Chapter 7 - Access Control Lists
Packet filtering works at which layer(s)?
Layer 4 (Transport) and Layer 3 (Network).
Refer to the following output. What is the significance of the 4 match(es) statement? R1# <output omitted> 10 permit 192.168.1.56 0.0.0.7 20 permit 192.168.1.64 0.0.0.63 (4 match(es)) 30 deny any (8 match(es))
Four packets have been allowed through the router from PCs in the network of 192.168.1.64.
An ACL is a sequential list of permit or deny statements, known as
access control entries (ACEs).
Which type of router connection can be secured by the access-class command?
vty Access to vty lines can be filtered with an ACL and applied using the access-class in command.
In which configuration would an outbound ACL placement be preferred over an inbound ACL placement?
when the ACL is applied to an outbound interface to filter packets coming from multiple inbound interfaces before the packets exit the interface
ACLs perform the following tasks:
1) Limit network traffic to increase network performance. For example, video traffic.
2) Provide traffic flow control. ACLs can restrict the delivery of routing updates to ensure that the updates are from a known source.
3) Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area.
4) Filter traffic based on traffic type. For example, an ACL can permit email traffic, but block all Telnet traffic.
5) Screen hosts to permit or deny access to network services. ACLs can permit or deny a user access to file types, such as FTP or HTTP.
Which range represents all the IP addresses that are affected when network 10.120.160.0 with a wildcard mask of 0.0.7.255 is used in an ACE?
10.120.160.0 to 10.120.167.255 A wildcard mask of 0.0.7.255 means that the first 5 bits of the 3rd octet must remain the same but the last 3 bits can have values from 000 to 111. The last octet has a value of 255, which means the last octet can have values from all zeros to all 1s.
If a router has two interfaces and is routing both IPv4 and IPv6 traffic, how many ACLs could be created and applied to it?
8 In calculating how many ACLs can be configured, use the rule of "three Ps": one ACL per protocol, per direction, per interface. In this case, 2 interfaces x 2 protocols x 2 directions yields 8 possible ACLs.
What is the effect after the command no access-list 10 is entered?
ACL 10 is removed from the running configuration. However, to disable an ACL on an interface, the command R1(config-if)# no ip access-group should be entered.
What are uses of an access control list?
ACLs can be used for the following: limit network traffic in order to provide adequate network performance; restrict the delivery of routing updates; provide a basic level of security; filter traffic based on the type of traffic being sent; filter traffic based on IP addressing.
An ACL was configured on R1 with the intention of denying traffic from subnet 172.16.4.0/24 into subnet 172.16.3.0/24. All other traffic into subnet 172.16.3.0/24 should be permitted. This standard ACL was then applied outbound on interface Fa0/0. Which conclusion can be drawn from this configuration?
All traffic will be blocked, not just traffic from the 172.16.4.0/24 subnet. Because of the implicit deny at the end of all ACLs, the access-list 1 permit any command must be included to ensure that only traffic from the 172.16.4.0/24 subnet is blocked and that all other traffic is allowed.
What is an ACL (Access Control List)?
An ACL is a series of IOS commands that control whether a router forwards or drops packets based on information found in the packet header.
Which three statements describe ACL processing of packets?
An implicit deny any rejects any packet that does not match any ACE. A packet can either be rejected or forwarded as directed by the ACE that is matched. Each statement is checked only until a match is detected or until the end of the ACE list.
Which statement describes a difference between the operation of inbound and outbound ACLs?
Inbound ACLs are processed before the packets are routed while outbound ACLs are processed after the routing is completed.
A router has an existing ACL that permits all traffic from the 172.16.0.0 network. The administrator attempts to add a new ACE to the ACL that denies packets from host 172.16.0.1 and receives the error message that is shown in the exhibit. What action can the administrator take to block packets from host 172.16.0.1 while still permitting all other traffic from the 172.16.0.0 network?
Manually add the new deny ACE with a sequence number of 5. Because the new deny ACE is a host address that falls within the existing 172.16.0.0 network that is permitted, the router rejects the command and displays an error message. For the new deny ACE to take effect, it must be manually configured by the administrator with a sequence number that is less than 10.
Rules for Applying ACLs, only one ACL per:
Per port (g0/1), per direction (IN or OUT), per interface (IPv4 or IPv6).
Which three statements are generally considered to be best practices in the placement of ACLs?
Place standard ACLs close to the destination IP address of the traffic. Place standard ACLs close to the source IP address of the traffic. Place extended ACLs close to the source IP address of the traffic.
An administrator has configured an access list on R1 to allow SSH administrative access from host 172.16.1.100. Which command correctly applies the ACL?
R1(config-line)# access-class 1 in Administrative access over SSH to the router is through the vty lines. Therefore, the ACL must be applied to those lines in the inbound direction. This is accomplished by entering line configuration mode and issuing the access-class command.
Standard access lists have the syntax of access-list and a number between 1 and 99 followed by the permit or deny keyword and the source IP address (that includes a wildcard mask).
Router(config)# access-list 90 permit 192.168.10.5 0.0.0.0 Router(config)# access-list 35 permit host 172.31.22.7
A network administrator is writing a standard ACL that will deny any traffic from the 172.16.0.0/16 network, but permit all other traffic. Which two commands should be used?
