Cisco II | Ch. 7, Access Control Lists


It denies all traffic

A single-entry ACL with only one deny entry has what effect?

access control entries (ACEs)

An ACL is a sequential list of permit or deny statements, known as ____.

ACL statements

Another name for access control entries is _______________.

0.0.0.63

Calculate the wildcard mask for 192.168.100.0/26

0.0.3.255

Calculate the wildcard mask for IP 10.0.0.1/22

no access-list 20

Enter the command to remove access-list 20.

access-list 1 permit any

Enter the command using a keyword to substitute the IPv4 address 0.0.0.0 with a wildcard mask of 255.255.255.255 on access-list 1.

one

How many ACLs can you have per interface?

access-list, ip access-list

Numbered ACLs use the global configuration command ___________, whereas named IPv4 ACLs use the __________ command.

show access-lists

To view an individual access list use the _____________ command followed by the access list number or name.

True.

True or False? ACLs can filter traffic based on traffic type.

show running-config | include access-list 10

What command would you use to view only access-list information for access-list 10?

wildcard mask

A ______________ is a string of 32 binary digits used by the router to determine which bits of the address to examine for a match.

B. The ACL does not perform as designed.

A network administrator is configuring an ACL to restrict access to certain servers in the data center. The intent is to apply the ACL to the interface connected to the data center LAN. What happens if the ACL is incorrectly applied to an interface in the inbound direction instead of the outbound direction? A. All traffic is denied. B. The ACL does not perform as designed. C. The ACL will analyze traffic after it is routed to the outbound interface. D. All traffic is permitted.

B. Router(config)# access-list 95 deny 172.16.0.0 0.0.255.255 D. Router(config)# access-list 95 permit any

A network administrator is writing a standard ACL that will deny any traffic from the 172.16.0.0/16 network, but permit all other traffic. Which two commands should be used? (Choose two.) A. Router(config)# access-list 95 deny any B. Router(config)# access-list 95 deny 172.16.0.0 0.0.255.255 C. Router(config)# access-list 95 deny 172.16.0.0 255.255.0.0 D. Router(config)# access-list 95 permit any E. Router(config)# access-list 95 host 172.16.0.0 F. Router(config)# access-list 95 172.16.0.0 255.255.255.255

A. Router1(config)# access-list 10 permit 192.168.15.23 0.0.0.0 E. Router1(config)# access-list 10 permit host 192.168.15.23

A network administrator needs to configure a standard ACL so that only the workstation of the administrator with the IP address 192.168.15.23 can access the virtual terminal of the main router. Which two configuration commands can achieve the task? (Choose two.) A. Router1(config)# access-list 10 permit 192.168.15.23 0.0.0.0 B. Router1(config)# access-list 10 permit 192.168.15.23 255.255.255.255 C. Router1(config)# access-list 10 permit 192.168.15.23 0.0.0.255 D. Router1(config)# access-list 10 permit 192.168.15.23 255.255.255.0 E. Router1(config)# access-list 10 permit host 192.168.15.23

Access Control List (ACL)

An ___ permits or denies traffic through a router based on specific defined criteria.

inbound

An __________ ACL is efficient because it saves the overhead of routing lookups if the packet is discarded.

B. R1(config-line)# access-class 1 in

An administrator has configured an access list on R1 to allow SSH administrative access from host 172.16.1.100. Which command correctly applies the ACL? A. R1(config-if)# ip access-group 1 out B. R1(config-line)# access-class 1 in C. R1(config-line)# access-class 1 out D. R1(config-if)# ip access-group 1 in

ip access-group TEST_ACL out

Assume you're already in the correct interface. Apply your ACL named Test_ACL to the interface and specify that the ACL should be applied only for outgoing packets.

enable configure terminal line vty 0 4 login local transport input ssh access-class 45 in exit access-list 45 permit 192.168.0.0 0.0.0.255 access-list 45 deny any

Complete the following instructions starting from USER EXEC mode (or complete 7.2.3.1 Figure 2). Configure all vty lines to accept incoming SSH using access list 45. Exit to global mode and create access list 45 to permit the 192.168.10.0/24 network and explicitly deny all others.

