12 - IP ACLs Flashcards
How many bytes in a UDP header?
8
How many bytes in a TCP header?
20
What port does DNS use?
Port 53
What IP ACLs only match on the Source IP?
Standard ACLs
What two points in a device are ACLs applied?
Either entering or exiting interface
What is the range for Standard numbered ACLs?
1 - 99
What is the range for Extended numbered ACLs?
100 - 199
What is the range for both Standard and Extended ‘Additional’ ACLs?
Standard: 1300-1999
Extended: 2000-2699
What is the difference between Numbered and Named ACLs with respect to configuration commands?
Numbered ACLs can be configured with Global commands
Named ACLs are configured with sub-commands
What statement is implicitly at the end of all ACLs?
Deny all
How would you configure a standard IP access list to allow a given subnet?
access-list 99 permit 10.1.1.0 0.0.0.255
How would you match any and all packets with an ACL command?
access-list 1 permit any
access-list 1 deny any
Why would you want to configure an explicit deny any rule?
So that you can see the counter for how many packets are matched by it, which is not possible using the implicit deny any rule
Where should standard ACLs be placed and why?
As close to the destination as possible so that they don’t unintentionally discard packets that shouldn’t be discarded
What command is used to actually enable the ACL on a chosen interface?
Interface subcommand:
ip access-group 99 {in | out}
How can you show a list of IPv4 ACLs?
show ip access-lists
How can you see ACLs active on a given interface?
show ip interface g0/0
What is the difference between the commands show ip access-lists and show access-lists?
The show access-lists command also lists other types of ACLs, such as IPv6 ACLs.
True/False: Packets created by the router itself are filtered by ACLs
False.
A router does not filter packets it created itself with an outbound ACL, e.g. routing protocol messages, ping packets, etc.
How do you enable log messages for ACL statistics?
Append the log keyword to the end of the ACL rule command:
access-list 2 permit 10.1.1.1 log
What are the 3 ‘matching’ parameters that extended ACL access-list commands require?
- Protocol Type
- Source IP
- Destination IP
What is a key difference between standard and extended ACLs when matching a specific IP address?
Extended ACLs require you to use the ‘host’ keyword
How do you use the extended ACL access-list command while specifying only the minimum required matching parameters?
access-list 101 permit tcp any 10.1.1.0 0.0.0.255
access-list 101 permit ip any any
What are all the possible port matching modifiers for extended ACLs?
eq, ne, lt, gt, range
How would you make an extended ACL entry using ports specified as well?
access-list 101 permit tcp any eq 443 host 10.1.1.1
With respect to network layout and design, where should you place extended ACLs?
As close as possible to the source of packets that are to be filtered. This saves bandwidth.
What is the difference between standard and extended ACLs with respect to placement location in the network?
Standard ACLs should be placed as close to the destination as possible, to avoid discarding packets they are not intended to discard.
Extended ACLs should be placed as close to the source as possible, which saves bandwidth
How do you add a comment to an ACL?
access-list 101 remark Deny traffic from Server A to DNS servers
What port range is considered dynamic ports?
49152 - 65535
How do you make a named ACL?
ip access-list {standard | extended} MyACLName
How can you remove lines from a named ACL without sequence numbers?
no deny ip 10.1.2.0 0.0.0.255 host 10.2.3.1
True/False: IOS adds sequence numbers to commands as you configure them, even if you do not include the sequence numbers
True
How do you add or remove ACL commands using sequence numbers?
ACL Subcommands
no 20
5 deny 10.1.1.1
What should you do before making changes to an ACL?
Disable an ACL from its interface
How do you disable an ACL on its interface?
Interface sub-command
no ip access-group 10