Cisco 4 - ACLs

No. Standard ACLs only filter at Layer 3. Extended ACLs filter at Layer 3 and Layer 4.

Do standard ACLs and extended ACLs filter at the same OSI Layers?

100 to 199 and 2000 to 2699

Extended ACLs are numbered ____ to ____ and ____ to ____.

Protocol type Source IPv4 address Destination IPv4 address Source TCP or UDP ports Destination TCP or UDP ports Optional protocol type information for finer control

Extended ACLs can filter IPv4 traffic based on which attributes?

established

For the TCP protocol only; without the ____ parameter in the ACL statement, clients could send traffic to a web server, but not receive traffic returning from the web server.

Do them.

4.1.1.5 and 4.1.1.6 activities are really good.

B) two D) 2

How many ACLs must be created to control outbound and inbound traffic for a single protocol? Choose all that apply. A) one B) two C) four D) 2 E) three F) None of the above

close source

Locate extended ACLs as ____ as possible to the ____ of the traffic to be filtered.

A) hosts in a subnet with the subnet mask 255.255.252.0 / 4) 192.168.5.0 0.0.3.255 B) all IP address bits must match exactly / 3) host 192.168.15.12 C) the first valid host address in a subnet / 6) 192.168.100.63 255.255.255.192 D) subnetwork address of a subnet with 14 valid host addresses / 1) 192.168.15.65 255.255.255.240 E) addresses with a subnet mask of 255.255.255.248 / 5) 192.168.3.64 0.0.0.7

Match each statement with the example subnet and wildcard that it describes. (Not all options are used.) A) hosts in a subnet with the subnet mask 255.255.252.0 B) all IP address bits must match exactly C) the first valid host address in a subnet D) subnetwork address of a subnet with 14 valid host addresses E) addresses with a subnet mask of 255.255.255.248 1) 192.168.15.65 255.255.255.240 2)192.168.15.144 0.0.0.15 3) host 192.168.15.12 4) 192.168.5.0 0.0.3.255 5) 192.168.3.64 0.0.0.7 6) 192.168.100.63 255.255.255.192

0 to 1023 - Well Known 1024 to 49151 - Registered 49152 to 65535 - Private/Dynamic

This chapter has the port range number and port group list so it makes sense to put it in this Quizlet. That means identify all ranges.

no access-list

This command removes the current access list.

show access-lists

To view an individual access list, use this command.

False Binary *0* signifies a bit that must *match*, and binary *1* signifies a bit that can be *ignored*.

True or False Binary 1 signifies a bit that must match, and binary 0 signifies a bit that can be ignored.

True

True or False If a standard ACL was placed at the source of the traffic, the "permit" or "deny" will occur based on the given source address no matter where the traffic is destined.

False An ACL must be defined for each protocol enabled on the interface.

True or False It is possible to use a single ACL to control multiple protocols on an interface.

True

True or False Standard ACLs filter IP packets based on the source address only.

one

ACLs can control traffic in how many directions at a time on an interface?

ACL

A(n) ____ is a sequential list of permit or deny statements.

A) 172.16.0.255 B) 172.16.15.36

*A network administrator configures an ACL with the command R1(config)# access-list 1 permit 172.16.0.0 0.0.15.255. Which two IP addresses will match this ACL statement? (Choose two.)* A) 172.16.0.255 B) 172.16.15.36 C) 172.16.16.12 D) 172.16.31.24 E) 172.16.65.21

A) Router1(config)# access-list 10 permit host 192.168.15.23 B) Router1(config)# access-list 10 permit 192.168.15.23 0.0.0.0

*A network administrator needs to configure a standard ACL so that only the workstation of the administrator with the IP address 192.168.15.23 can access the virtual terminal of the main router. Which two configuration commands can achieve the task? (Choose two.)* A) Router1(config)# access-list 10 permit host 192.168.15.23 B) Router1(config)# access-list 10 permit 192.168.15.23 0.0.0.0 C) Router1(config)# access-list 10 permit 192.168.15.23 0.0.0.255 D) Router1(config)# access-list 10 permit 192.168.15.23 255.255.255.0 E) Router1(config)# access-list 10 permit 192.168.15.23 255.255.255.255