B. Two devices were able to use SSH or Telnet to gain access to the router.

Consider the following output for an ACL that has been applied to a router via the access-class in command. What can a network administrator determine from the output that is shown? R1# <output omitted> Standard IP access list 2 10 permit 192.168.10.0, wildcard bits 0.0.0.255 (2 matches) 20 deny any (1 match) A. Two devices connected to the router have IP addresses of 192.168.10.x. B. Two devices were able to use SSH or Telnet to gain access to the router. C. Traffic from two devices was allowed to enter one router port and be routed outbound to a different router port. D. Traffic from one device was not allowed to come into one router port and be routed outbound a different router port.

clear access-list counters

During testing of an ACL, the counters can be cleared using the _______________________ command. This command can be used alone or with the number or name of a specific ACL.

access-list 40 permit host 192.168.40.10

Enter the command to create a host statement in numbered ACL 40 that permits the host 192.168.40.10.

ip access-list standard TEST_ACL

Enter the command to create a standard ACL named TEST_ACL.

show running-config

For an existing ACL, you can use the _________________________ command to display the ACL.

16

If a router has four interfaces and is routing both IPv4 and IPv6 traffic, how many ACLs could be created and applied to it?

B. Traffic that is leaving the router and going toward the destination host

In applying an ACL to a router interface, which traffic is designated as outbound? A. Traffic that is coming from the source IP address into the router B. Traffic that is leaving the router and going toward the destination host C. Traffic that is going from the destination IP address into the router D. Traffic for which the router can find no routing table entry

no sequence-number

In named access list configuration mode, use the ________________ command to quickly delete individual statements.

A. When the ACL is applied to an outbound interface to filter packets coming from multiple inbound interfaces before the packets exit the interface

In which configuration would an outbound ACL placement be preferred over an inbound ACL placement? A. When the ACL is applied to an outbound interface to filter packets coming from multiple inbound interfaces before the packets exit the interface B. When an interface is filtered by an outbound ACL and the network attached to the interface is the source network being filtered within the ACL C. When a router has more than one ACL D. When an outbound ACL is closer to the source of the traffic flow

A. On the router that has the ACL configured

On which router should the show access-lists command be executed? A. On the router that has the ACL configured B. On the router that routes the packet referenced in the ACL from the source network C. On the router that routes the packet referenced in the ACL to the final destination network D. On any router through which the packet referenced in the ACL travels

A. Four packets have been allowed through the router from PCs in the network of 192.168.1.64.

Refer to the following output. What is the significance of the 4 match(es) statement? R1# <output omitted> 10 permit 192.168.1.56 0.0.0.7 20 permit 192.168.1.64 0.0.0.63 (4 match(es)) 30 deny any (8 match(es)) A. Four packets have been allowed through the router from PCs in the network of 192.168.1.64. B. Four packets have been allowed through the router to reach the destination network of 192.168.1.64/26. C. Four packets have been denied that are destined for the 192.168.1.64 network. D. Four packets have been denied that have been sourced from any IP address.

3 3/4

Standard ACL packet filtering occurs at layer _, while extended ACL packet filtering occurs at layers _ and _.

any

The ___ keyword substitutes for the IPv4 address and 255.255.255.255 mask. This mask says to ignore the entire IPv4 address or to accept all addresses.

host

The ____ keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4 address bits must match to filter just one host address.

VIP pass

The _______ gives selected guests privileges not offered to general admission ticket holders, such as priority entry or being able to enter a restricted area.

remark

The ________ keyword is used for documentation and makes access lists a great deal easier to understand.

extended, standard

The general rule is that ___________ ACLs are placed as close as possible to the source and ___________ ACLs are placed as close as possible to the destination.

implicit deny

The last statement of an ACL is always an ___________.

