Cisco 2 Chapter 9
access-list 1 permit host 192.168.10.10
use a keyword to write this ACL better: access-list 1 permit 192.168.10.10 0.0.0.0
router
A ___________ acts as a packet filter when it forwards or denies packets according to filtering rules.
False
A standard ACL cannot be used to filter incoming or outgoing Telnet/SSH sessions. True or False
access control list
ACL (expand)
One ACL per interface
ACLs control traffic for an interface
One ACL per direction
ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.
access control entries
An ACL is a sequential list of permit or deny statements, known as ________ _______ _______ (ACEs)
True
Answer true if the following statements correspond to General Guidelines for creating ACLs: - Use ACLs in firewall routers - Use ACLs on a router in between two parts of your network - Configure ACLs on border routers - Configure ACLs for each network protocol on the border router interfaces
specific, general
ACL entries should be ordered from ____________ to _________________, since the order in which the statements are entered is important (internal logic)
false
Extended ACLs only examine the source IPv4 address. The destination of the packet and the ports involved are not considered. True or False
True
If an inbound packet matches an ACL statement with a permit, it is sent to be routed. True or false
False
If there is an ACL on the outbound interface, the packet is automatically sent out that interface without being tested against it. True or false
extended
Locate _________ ACLs as close as possible to the source of the traffic to be filtered
True
Named ACLs can contain alphanumeric characters, and it is suggested that the name be written in CAPITAL LETTERS
False
Named ACLs can contain spaces or punctuation. True or False
100 to 199, 2000 to 2699
Numbered ACL: Extended IP ranges Format: _____ to _____, _______ to ________
1 to 99, 1300 to 1999
Numbered ACL: Standard IP ranges Format: _____ to _____, _______ to ________
standard
Place __________ ACLs as close to the destination as possible
Wildcard mask
Reverse of subnet mask; Uses bit 0 - Match the corresponding bit value in the address.; Uses bit 1 - Ignore the corresponding bit value in the address.; Also referred to as Inverse Mask
implicit deny
What is always the last statement of an ACL? It is automatically applied at the end of each ACL even though it does not appear in the configuration.
blocks
The implicit deny ___________ all traffic that no earlier statement explicitly permits
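Added example, not part of this study set and not Cisco IOS code: a small Python model of how a router applies the statements described on the cards above. It implements the wildcard-mask comparison (bit 0 must match, bit 1 is ignored), the host and any shorthands, eq and established for extended ACLs, the standard/extended number ranges, top-down first-match evaluation, and the implicit deny that is never shown in the configuration. The ACL 110 configuration and the packets used to exercise it are constructed for this example; ACL_110, Packet, parse_acl, evaluate and is_valid_ace are names chosen here, not IOS commands.

```python
"""Toy evaluator for Cisco-style numbered IPv4 ACLs (teaching code, not IOS).
Models wildcard matching, host/any, eq/established, first-match and implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
STANDARD_RANGES = [(1, 99), (1300, 1999)]
EXTENDED_RANGES = [(100, 199), (2000, 2699)]
ANY = ("0.0.0.0", "255.255.255.255")   # what the 'any' keyword expands to


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(candidate: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = this bit must match, bit 1 = ignore it (inverse mask)."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(candidate) & care) == (_ip(base) & care)


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every IPv4 protocol
    src: Tuple[str, str]             # (address, wildcard)
    dst: Tuple[str, str]
    dst_port: Optional[int] = None   # from "eq <port>"
    established: bool = False        # match only TCP segments with ACK or RST set


@dataclass
class Packet:                        # constructed packet summary for the example
    src: str
    dst: str
    proto: str = "tcp"
    dst_port: Optional[int] = None
    ack_or_rst: bool = False


def _parse_addr(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume an address spec at t[i]; return ((address, wildcard), next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":               # 'host X' is shorthand for 'X 0.0.0.0'
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one 'access-list <n> ...' line; a remark yields None."""
    t = line.split()
    number, action = int(t[1]), t[2]
    if action == "remark":
        return None
    if action not in ("permit", "deny"):
        raise ValueError(f"expected permit/deny, got {action!r}")
    if any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
        return Ace(action, "ip", _parse_addr(t, 3)[0], ANY)   # source only
    if not any(lo <= number <= hi for lo, hi in EXTENDED_RANGES):
        raise ValueError(f"{number} is not a standard or extended IPv4 ACL number")
    if t[3] not in PROTOCOLS:        # rejects 'permit any tcp ...': wrong field order
        raise ValueError(f"protocol must follow the action, got {t[3]!r}")
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    ace = Ace(action, t[3], src, dst)
    while i < len(t):
        if t[i] == "eq":
            ace.dst_port, i = int(t[i + 1]), i + 2
        elif t[i] == "established":
            ace.established, i = True, i + 1
        else:
            raise ValueError(f"unsupported keyword {t[i]!r}")
    return ace


def is_valid_ace(line: str) -> bool:
    try:
        return parse_ace(line) is not None
    except (ValueError, IndexError):
        return False


def parse_acl(config: str) -> List[Ace]:
    aces = [parse_ace(l) for l in config.strip().splitlines() if l.strip()]
    return [a for a in aces if a is not None]


def matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and wildcard_match(pkt.src, *ace.src)
            and wildcard_match(pkt.dst, *ace.dst)
            and (ace.dst_port is None or pkt.dst_port == ace.dst_port)
            and (not ace.established or pkt.ack_or_rst))


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Top-down, first match wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"   # the implicit 'deny any' that never shows in the config


ACL_110 = """
access-list 110 remark constructed example policy: return traffic in, Telnet from one host
access-list 110 permit tcp any 192.168.10.0 0.0.0.255 established
access-list 110 permit tcp host 192.168.20.5 192.168.10.0 0.0.0.255 eq 23
access-list 110 deny tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 23
"""
```

Feeding it the invalid line from the cards, access-list 114 permit any tcp 192.168.20.0 0.0.0.255 eq 23, makes is_valid_ace return False because the protocol must follow the action. Swapping the permit-host and deny lines in ACL_110 shows why statements are ordered from specific to general: the broader deny would then match first and the host permit would never be reached. A UDP packet to the LAN matches nothing and falls through to the implicit deny.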
One ACL per protocol
To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
False
True or False: This is a valid Extended IPv4 ACL command access-list 114 permit any tcp 192.168.20.0 0.0.0.255 eq 23
Inbound, Outbound
Two types of ACL logic (directions in which an ACL can be applied)
Standard, Extended
Two types of Cisco IPv4 ACLs
Numbering, Naming
Two ways to identify (classify) ACLs
0.0.0.255
Wildcard Mask of the subnet mask 255.255.255.0
True
You can create a named standard ACL by: ip access-list [standard / extended] name True or False
Extended ACLs
_____________ can filter on: - Source address - Destination address - Protocol - Port numbers
Packet Filtering
____________________ sometimes called static packet filtering, controls access to a network by analyzing the incoming and outgoing packets and passing or dropping them based on given criteria, such as the source IP address, destination IP addresses, and the protocol carried within the packet.
access-class
command used on the VTY lines to filter incoming or outgoing Telnet/SSH sessions by source address
ip access-group
command used to link a configured ACL to an interface
no access-list
command used to remove an ACL from the configuration
show access-lists
command used to show access lists configured on the device
show ip interface
command used to verify ACLs
Extended ACLs
filter IP packets based on several attributes: - Source and destination IP addresses - Source and destination TCP and UDP ports - Protocol type/protocol number
Standard ACLs
filter IP packets based on the source address only
remark
keyword used for documentation and makes access lists a great deal easier to understand
established
keyword used to permit only TCP traffic that belongs to a connection already established from the inside, i.e. segments with the ACK or RST bit set (one word)
host
keyword used to abbreviate the wildcard mask of 0.0.0.0
any
keyword used to abbreviate the wildcard mask of 255.255.255.255
eq
keyword used to match a specific port number or port name in an extended ACL (two letters)
no ip access-group
to remove an ACL from an interface