C) R1(config-line)# access-class 1 in

*An administrator has configured an access list on R1 to allow SSH administrative access from host 172.16.1.100. Which command correctly applies the ACL?* A) R1(config-if)# ip access-group 1 in B) R1(config-if)# ip access-group 1 out C) R1(config-line)# access-class 1 in D) R1(config-line)# access-class 1 out

A) hosts in a subnet with the subnet mask 255.255.252.0 */* 5) 192.168.5.0 0.0.3.255 B) all IP address bits must match exactly */* 4) host 192.168.15.12 C) the first valid host address in a subnet */* 6) 192.168.15.65 255.255.255.240 D) subnetwork address of a subnet with 14 valid host addresses */* 2) 192.168.15.144 0.0.0.15 E) addresses with a subnet mask of 255.255.255.248 */* 1) 192.168.3.64 0.0.0.7

*Match each statement (letter) with the example subnet and wildcard (number) that it describes. (Not all options are used.)* A) hosts in a subnet with the subnet mask 255.255.252.0 B) all IP address bits must match exactly C) the first valid host address in a subnet D) subnetwork address of a subnet with 14 valid host addresses E) addresses with a subnet mask of 255.255.255.248 1) 192.168.3.64 0.0.0.7 2) 192.168.15.144 0.0.0.15 3) 192.168.100.63 255.255.255.192 4) host 192.168.15.12 5) 192.168.5.0 0.0.3.255 6) 192.168.15.65 255.255.255.240

0.0.0.31

*The wildcard mask that is associated with 192.168.12.96/27 is ____*

B) named extended

*What is the only type of ACL available for IPv6?* A) named standard B) named extended C) numbered standard D) numbered extended

A) 192.168.70.0 to 192.168.70.127

*What range of IP addresses is represented by the network and wildcard mask 192.168.70.0 0.0.0.127?* A) 192.168.70.0 to 192.168.70.127 B) 192.168.70.0 to 192.168.70.255 C) 192.168.70.0 to 192.168.70.63 D) 192.168.70.0 to 192.168.71.255

C) 172.16.2.0 to 172.16.3.255

*Which IPv4 address range covers all IP addresses that match the ACL filter specified by 172.16.2.0 with wildcard mask 0.0.1.255?* A) 172.16.2.0 to 172.16.2.255 B) 172.16.2.1 to 172.16.3.254 C) 172.16.2.0 to 172.16.3.255 D) 172.16.2.1 to 172.16.255.255

B) They filter traffic based on source IP addresses only.

*Which statement describes a characteristic of standard IPv4 ACLs?* A) They are configured in the interface configuration mode. B) They filter traffic based on source IP addresses only. C) They can be created with a number but not with a name. D) They can be configured to filter traffic based on both source IP addresses and source ports.

C) Inbound ACLs are processed before the packets are routed while outbound ACLs are processed after the routing is completed.

*Which statement describes a difference between the operation of inbound and outbound ACLs?* A) In contrast to outbound ALCs, inbound ACLs can be used to filter packets with multiple criteria. B) Inbound ACLs can be used in both routers and switches but outbound ACLs can be used only on routers. C) Inbound ACLs are processed before the packets are routed while outbound ACLs are processed after the routing is completed. D) On a network interface, more than one inbound ACL can be configured but only one outbound ACL can be configured.

B) deny ipv6 any any E) permit icmp any any nd-ns F) permit icmp any any nd-na

*Which three implicit access control entries are automatically added to the end of an IPv6 ACL? (Choose three.)* A) deny ip any any B) deny ipv6 any any C) permit ipv6 any any D) deny icmp any any E) permit icmp any any nd-ns F) permit icmp any any nd-na

A) An implicit deny any rejects any packet that does not match any ACL statement. B) A packet can either be rejected or forwarded as directed by the statement that is matched. E) Each statement is checked only until a match is detected or until the end of the ACL statement list is reached.

