11 - Access Control List

Question 1

Where are Access Control Lists (ACL) used?

Answer 1

1. Computer networks (firewalls, switches and routers)
2. Computer file systems (servers and workstations)
3. Web portals (Canvas, Amazon.com)
4. Cloud configurations (Amazon Web Service VPC, Microsoft Azure VNET)

Question 2

What is Access Control List (ACL)?

Answer 2

A rule-based feature that allows network administrators and engineers to configure basic traffic filtering. ACL is a series of commands, that based on info in the packet header, determine whether to drop a packet or forward it.

Question 3

What device contains ACLs?

Answer 3

Firewalls

Question 4

What are stateless firewalls?

Answer 4

Looks at source and destination with conditions that allow or block traffic

Question 5

What is a stateful firewall?

Answer 5

Will understand the details of a connection and allow the return traffic. Most decent firewalls are stateful.

Question 6

What are ACL advantages?

Answer 6

1. Network performance

2. Security the network

Question 7

What does ACL restrict?

Answer 7

• Routing protocol advertisement messages
• Packets from security protocols
• Packets from other protocols (e.g. ICMP)

Question 8

What are standard ACLs?

Answer 8

Filters traffic according to source IP address when implementing restrictions. Cisco recommends to place this type of ACL as close to the destination device as possible

Question 9

What is an Extended ACL?

Answer 9

Filters packets according to the following parameters: source and destination IP address, protocol typ, and source or destination port. Cisco recommends to place this ACL close to source as possible.

Question 10

True or False:

When configuring ACL traffic direction (inbound or outbound), must be specified on an interface.

Answer 10

True - so router will implement the proper restriction when examing the source network and destination

Question 11

What does Inbound ACL do?

Answer 11

Configures the ACL for inbound traffic. Router will examine incoming traffic to the interface.

Question 12

What does Outbound ACL do?

Answer 12

Configures the ACL for outbound traffic. Router will examine outgoing traffic from the interface.

Question 13

What are Wildcards?

Answer 13

Inverted subnet masks that can be used in statements for Extended and Standard ACLs.

Question 14

True or False:

The order of statements in an ACL is not crucial

Answer 14

Fals

Question 15

What is Access Control Entries (ACEs)?

Answer 15

Represent the order of statements in the ACL. Must be planned carefully.

Question 16

What is a Check Order?

Answer 16

Router checks each packet’s parameters against the ACEs to find a matching condition. When a condition is met, the ACL will be applied, and additional ACEs will be ignored

Question 17

What is Implicit Deny?

Answer 17

An invisible statement at the end of every ACL. When no match is found for a packet, the implicit deny is applied to the packet.

Question 18

True or False:

Each ACP must have at least 2 Permit statements.

Answer 18

False - must have at least 1 Permit statements

Question 19

Where are Standard ACLs placed?

Answer 19

Close to destination. Cisco set this rule because place Standard ACLs at the source of traffic will prevent comms with any network hosting interfaces to which the ACL applies

Question 20

True or False:

ACLs can be assigned unique names or numbers

Answer 20

True

Question 21

What is a Standard Named ACL?

Answer 21

Allow unique names to be assigned to ACLs

Question 22

What is Standard Numbered ACL?

Answer 22

Allow unique numbers to be assigned to ACLs. Range includes 1-99 and 1300-1999

Question 23

What is Standard Numbered ACL format?

Answer 23

1.

Question 24

Does a router verify every packet it forwards against an ACL in chronological order?

Answer 24

Yes - Every inbound or outbound packet parameter is checked according to the received information in every ACE. For example, if you send a stateful packet out via HTTP it is only checked against the outbound rules. The return packet is not checked. On the flip side, if you send out a stateless packet like SNMP, the return packet is a new packet and checked against inbound rules.