False. Two separate ACLs must be created to control inbound and outbound traffic.

True or False? A single ACL can accommodate both inbound and outbound traffic.

False

True or False? A standard ACL filters network traffic based on the destination MAC address.

False. Prefix-length is used to indicate how much of a source address should be matched in IPv6.

True or False? Both IPv4 ACLs and IPv6 ACLs utilize wildcard masks.

False. They are not configured by default at all.

True or False? By default, ACLs are configured on routers with only the most basic settings.

False. Other way around.

True or False? With regard to host statements, the sequence number indicates the order that the statement will be processed, not the order the statement was entered.

False. True, they are listed in the order they were entered, but after host statements.

True or False? Range statements are listed before host statements in the order that they were entered.

False. The current statement must be deleted first, and then the new one can be added.

True or False? Statements can be overwritten using the same sequence number as an existing statement.

True.

True or False? The order in which standard ACEs are entered may not be the order in which they are stored, displayed or processed by the router.

All packets are evaluated to see if they can be forwarded

What additional task is performed when an ACL is applied to an interface?

ACEs entered incorrectly; inadequate ACL rules

What are the two most common errors mentioned by the chapter when dealing with ACLs?

C. ACLs provide a basic level of security for network access. E. ACLs can control which areas a host can access on a network.

What are two uses of an access control list? (Choose two.) A. ACLs assist the router in determining the best path to a destination. B. Standard ACLs can restrict access to specific applications and ports. C. ACLs provide a basic level of security for network access. D. ACLs can permit or deny traffic based upon the MAC address originating on the router. E. ACLs can control which areas a host can access on a network.

The packet is discarded

What happens if the source IPv4 address does not match any ACEs in the ACL?

Source IPv4 address

What is the filtering criteria set in each ACE of a standard IPv4 ACL?

798

What is the maximum possible number of standard ACLs?

A. Use the no keyword and the sequence number of the ACE to be removed.

What is the quickest way to remove a single ACE from a named ACL? A. Use the no keyword and the sequence number of the ACE to be removed. B. Copy the ACL into a text editor, remove the ACE, then copy the ACL back into the router. C. Use the no access-list command to remove the entire ACL, then recreate it without the ACE. D. Create a new ACL with a different number and apply the new ACL to the router interface.

B. access-list 10 permit 192.168.16.0 0.0.3.255

What single access list statement matches all of the following networks? 192.168.16.0 192.168.17.0 192.168.18.0 192.168.19.0 A. access-list 10 permit 192.168.16.0 0.0.15.255 B. access-list 10 permit 192.168.16.0 0.0.3.255 C. access-list 10 permit 192.168.16.0 0.0.0.255 D. access-list 10 permit 192.168.0.0 0.0.15.255

D. When troubleshooting an ACL and needing to know how many packets matched

When would a network administrator use the clear access-list counters command? A. When an ACE is deleted from an ACL B. When obtaining a baseline C. When buffer memory is low D. When troubleshooting an ACL and needing to know how many packets matched

Source IP address

Which address is required in the command syntax of a standard ACL?

1

Which binary value in a wildcard mask indicates to ignore the corresponding bit value in the address?

0

Which binary value in a wildcard mask indicates to match the corresponding bit value in the address?

show access-lists

Which command produced the following output? R1# 10 permit 192.168.1.56 0.0.0.7 20 permit 192.168.1.64 0.0.0.63 (4 match(es)) 30 deny any (8 match(es))

no ip access-group

Which command would you issue to remove an ACL from an interface?