*Which three statements describe ACL processing of packets? (Choose three.)* A) An implicit deny any rejects any packet that does not match any ACL statement. B) A packet can either be rejected or forwarded as directed by the statement that is matched. C) A packet that has been denied by one statement can be permitted by a subsequent statement. D) A packet that does not match the conditions of any ACL statements will be forwarded by default. E) Each statement is checked only until a match is detected or until the end of the ACL statement list is reached. F) Each packet is compared to the conditions of every statement in the ACL before a forwarding decision is made.

B) host D) any

*Which two keywords can be used in an access control list to replace a wildcard mask or address and wildcard mask pair? (Choose two.)* A) most B) host C) all D) any E) some F) gt

D) R1(config)# interface gi0/0 R1(config-if)# ip access-group 105 out E) access-list 105 permit tcp host 10.0.70.23 host 10.0.54.5 eq 20 access-list 105 permit tcp host 10.0.70.23 host 10.0.54.5 eq 21 access-list 105 permit tcp 10.0.0.0 0.255.255.255 host 10.0.54.5 eq www access-list 105 deny ip any host 10.0.54.5 access-list 105 permit ip any any

2 Two routers, R1 and R2, connect via a serial link. Both the R1 and R2 interfaces that connect to this network are labeled S0/0/0. Above the serial link are the words 10.0.56.252/30. R1 has two more connections: Gi0/0 and Gi0/1. The Gi0/0/ R1 interface connects to a switch. That switch connects to a server labeled FTP and web server 10.0.54.5/28. The R1 Gi0/1 interface connects to a switch. That switch connects to a host. Under the host are the words 10.0.55.23/24. The R2 router has another interface labeled Gi0/0. This interface connects to a switch. That switch connects to a host. Under the host are the words 10.0.70.23/25. Refer to the exhibit. The network administrator that has the IP address of 10.0.70.23/25 needs to have access to the corporate FTP server (10.0.54.5/28). The FTP server is also a web server that is accessible to all internal employees on networks within the 10.x.x.x address. No other traffic should be allowed to this server. Which extended ACL would be used to filter this traffic, and how would this ACL be applied? (Choose two.) A) access-list 105 permit tcp host 10.0.54.5 any eq www access-list 105 permit tcp host 10.0.70.23 host 10.0.54.5 eq 20 access-list 105 permit tcp host 10.0.70.23 host 10.0.54.5 eq 21 B) R1(config)# interface s0/0/0 R1(config-if)# ip access-group 105 out C) R2(config)# interface gi0/0 R2(config-if)# ip access-group 105 in D) R1(config)# interface gi0/0 R1(config-if)# ip access-group 105 out E) access-list 105 permit tcp host 10.0.70.23 host 10.0.54.5 eq 20 access-list 105 permit tcp host 10.0.70.23 host 10.0.54.5 eq 21 access-list 105 permit tcp 10.0.0.0 0.255.255.255 host 10.0.54.5 eq www access-list 105 deny ip any host 10.0.54.5 access-list 105 permit ip any any F) access-list 105 permit ip host 10.0.70.23 host 10.0.54.5 access-list 105 permit tcp any host 10.0.54.5 eq www access-list 105 permit ip any any

The chapter says 0.0.1.255 is correct but it seems that E) (see below) is correct A single ACL command and wildcard mask should not be used to specify these particular networks or other traffic will be permitted or denied and present a security risk.

A network administrator is designing an ACL. The networks 192.168.1.0/25, 192.168.0.0/25, 192.168.0.128/25, 192.168.1.128/26, and 192.168.1.192/26 are affected by the ACL. Which wildcard mask, if any, is the most efficient to use when specifying all of these networks in a single ACL permit entry? 0.0.0.127 0.0.0.255 0.0.1.255 0.0.255.255 A single ACL command and wildcard mask should not be used to specify these particular networks or other traffic will be permitted or denied and present a security risk.

The IT group network is included in the deny statement.

