ACLs
8. ACLs are configured to apply to inbound traffic or to apply to outbound traffic. Explain both in detail.
a. Inbound ACLs - Incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the tests, it is then processed for routing. Inbound ACLs are best used to filter packets when the network attached to an inbound interface is the only source of the packets that need to be examined.
b. Outbound ACLs - Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL. Outbound ACLs are best used when the same filter will be applied to packets coming from multiple inbound interfaces before exiting the same outbound interface.
c. ACLs can filter traffic based on source/destination address, blank , and port number.
protocol
g. A router with three interfaces and two network protocols (IPv4 and IPv6) can have as many as blank active ACLs.
twelve
85. The output from the blank command includes all of the ACEs and remark statements.
show running-config
28. Explain what a wildcard mask is.
A wildcard mask is a string of 32 binary digits used by the router to determine which bits of the address to examine for a match.
61. What command, configured in line configuration mode, restricts incoming and outgoing connections between a particular VTY and the addresses in an access list?
access-class
b. For outbound ACLs, incoming packets are processed blank they are sent to the outbound interface.
After
84. What information does the show access-lists command display?
All the access lists on the router including both IPv4 and IPv6 ACLs.
10. What happens if an ACL does not have at least one permit statement?
All traffic will be blocked.
2. According to the curriculum what is an ACL?
An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols.
5. What are ACEs?
The individual permit or deny statements that make up an ACL's sequential list are known as access control entries (ACEs).
31. What are wildcard masks often referred to as?
An inverse mask.
70. What command is at the end of every ACL?
An implicit deny any statement.
4. Explain how packet filtering, sometimes called static packet filtering, controls access to a network.
By analyzing the incoming and outgoing packets and passing or dropping them based on given criteria, such as the source IP address, destination IP addresses, and the protocol carried within the packet.
b. Standard ACLs -
Because standard ACLs do not specify destination addresses, place them as close to the destination as possible. Placing a standard ACL at the source of the traffic will effectively prevent that traffic from reaching any other networks through the interface where the ACL is applied.
71. Explain in detail the process or logic the packets follow for an outbound ACL.
Before a packet is forwarded to an outbound interface, the router checks the routing table to see if the packet is routable. If the packet is not routable, it is dropped and is not tested against the ACEs. Next, the router checks to see whether the outbound interface is grouped to an ACL. If the outbound interface is not grouped to an ACL, the packet can be sent to the output buffer.
65. Do extended ACLs require port numbers, port names, or both?
Either can be used. A port can be specified by its number (for example, eq 80) or by its well-known name (for example, eq www).
47. How many characters can be used in an ACL remark?
Each remark is limited to 100 characters.
45. Standard ACLs can be numbered from 1 to 99, and 1300 to 1999. What is the second set of ACL numbers referred to as?
Expanded IP ACLs
1. According to the curriculum what is a firewall?
Firewalls are hardware or software solutions that enforce network security policies.
69. Explain in detail the process or logic the packets follow for an inbound ACL.
If the information in a packet header and an ACL statement match, the rest of the statements in the list are skipped, and the packet is permitted or denied as specified by the matched statement. If a packet header does not match an ACL statement, the packet is tested against the next statement in the list. This matching process continues until the end of the list is reached. If no statement matches, the implicit deny at the end of the list discards the packet.
72. Explain what happens if there is an ACL applied to an outbound interface on a router.
If the outbound interface is grouped to an outbound ACL, the packet is not sent out on the outbound interface until it is tested by the combination of ACEs that are associated with that interface. Based on the ACL tests, the packet is permitted or denied.
9. What is the last statement in every ACL?
Implicit deny
60. What does restricting VTY access do?
It is a technique that allows you to define which IP addresses are allowed Telnet access to the router EXEC process.
52. Capitalizing ACL names is not required, so why should you do it anyway?
It makes them stand out when viewing the running-config output.
a. Extended ACLs -
Locate extended ACLs as close as possible to the source of the traffic to be filtered. This way, undesirable traffic is denied close to the source network without crossing the network infrastructure.
54. There are two ways that a standard numbered ACL can be edited. These are:
Method 1: Using a text editor
Method 2: Using the sequence number
14. Standard and extended ACLs can be created using either a blank or a blank to identify the ACL and its list of statements.
name, number
51. What is the advantage of naming an ACL?
Naming an ACL makes it easier to understand its function
76. Can an IPv4 ACL have the same name as an IPv6 ACL?
No
58. The host statements are listed first but not necessarily in the order that they were entered. The IOS puts host statements in an order using a special hashing function. What does the resulting order do?
Optimizes the search for a host ACL entry
a. An Access Control List (ACL) controls whether the router will blank or blank packet traffic based on packet header criteria.
permit, deny
78. IPv6 ACLs do not use wildcard masks. What is used to indicate how much of an IPv6 source or destination address should be matched?
Prefix-length
35. What is a shortcut method to determine which addresses will match the wildcard mask?
Subtract the subnet mask from 255.255.255.255
59. Cisco recommends using blank for administrative connections to routers and switches.
SSH
12. What do standard ACLs permit or deny?
Standard ACLs can be used to permit or deny traffic only from source IPv4 addresses.
81. List and explain the three basic steps to configure an IPv6 ACL.
Step 1 - From global configuration mode, use the ipv6 access-list name command to create an IPv6 ACL. Like IPv4 named ACLs, IPv6 names are alphanumeric, case sensitive, and must be unique. Unlike IPv4, there is no need for a standard or extended option.
Step 2 - From the named ACL configuration mode, use the permit or deny statements to specify one or more conditions to determine if a packet is forwarded or dropped.
Step 3 - Return to privileged EXEC mode with the end command.
33. What does a 255.255.255.255 wildcard mask stipulate in an ACL?
That any address will match.
34. What does a 0.0.0.255 wildcard mask stipulate in an ACL?
That any bit in the fourth octet will match.
32. What does a 0.0.0.0 wildcard mask stipulate in an ACL?
That every bit in the address must match exactly.
64. What does the established parameter in an ACL specify?
The established parameter allows only responses to traffic that originates from a specific network to return to that network.
29. IPv6 ACLs do not use wildcard masks. Explain what IPv6 uses instead.
The prefix-length is used to indicate how much of an IPv6 source or destination address should be matched.
53. Where can remark commands be placed in an ACL?
The remark can go before or after a permit or deny statement.
46. Explain what the remark keyword is used for.
The remark keyword is used for documentation and makes access lists a great deal easier to understand.
67. Which command is used to verify the ACL on the interface and the direction in which it was applied?
The show ip interface command
80. What is the purpose of the two implicit permit statements?
These two statements allow the router to participate in Neighbor Discovery, the IPv6 equivalent of ARP for IPv4.
66. Why would an network administrator put a permit ip any any statement at the end of their ACL?
This permit statement is added to ensure that no other traffic is blocked.
44. The basic rule for placing an extended ACL is to place it as close to the source as possible. Explain why.
This prevents unwanted traffic from being sent across multiple networks only to be denied when it reaches its destination.
26. What are the two number ranges that can be assigned to extended ACLs?
a. 100 to 199
b. 2000 to 2699
25. What are the two number ranges that can be assigned to standard ACLs?
a. 1 to 99
b. 1300 to 1999
3. Explain what tasks ACLs perform when configured.
a. Limit network traffic to increase network performance. For example, if corporate policy does not allow video traffic on the network, ACLs that block video traffic could be configured and applied. This would greatly reduce the network load and increase network performance.
b. Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved.
c. Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, access to the Human Resources network can be restricted to authorized users.
d. Filter traffic based on traffic type. For example, an ACL can permit email traffic, but block all Telnet traffic.
e. Screen hosts to permit or deny access to network services. ACLs can permit or deny a user access to file types, such as FTP or HTTP.
27. What are the requirements to use a name to identify an ACL?
a. Names can contain alphanumeric characters.
b. It is suggested that the name be written in CAPITAL LETTERS.
c. Names cannot contain spaces or punctuation.
d. Entries can be added or deleted within the ACL.
39. List and explain the three Ps.
a. One ACL per protocol - To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
b. One ACL per direction - ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.
c. One ACL per interface - ACLs control traffic for an interface, for example, GigabitEthernet 0/0.
62. What are two recommended practices when configuring access lists on VTYs?
a. Only numbered access lists can be applied to VTYs.
b. Identical restrictions should be set on all the VTYs, because a user can attempt to connect to any of them.
13. List the attributes that extended ACLs filter IPv4 packets on?
a. Protocol type
b. Source IPv4 address
c. Destination IPv4 address
d. Source TCP or UDP ports
e. Destination TCP or UDP ports
f. Optional protocol type information for finer control
6. What information is extracted from the Layer 3 packet header by an ACL to evaluate network traffic?
a. Source IP address
b. Destination IP address
c. ICMP message type
63. List what extended ACLs can filter on.
a. Source address
b. Destination address
c. Protocol
d. Port numbers
75. List the types of IPv4 ACLs.
a. Standard: numbered, named
b. Extended: numbered, named
7. What information can an ACL extract from the Layer 4 header?
a. TCP/UDP source port
b. TCP/UDP destination port
68. What two methods can be used to edit an extended ACL?
a. Text editor
b. Sequence numbers
42. The placement of the ACL and the type of ACL used may also depend on what two other factors?
a. The extent of the network administrator's control
b. Bandwidth of the networks involved
50. Explain the two commands that are required to completely remove an ACL from a router?
a. To remove an ACL from an interface, first enter the no ip access-group command on the interface.
b. Then enter the global no access-list command to remove the entire ACL.
38. Explain the guidelines for using ACLs.
a. Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
b. Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
c. Configure ACLs on border routers, that is, routers situated at the edges of your networks. This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.
d. Configure ACLs for each network protocol configured on the border router interfaces.
30. Wildcard masks and subnet masks differ in the way they match binary 1s and 0s. What rules do Wildcard masks use to match binary 1s and 0s:
a. Wildcard mask bit 0 - Match the corresponding bit value in the address.
b. Wildcard mask bit 1 - Ignore the corresponding bit value in the address.
43. Like a standard ACL, an extended ACL can filter traffic based on the source address. What else can an extended ACL filter traffic based on?
a. Destination address
b. Protocol
c. Port number
36. Explain what the two keywords below indicate in an ACL?
a. host - the wildcard will only match a single address (equivalent to a 0.0.0.0 wildcard mask)
b. any - the wildcard will match any address (equivalent to a 255.255.255.255 wildcard mask)
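The wildcard-mask rules above (bit 0 = must match, bit 1 = ignore), the "subtract the subnet mask from 255.255.255.255" shortcut, and the host/any keywords, worked through in Python. This is an added example for this study guide, not Cisco IOS code; the function names are mine, and the addresses used are made up. It also goes one step past the guide by handling a non-contiguous wildcard, which a subnet mask cannot express.

```python
# Added example (not part of the study guide): wildcard-mask arithmetic for IPv4 ACLs.
import ipaddress

ANY_MASK = "255.255.255.255"   # every bit ignored: what the 'any' keyword expands to
HOST_MASK = "0.0.0.0"          # every bit must match: what the 'host' keyword expands to


def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer back to dotted decimal."""
    return str(ipaddress.IPv4Address(value))


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """The shortcut from the guide: subtract the subnet mask from 255.255.255.255."""
    return to_dotted(to_int(ANY_MASK) - to_int(subnet_mask))


def wildcard_from_prefix_length(prefix_len: int) -> str:
    """Same result from a /n prefix: the low (32 - n) bits become 1 (ignore)."""
    return to_dotted((1 << (32 - prefix_len)) - 1)


def wildcard_match(address: str, ace_address: str, wildcard: str) -> bool:
    """Wildcard bit 0: the address bit must equal the ACE address bit.
    Wildcard bit 1: ignore that bit.  Keep only the 0-bit positions and compare."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(ace_address) & care)


def expand_keyword(keyword: str, address: str = "0.0.0.0") -> tuple:
    """What IOS stores for the two keywords:
    host A.B.C.D -> (A.B.C.D, 0.0.0.0); any -> (0.0.0.0, 255.255.255.255)."""
    if keyword == "host":
        return address, HOST_MASK
    if keyword == "any":
        return "0.0.0.0", ANY_MASK
    raise ValueError(f"unknown keyword {keyword!r}")


def addresses_matched(wildcard: str) -> int:
    """Number of addresses an ACE covers: 2 to the power of the 1 bits in the
    wildcard.  Holds for non-contiguous wildcards as well."""
    return 1 << bin(to_int(wildcard)).count("1")


if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.255.0"))                     # 0.0.0.255
    print(wildcard_from_prefix_length(26))                                 # 0.0.0.63
    print(wildcard_match("192.168.10.77", "192.168.10.0", "0.0.0.255"))   # True
    # Non-contiguous wildcard 0.0.254.255: the low bit of the third octet must
    # still equal the ACE's 0, so only even-numbered /24s of 192.168.0.0/16 match.
    print(wildcard_match("192.168.12.1", "192.168.0.0", "0.0.254.255"))   # True
    print(wildcard_match("192.168.13.1", "192.168.0.0", "0.0.254.255"))   # False
    print(addresses_matched("0.0.254.255"))                                # 32768
```

The odd/even trick is why the shortcut only works for wildcards derived from a subnet mask: 0.0.254.255 has no subnet-mask equivalent, but the bit rules still evaluate it correctly.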
79. What are the three implicit statements as the end of every IPv6 ACL?
a. permit icmp any any nd-na
b. permit icmp any any nd-ns
c. deny ipv6 any any
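The IPv6 matching rules from questions 29, 78 and 79, modelled in Python: an ACE matches on prefix length rather than a wildcard mask, and the three implicit statements are appended after whatever was configured. This is an added example, not the study guide's or Cisco's code; the ACE tuple layout, the packet dictionaries and the 2001:db8: addresses are constructed for illustration. It also shows a caveat the list of implicit statements implies: an explicit deny ipv6 any any is evaluated before the implicit ND permits and therefore blocks Neighbor Discovery.

```python
# Added example (not part of the study guide): IPv6 ACL evaluation with
# prefix-length matching and the three implicit trailing statements.
import ipaddress
from typing import List, Optional, Tuple

# An ACE here is (action, protocol, source, destination, icmp_type).  Assumed layout.
Ace = Tuple[str, str, str, str, Optional[str]]

# The three statements IOS adds to the end of every IPv6 ACL, in this order.
IMPLICIT_ACES: List[Ace] = [
    ("permit", "icmp", "any", "any", "nd-na"),
    ("permit", "icmp", "any", "any", "nd-ns"),
    ("deny", "ipv6", "any", "any", None),
]


def _network(token: str) -> ipaddress.IPv6Network:
    """'any' is ::/0.  Otherwise the /prefix-length says how many leading bits of
    the packet address must equal the ACE address; there is no wildcard mask."""
    return ipaddress.IPv6Network("::/0" if token == "any" else token, strict=False)


def _matches(ace: Ace, pkt: dict) -> bool:
    _, proto, src, dst, icmp_type = ace
    if proto != "ipv6" and proto != pkt["proto"]:      # 'ipv6' covers every protocol
        return False
    if icmp_type is not None and pkt.get("icmp_type") != icmp_type:
        return False
    return (ipaddress.IPv6Address(pkt["src"]) in _network(src)
            and ipaddress.IPv6Address(pkt["dst"]) in _network(dst))


def evaluate_ipv6_acl(configured: List[Ace], pkt: dict) -> str:
    """Walk the configured ACEs, then the implicit ones; the first match decides."""
    for ace in list(configured) + IMPLICIT_ACES:
        if _matches(ace, pkt):
            return ace[0]
    raise AssertionError("unreachable: deny ipv6 any any matches every packet")


if __name__ == "__main__":
    acl: List[Ace] = [("permit", "ipv6", "2001:db8:cafe:30::/64", "any", None)]
    # Constructed packets: a Neighbor Advertisement and a TCP segment from another /64.
    na = {"proto": "icmp", "icmp_type": "nd-na", "src": "fe80::1", "dst": "ff02::1"}
    tcp = {"proto": "tcp", "src": "2001:db8:cafe:31::10", "dst": "2001:db8:1::1"}
    print(evaluate_ipv6_acl(acl, na))    # permit, via the implicit nd-na statement
    print(evaluate_ipv6_acl(acl, tcp))   # deny, via the implicit deny ipv6 any any
    # Caveat: an explicit 'deny ipv6 any any' is reached before the implicit permits
    # and swallows Neighbor Discovery too, breaking IPv6 on the link unless
    # nd-na/nd-ns are permitted explicitly above it.
    acl_with_explicit_deny = acl + [("deny", "ipv6", "any", "any", None)]
    print(evaluate_ipv6_acl(acl_with_explicit_deny, na))   # deny
```

If you want the visible deny any any for its match counters, add the two ND permits explicitly ahead of it, exactly as the implicit list orders them.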
11. What are the two types of Cisco IPv4 ACLs?
a. standard
b. extended
e. For inbound ACLs, incoming packets are processed blank they are sent to the outbound interface.
before
57. What command will clear the counters while testing an ACL?
clear access-list counters
h. For every ACL, there is an implied deny statement. If a packet does not match any of the ACL criteria, it will be
discarded.
d. ACLs are often used in routers between internal and external networks to provide a
firewall.
f. ACLs can filter data traffic per protocol, per direction, and per
interface.
77. What is the command used to apply an IPv6 ACL to an interface?
ipv6 traffic-filter
82. What command is used to link an IPv6 ACL to an interface?
ipv6 traffic-filter
49. ACEs are processed blank Therefore, the order in which ACEs are entered is important.
sequentially.
56. Once the ACL has been applied to an interface and some testing has occurred, the blank command will show statistics for each statement that has been matched.
show access-lists
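How a standard IPv4 ACL is walked, tying together sequential processing (question 49), first match wins (69), the implicit deny (9, 10, 70), editing by sequence number (54) and the per-ACE match counters shown by show access-lists and reset by clear access-list counters (56, 57). This is an added Python model for this study guide, not Cisco IOS code: the StandardAcl class and its methods are mine, the show() output only approximates the real command's layout, and the 192.168.10.0/24 addresses are made up.

```python
# Added example (not part of the study guide): a model of IOS standard IPv4 ACL
# processing with sequence numbers, match counters and the implicit deny.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


@dataclass
class Ace:
    seq: int
    action: str       # "permit" or "deny"
    address: str
    wildcard: str
    matches: int = 0  # the "(N matches)" counter that show access-lists displays


class StandardAcl:
    """A sequence-numbered list of ACEs walked top-down, with the implicit
    'deny any' applied after the last configured ACE."""

    def __init__(self, number: int):
        self.number = number
        self.aces: List[Ace] = []

    def add(self, line: str, seq: Optional[int] = None) -> None:
        """Parse one ACE in IOS syntax: 'permit 192.168.10.0 0.0.0.255',
        'deny host 192.168.10.10', 'permit 10.1.1.1' (bare address = host) or
        'permit any'.  Without a sequence number the ACE is appended at last + 10;
        with one it is inserted in sequence order, which is how an existing ACL
        is edited in place."""
        tokens = line.split()
        action, rest = tokens[0], tokens[1:]
        if action not in ("permit", "deny") or not rest:
            raise ValueError(f"bad ACE: {line!r}")
        if rest[0] == "any":
            address, wildcard = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            address, wildcard = rest[1], "0.0.0.0"
        elif len(rest) == 1:
            address, wildcard = rest[0], "0.0.0.0"
        else:
            address, wildcard = rest[0], rest[1]
        if seq is None:
            seq = self.aces[-1].seq + 10 if self.aces else 10
        if any(a.seq == seq for a in self.aces):
            raise ValueError(f"sequence number {seq} already in use")
        self.aces.append(Ace(seq, action, address, wildcard))
        self.aces.sort(key=lambda a: a.seq)

    def evaluate(self, source: str) -> str:
        """The first matching ACE decides and the rest are skipped; if none
        matches, the implicit 'deny any' discards the packet."""
        src = _to_int(source)
        for ace in self.aces:
            care = ~_to_int(ace.wildcard) & 0xFFFFFFFF
            if (src & care) == (_to_int(ace.address) & care):
                ace.matches += 1
                return ace.action
        return "deny"

    def clear_counters(self) -> None:
        """What 'clear access-list counters' does."""
        for ace in self.aces:
            ace.matches = 0

    def show(self) -> List[str]:
        """Lines modelled on 'show access-lists' (approximate, not byte-exact IOS)."""
        lines = [f"Standard IP access list {self.number}"]
        for ace in self.aces:
            if ace.wildcard == "255.255.255.255":
                target = "any"
            elif ace.wildcard == "0.0.0.0":
                target = ace.address
            else:
                target = f"{ace.address}, wildcard bits {ace.wildcard}"
            hits = f" ({ace.matches} match{'es' if ace.matches != 1 else ''})" if ace.matches else ""
            lines.append(f"    {ace.seq} {ace.action} {target}{hits}")
        return lines


if __name__ == "__main__":
    acl = StandardAcl(10)
    acl.add("permit 192.168.10.0 0.0.0.255")   # seq 10
    acl.add("deny any")                         # seq 20: same effect as the implicit deny, but counted
    print(acl.evaluate("192.168.10.10"))       # permit: ACE 10 matches first
    # Appending 'deny host 192.168.10.10' would land at seq 30 and never be
    # reached.  Order matters, so insert it ahead of the permit instead.
    acl.add("deny host 192.168.10.10", seq=5)
    print(acl.evaluate("192.168.10.10"))       # deny
    print(acl.evaluate("10.0.0.1"))            # deny
    print("\n".join(acl.show()))
```

The explicit deny any at the end is the same idea as the guide's note that an ACL with no permit statement blocks everything; its only practical difference from the implicit deny is that its matches are counted, which makes troubleshooting with show access-lists easier.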
55. Which command is used to verify the ACL on the interface?
show ip interface
83. Which command can be used to verify that an IPv6 ACL is configured on a specific interface and show if it's inbound or outbound?
show ipv6 interface