they match binary 1s and 0s. What rules do Wildcard masks use to match binary 1s and 0s, explain each.

True

Wildcard masks can make ACL statements either extremely general or extremely specific when filtering packets.

False

You can create only outbound ACLs. For inbound communication you need a firewall to restrict content.

Standard ACLs

_____________ can be used to permit or deny traffic only from source IPv4 addresses. The destination of the packet and the ports involved are not evaluated.

ACK

Indicates that an expected segment was received

0-1023

well-known port group