If this is confusing let me know, I copied the commands from a picture: R1# configure terminal Enter configuration commands, one per line. End with CNTL/Z. R1(config)# access-list 120 deny ip 192.168.20.0 0.0.3.255 10.0.10.0 0.0.0.255 R1(config)# access-list 120 permit tcp 192.168.22.0 0.0.0.15 10.0.10.0 0.0.0.15 eq 23 R1(config)# access-list 120 permit ip any any R1(config)# line vty 0 4 R1(config-line)# password admin-in R1(config-line)# access-class 120 in R1(config-line)# exit R1(config)# interface fastEthernet 0/0 R1(config-if)# ip address 10.0.10.1 255.255.255.252 R1(config-if)# no shutdown R1(config-if)# ip access-group 120 in R1(config-if)# end R1# R1# show access-lists Extended IP access list 120 deny ip 192.168.20.0 0.0.3.255 10.0.10.0 0.0.0.255 (16 match(es)) permit tcp 192.168.22.0 0.0.0.15 10.0.10.0 0.0.0.15 eq telnet permit ip any any R1# Refer to the exhibit. A network administrator is configuring an ACL to limit the connection to R1 vty lines to only the IT group workstations in the network 192.168.22.0/28. The administrator verifies the successful Telnet connections from a workstation with IP 192.168.22.5 to R1 before the ACL is applied. However, after the ACL is applied to the interface Fa0/0, Telnet connections are denied. What is the cause of the connection failure? The IT group network is included in the deny statement. The login command has not been entered for vty lines. The permit ACE specifies a wrong port number. The permit ACE should specify protocol ip instead of tcp. The enable secret password is not configured on R1.

traffic that is leaving the router and going toward the destination host

In applying an ACL to a router interface, which traffic is designated as outbound? traffic that is coming from the source IP address into the router traffic for which the router can find no routing table entry traffic that is going from the destination IP address into the router traffic that is leaving the router and going toward the destination host

Global configuration mode

On a Cisco router, in which mode are ACLs created?

3 4

Packet filtering can occur at Layer ____ or Layer ____, depending on the ACL type.

destination

Place standard ACLs as close to the ____ as possible.

I'm not typing out all that crap.

Ports 20,21,22,23,25,53,67,68,69,80,110,143,161,443 are all listed in this chapter so memorize them.

Trick question, Telnet isn't real. I'm hilarious, but Telnet doesn't usually use an acronym.

Which acronym denotes Telnet?

SYN ACK FIN

TCP segments are marked with flags that denote their purpose. Identify them.

R2(config)# access-list 101 permit ip host 192.168.1.1 host 192.168.2.1 R2(config)# interface fastethernet 0/1 R2(config-if)# ip access-group 101 in

The exhibit shows router R2 connected through int fa0/0 to a switch which in turn is connected to host with an IP address 192.168.1.1 /24. R2 is connected to another switch through interface fa0/1 and the switch is connected to a server with the IP address 192.168.2.1 /24. Refer to the exhibit. A network administrator wants to permit only host 192.168.1.1 /24 to be able to access the server 192.168.2.1 /24. Which three commands will achieve this using best ACL placement practices? (Choose three.) R2(config)# access-list 101 permit ip host 192.168.1.1 host 192.168.2.1 R2(config)# interface fastethernet 0/0 R2(config)# access-list 101 permit ip any any R2(config-if)# ip access-group 101 out R2(config)# interface fastethernet 0/1 R2(config-if)# ip access-group 101 in R2(config)# access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

implicit deny

The last statement of an ACL is always an ___ ___

wildcard mask

What is a maskstring of 32 binary digits used by the router to determine which bits of the address to examine for a match?

Router(config)# access-list access-list-number { deny | permit | remark } source [ source-wildcard ] [ log ]

What is the full syntax of the standard ACL command?

Router(config-if)# ip access-group { access-list-number | access-list-name } { in | out }

What is the syntax to apply a standard ACL?