A. unique D. alphanumeric E. Is case sensitive

Which items describe an ACL name? (Choose 3) A. unique B. 32 characters maximum C. 64 characters maximum D. alphanumeric E. Is case sensitive F. Is not case sensitive

B. 10.120.160.0 to 10.120.167.255

Which range represents all the IP addresses that are affected when network 10.120.160.0 with a wildcard mask of 0.0.7.255 is used in an ACE? A. 10.120.160.0 to 10.127.255.255 B. 10.120.160.0 to 10.120.167.255 C. 10.120.160.0 to 10.120.168.0 D. 10.120.160.0 to 10.120.191.255

C. Apply an ACL that has all deny ACE statements.

Which scenario would cause an ACL misconfiguration and deny all traffic? A. Apply a standard ACL in the inbound direction. B. Apply a named ACL to a VTY line. C. Apply an ACL that has all deny ACE statements. D. Apply a standard ACL using the ip access-group out command.

B. Inbound ACLs are processed before the packets are routed while outbound ACLs are processed after the routing is completed.

Which statement describes a difference between the operation of inbound and outbound ACLs? A. Inbound ACLs can be used in both routers and switches but outbound ACLs can be used only on routers. B. Inbound ACLs are processed before the packets are routed while outbound ACLs are processed after the routing is completed. C. On a network interface, more than one inbound ACL can be configured but only one outbound ACL can be configured. D. In contrast to outbound ACLs, inbound ACLs can be used to filter packets with multiple criteria.

A. Place extended ACLs close to the source IP address of the traffic. B. Place standard ACLs close to the destination IP address of the traffic. D. Filter unwanted traffic before it travels onto a low-bandwidth link.

Which three statements are generally considered to be best practices in the placement of ACLs? (Choose three.) A. Place extended ACLs close to the source IP address of the traffic. B. Place standard ACLs close to the destination IP address of the traffic. C. For every inbound ACL placed on an interface, there should be a matching outbound ACL. D. Filter unwanted traffic before it travels onto a low-bandwidth link. E. Place standard ACLs close to the source IP address of the traffic. F. Place extended ACLs close to the destination IP address of the traffic.

A. Each statement is checked only until a match is detected or until the end of the ACE list. B. A packet can either be rejected or forwarded as directed by the ACE that is matched. D. An implicit deny any rejects any packet that does not match any ACE.

Which three statements describe ACL processing of packets? (Choose three.) A. Each statement is checked only until a match is detected or until the end of the ACE list. B. A packet can either be rejected or forwarded as directed by the ACE that is matched. C. A packet that does not match the conditions of any ACE will be forwarded by default. D. An implicit deny any rejects any packet that does not match any ACE. E. Each packet is compared to the conditions of every ACE in the ACL before a forwarding decision is made. F. A packet that has been denied by one ACE can be permitted by a subsequent ACE.

B. Router(config)# access-list 90 permit 192.168.10.5 0.0.0.0 E. Router(config)# access-list 35 permit host 172.31.22.7

Which two commands will configure a standard ACL? (Choose two.) A. Router(config)# access-list 20 permit host 192.168.5.5 any any B. Router(config)# access-list 90 permit 192.168.10.5 0.0.0.0 C. Router(config)# access-list 45 permit 192.168.200.4 host D. Router(config)# access-list 10 permit 10.20.5.0 0.255.255.255 any E. Router(config)# access-list 35 permit host 172.31.22.7

Host

Which type of ACL statements are commonly reordered by the Cisco IOS as the first ACEs?

vty

Which type of router connection can be secured by the access-class command?

D. A named ACL that has not been applied yet

Which type of standard ACL is easiest to modify on a production router? A. A numbered ACL that is applied inbound B. A numbered ACL that has not been applied yet C. A named ACL that has been applied with the access-class command D. A named ACL that has not been applied yet

inverse mask - Because the 1s and 0s work the opposite of a subnet mask.

Wildcard masks are often referred to as an ______________.

Firewalls

_________ are hardware or software solutions that enforce network security policies.

Outbound

___________ ACLs are best used when the same filter will be applied to packets coming from multiple inbound interfaces before exiting the same outbound interface.

Packet filtering

___________________ controls access to a network by analyzing the incoming and outgoing packets and forwarding them or discarding them based on given criteria.