Router(config)# access-list 95 deny 172.16.0.0 0.0.255.255 Router(config)# access-list 95 permit any
A network administrator needs to configure a standard ACL so that only the workstation of the administrator with the IP address 192.168.15.23 can access the virtual terminal of the main router. Which two configuration commands can achieve the task?
Router1(config)# access-list 10 permit 192.168.15.23 0.0.0.0 Router1(config)# access-list 10 permit host 192.168.15.23
What will happen to the access list 10 ACEs if the router is rebooted before any other commands are implemented?
The ACEs of access list 10 will be renumbered. After a reboot, access list entries will be renumbered to allow host statements to be listed first and thus more efficiently processed by the Cisco IOS.
What is the effect of configuring an ACL with only ACEs that deny traffic?
The ACL will block all traffic.
Placement of the ACL and therefore, the type of ACL used may also depend on:
The extent of the network administrator's control - Placement of the ACL can depend on whether or not the network administrator has control of both the source and destination networks. Bandwidth of the networks involved - Filtering unwanted traffic at the source prevents transmission of the traffic before it consumes bandwidth on the path to a destination. This is especially important in low bandwidth networks. Ease of configuration - If a network administrator wants to deny traffic coming from several networks, one option is to use a single standard ACL on the router closest to the destination. The disadvantage is that traffic from these networks will use bandwidth unnecessarily. An extended ACL could be used on each router where the traffic originated. This will save bandwidth by filtering the traffic at the source but requires creating extended ACLs on multiple routers.
Which command produced the following output? R1# 10 permit 192.168.1.56 0.0.0.7 20 permit 192.168.1.64 0.0.0.63 (4 match(es)) 30 deny any (8 match(es))
The show access-lists command is used to list every access list configured on a router. It also shows how many packets have matched each ACE.
Consider the following output for an ACL that has been applied to a router via the access-class in command. What can a network administrator determine from the output that is shown? R1# <output omitted> Standard IP access list 2 10 permit 192.168.10.0, wildcard bits 0.0.0.255 (2 matches) 20 deny any (1 match)
Two devices were able to use SSH or Telnet to gain access to the router. The access-class command is used only on VTY ports. VTY ports support Telnet and/or SSH traffic. The match count on the permit ACE shows how many access attempts were allowed through the VTY ports. The match count on the deny ACE shows that a device from a network other than 192.168.10.0 was not allowed to access the router through the VTY ports.
Follow ACL SOP design
Use a text editor for ACLs and create a library of reusable ACLs (they can be up to 1000 lines). Notepad++ is a good program for this.
What is the quickest way to remove a single ACE from a named ACL?
Use the no keyword and the sequence number of the ACE to be removed. Named ACL ACEs can be removed using the no command followed by the sequence number.
Wildcard masks use the following rules to match binary 1s and 0s:
Wildcard mask bit 0 - Match the corresponding bit value in the address. Wildcard mask bit 1 - Ignore the corresponding bit value in the address.
Which type of standard ACL is easiest to modify on a production router?
a named ACL that has not been applied yet Two common reasons for having a named ACL are that its function is easier to identify and the ACL is easier to modify.
Which command would be used in a standard ACL to allow only devices on the network attached to R2 G0/0 interface to access the networks attached to R1?
access-list 1 permit 192.168.10.96 0.0.0.31 Standard access lists only filter on the source IP address. In the design, the packets would be coming from the 192.168.10.96/27 network (the R2 G0/0 network).
What single access list statement matches all of the following networks? 192.168.16.0 192.168.17.0 192.168.18.0 192.168.19.0
access-list 10 permit 192.168.16.0 0.0.3.255 The ACL statement access-list 10 permit 192.168.16.0 0.0.3.255 will match all four network prefixes. All four prefixes have the same 22 high order bits. These 22 high order bits are matched by the network prefix and wildcard mask of 192.168.16.0 0.0.3.255.
Outbound ACL
filters packets after being routed, regardless of the inbound interface
Inbound ACL
filters packets coming into a specific interface and before they are routed to the outbound interface
A network administrator is configuring an ACL to restrict access to certain servers in the data center. The intent is to apply the ACL to the interface connected to the data center LAN. What happens if the ACL is incorrectly applied to an interface in the inbound direction instead of the outbound direction?
The ACL does not perform as designed.
Which type of ACL statements are commonly reordered by the Cisco IOS as the first ACEs?
host
On which router should the show access-lists command be executed?
On the router that has the ACL configured. The show access-lists command is only relevant to traffic passing through the router on which the ACL is configured.
If the network administrator created a standard ACL that allows only devices that connect to the R2 G0/0 network access to the devices on the R1 G0/1 interface, how should the ACL be applied?
outbound on the R1 G0/1 interface Because standard access lists only filter on the source IP address, they are commonly placed closest to the destination network. In this example, the source packets will be coming from the R2 G0/0 network. The destination is the R1 G0/1 network. The proper ACL placement is outbound on the R1 G0/1 interface.
one efficient ACL statement, as shown below: R1(config)# access-list 10 permit 192.168.16.0 0.0.15.255
permit any = any combination.
Which address is required in the command syntax of a standard ACL?
source IP address
In applying an ACL to a router interface, which traffic is designated as outbound?
traffic that is leaving the router and going toward the destination host
When would a network administrator use the clear access-list counters command?
when troubleshooting an ACL and needing to know how many packets matched