C) 0.0.0.255

What is the wildcard mask that is associated with the network 192.168.12.0/24 ? 0.0.0.256 0.0.255.255 0.0.0.255 255.255.255.0

access-list 100 deny ip 10.1.1.1 0.0.0.0 192.168.0.0 0.0.255.255 access-list 100 deny ip host 10.1.1.1 192.168.0.0 0.0.255.255

What two ACEs could be used to deny IP traffic from a single source host 10.1.1.1 to the 192.168.0.0/16 network? (Choose two.) access-list 100 deny ip 10.1.1.1 0.0.0.0 192.168.0.0 0.0.255.255 access-list 100 deny ip host 10.1.1.1 192.168.0.0 0.0.255.255 access-list 100 deny ip 10.1.1.1 255.255.255.255 192.168.0.0 0.0.255.255 access-list 100 deny ip 192.168.0.0 0.0.255.255 host 10.1.1.1 access-list 100 deny ip 192.168.0.0 0.0.255.255 10.1.1.1 0.0.0.0 access-list 100 deny ip 192.168.0.0 0.0.255.255 10.1.1.1 255.255.255.255

ACLs provide a basic level of security for network access. ACLs can control which areas a host can access on a network.

What two functions describe uses of an access control list? (Choose two.) ACLs assist the router in determining the best path to a destination. ACLs provide a basic level of security for network access. ACLs can control which areas a host can access on a network. ACLs can permit or deny traffic based upon the MAC address originating on the router. Standard ACLs can restrict access to specific applications and ports.

permit tcp host 2001:DB8:10:10::100 any eq 25

Which IPv6 ACL command entry will permit traffic from any host to an SMTP server on network 2001:DB8:10:10::/64? permit tcp any host 2001:DB8:10:10::100 eq 23 permit tcp any host 2001:DB8:10:10::100 eq 25 permit tcp host 2001:DB8:10:10::100 any eq 23 permit tcp host 2001:DB8:10:10::100 any eq 25

data

Which TCP segment identifies the port which matches the requested service?

A) access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 80 access-list 103 deny tcp 192.168.10.0 0.0.0.255 any eq 23

Which set of access control entries would allow all users on the 192.168.10.0/24 network to access a web server that is located at 172.17.80.1, but would not allow them to use Telnet? A) access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 80 access-list 103 deny tcp 192.168.10.0 0.0.0.255 any eq 23 B) access-list 103 permit tcp 192.168.10.0 0.0.0.255 host 172.17.80.1 eq 80 access-list 103 deny tcp ​192.168.10.0 0.0.0.255 any eq 23 C) access-list 103 deny tcp host 192.168.10.0 any eq 23 access-list 103 permit tcp host 192.168.10.1 eq 80 D) access-list 103 permit 192.168.10.0 0.0.0.255 host 172.17.80.1 access-list 103 deny tcp 192.168.10.0 0.0.0.255 any eq telnet​​

destination UDP port number ICMP message type

Which two packet filters could a network administrator use on an IPv4 extended ACL? (Choose two.) destination MAC address destination UDP port number computer type source TCP hello address ICMP message type

C) Port numbers can be used to add greater definition to an ACL. E) Extended ACLs evaluate the source and destination addresses.

Which two statements are correct about extended ACLs? (Choose two) A) Multiple ACLs can be placed on the same interface as long as they are in the same direction. B) Extended ACLs end with an implicit permit statement. C) Port numbers can be used to add greater definition to an ACL. D) Extended ACLs use a number range from 1-99. E) Extended ACLs evaluate the source and destination addresses.

The first 28 bits of a supplied IP address will be matched. The last four bits of a supplied IP address will be ignored.

Which two statements describe the effect of the access control list wildcard mask 0.0.0.15? (Choose two.) The first 28 bits of a supplied IP address will be ignored. The last four bits of a supplied IP address will be matched. The last five bits of a supplied IP address will be ignored. The first 32 bits of a supplied IP address will be matched. The first 28 bits of a supplied IP address will be matched. The last four bits of a supplied IP address will be ignored.