Security - ACLs
Create a standard ACL that permits IP addresses that are allowed to telnet, and place the list inbound on VTY lines
What is the best way to prevent telnet / ssh using access lists?
Named ACL
What type of ACL allows you to delete individual statements?
Beginning of the line
Where do IPv4 ACL sequence numbers get displayed?
At the end of each line
Where do IPv6 ACL sequence numbers get displayed?
At the bottom of the list
Where do new entries added to an access list get placed?
As close to the source as possible (avoids traffic traversing the entire network just to be denied)
Where is the ideal placement for extended access lists?
As close to the destination as possible
Where is the ideal placement for standard access lists?
Extended Access List
A type of ACL that can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet including both source and destination IP addresses, the protocol field in the Network layer header, and the port number at the transport layer header.
Standard Access List
A type of ACL that uses only the source IP address in an IP packet as the condition test. These don't have the ability to distinguish between any types of IP traffic such as Web, Telnet, etc.
access-list 101 remark Block all HTTP Traffic
Command to add a comment to a numbered access list 101 saying "Block all HTTP Traffic"
ipv6 access-class (access-list-name)
Command to apply an IPv6 ACL to VTY lines
line vty 0 4 ; access-class (ACL #) (in / out)
Command to apply an access list to the VTY line
ip access-list (standard / extended) (ACL # or name)
Command to create a named access list
ip access-list standard [name]
Command to create a standard named ACL
ipv6 access-list (name)
Command to create an ipv6 ACL
ip access-list extended (name)
Command to create an extended named ACL
remark
Command to include comments as part of an access list
log (added at the end of a line: access-list 110 deny tcp any any eq telnet log)
Command to show whenever an access-list line is hit
show access-list
Displays all access lists and their parameters configured on the router. Also shows statistics about how many times each line permitted or denied a packet. This command does not show you which interface the list is applied on. It shows all access lists, including IPX or other types that may exist.
show ip interface
Displays which interfaces have access lists set on them.
100-199 or 2000-2699
Extended ACL range
10
If you do not specify a sequence number when adding an entry to a named access list, Cisco IOS increments the sequence number by ___ for every statement you enter
established
Keyword added to the end of an extended ACL entry that allows TCP traffic to pass if the packet is a response to an outbound-initiated session. Only applies to inbound TCP.
www
Keyword that can be used in an extended ACL instead of using tcp source address destination address eq 80 and tcp source address destination address eq 443
Inbound Access List
Method of filtering inbound packets on an interface
Outbound Access List
Method of filtering outbound packets on an interface
show access-list 110
Reveals only the parameters for access list 110. Again, this command will not reveal the specific interface the list is set on.
show ip access-list
Shows only the IP access lists configured on the router.
show running-config
Shows the access lists and the specific interfaces that have ACLs applied on them.
1-99 or 1300 - 1999
Standard ACL range
False (Packets are only compared to each line in sequential order until a match is made)
T or F A packet is compared to every line in an access list
True
T or F A standard IPv6 ACL includes both source and destination address information, but not TCP, UDP, or ICMPv6 information
False (ACLs are designed to filter traffic going through the router)
T or F Access lists will filter traffic that originated from the router
True
T or F All packets will be discarded if they do not meet any of the list's tests
True
T or F Both numbered and named ACLs can be configured for standard ACLs as well as extended ACLs
False (IPv6 ACLs use only named ACLs)
T or F IPv6 ACLs use numbered and named ACLs
True
T or F You can only have one inbound and one outbound ACL per interface
False (Remarks are only visible in the running-config)
T or F You can view remarks made within an access list by running the show access-list command
False (more specific rules should be towards the top)
T or F You should organize your access lists so that the more specific tests are at the bottom
Named Access List
Use a descriptive name or number for identification
Before being routed to the outbound interface
When are packets processed through an inbound access list?
After being routed to the outbound interface, and before being queued
When are packets processed through an outbound access list?
Command to create a standard access list
access-list (1-99) (deny / permit) (any, address + wildcard mask, host)
ipv6 traffic-filter (access-list-name) (in/out)
Command to apply an IPv6 ACL to an interface
access-list 12 permit host 172.16.4.13 ; line vty 0 15 ; access-class 12 in
Commands to allow only one host remote access to the router
access-list 1 deny 172.16.4.0 0.0.0.255 ; access-list 1 permit any ; int g0/0 ; ip access-group 1 out
Commands to block traffic from 172.16.4.0/24, but allow all other traffic
Command to apply access list to an interface
int fa0/0 ; ip access-group (ACL #) (in / out)
host
Keyword that can be used to specify a single device instead of using the 0.0.0.0 wildcard mask
any
Keyword that is the same as using an address of 0.0.0.0 with a wildcard mask of 255.255.255.255