26. Network Device Access Control and Infrastructure Security Flashcards
How does an access list process?
It starts at the top and proceeds down until a matching entry is found. When a match is found, processing stops and that entry's permit or deny is applied; later entries are never consulted, so entry order matters.
What is at the end of all ACLs?
An implicit deny: a packet that matches no entry is dropped
What can ACLs be used for?
- QoS (classifying traffic)
- NAT (selecting which addresses are translated)
- Identifying networks or traffic for other features (e.g., route maps, policy-based routing)
What are the 5 types of ACL?
- Standard numbered
- Extended numbered
- Named
- Port (PACL)
- VLAN (VACL)
What is the number of ACLs allowed per interface?
1 inbound and 1 outbound, per protocol (e.g., one IPv4 ACL in each direction)
What is the range for standard ACLs?
1-99 / 1300-1999
With what command is the ACL defined?
access-list number permit/deny source [source-wildcard] [log] (standard ACLs match on source address only)
What does the entry permit any do?
Permits (matches) any source address
What does the entry permit 172.16.0.0 0.0.255.255 do?
Permits all sources in 172.16.0.0/16 (the wildcard 0.0.255.255 ignores the last two octets)
What does the entry permit host 192.168.1.1 do?
Permits only the single host 192.168.1.1 (equivalent to 192.168.1.1 0.0.0.0)
What is the range of extended ACL?
100-199 / 2000-2699
What is the command for an extended numbered ACL?
access-list number permit/deny protocol
source source-wildcard [operator port]
destination destination-wildcard [operator port] [log]
What does the port operator neq do?
Matches only packets whose port is not equal to the given port number (the other operators are eq, gt, lt and range)
What is the command to create a named ACL?
ip access-list standard/extended NAME
What is the command to apply an ACL?
ip access-group number/NAME in/out (under the interface)
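The following Cisco IOS configuration is an added worked example for the standard, extended and named ACL cards above and the ip access-group card; it is not from the original flashcards. Interface names, addresses and ACL names are assumed for illustration. It shows why order matters (the host deny must come before the broader permit), the host/wildcard/any forms, the eq/neq port operators, and the implicit deny at the end of every list.

```cisco
! Standard numbered ACL (1-99): matches on source address only.
! Top-down, first match wins: the host deny must precede the /24 permit
! or the host would be matched by the permit and the deny never reached.
access-list 10 remark Block one workstation, allow the rest of its subnet
access-list 10 deny   host 192.168.1.1
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 172.16.0.0 0.0.255.255
! Implicit "deny any" ends the list: a 10.0.0.0/8 source is dropped here.

! Extended numbered ACL (100-199): protocol, source, destination, optional ports.
! Deny Telnet from 172.16.0.0/16 to the server (and log it), allow any other
! TCP session to the server that is NOT on port 23, allow ping replies.
access-list 110 deny   tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq 23 log
access-list 110 permit tcp any host 10.1.1.10 neq 23
access-list 110 permit icmp any any echo-reply
! Implicit "deny ip any any" ends the list.

! Named extended ACL: same logic, with sequence numbers so entries can be
! inserted later without rebuilding the list. The explicit final deny is
! optional but makes dropped traffic visible in the hit counters.
ip access-list extended TO-SERVER
 10 deny   tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq 23 log
 20 permit tcp any host 10.1.1.10 neq 23
 30 permit icmp any any echo-reply
 40 deny   ip any any log

! Apply: one ACL per interface, per direction, per protocol.
! Gi0/1 faces the users, Gi0/2 faces the server (assumed topology).
interface GigabitEthernet0/1
 ip access-group TO-SERVER in
interface GigabitEthernet0/2
 ip access-group 10 out
```

Verify with show ip access-lists, which prints the per-entry match counters; if a deny entry that should be firing shows zero matches, check whether an earlier permit is catching the traffic first.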
What is a PACL?
Port access list applied to Layer 2 switchports. Supports Layer 3 standard, extended and named IP ACLs as well as Layer 2 named MAC ACLs
What are the restrictions for PACL?
- Only supports filtering incoming (inbound) traffic
- Cannot filter Layer 2 control packets (e.g., CDP, VTP, DTP, PAgP, UDLD, STP)
- Supported only in hardware
- Does not filter IPv6, ARP or MPLS traffic
What is the command to create a PACL?
Create the ACL with ip access-list standard/extended NAME (or mac access-list extended NAME for a MAC ACL), then apply it to the Layer 2 port with ip access-group NAME in (or mac access-group NAME in)
What is a VACL?
A VLAN access list: filters traffic bridged within a VLAN as well as traffic routed into or out of the VLAN
How is a VACL created?
- Create an ACL whose entries permit the traffic to be acted on
- Create the VLAN access map (vlan access-map NAME sequence)
- Configure the match statement (match ip address / match mac address)
- Configure the action statement
- Apply the map to the VLANs with vlan filter NAME vlan-list list
What is important to remember when creating the ACL for a VACL?
It always needs a PERMIT statement! The ACL only selects traffic for the access-map sequence; a deny entry means "not selected by this sequence", not "drop", so the action is applied only to traffic the ACL permits. Traffic that matches no sequence is dropped by the VACL's implicit deny, so a final sequence with action forward is needed for everything else.
What are the action statements for VACL?
- Forward
- Drop
- Log (can only be used with drop)
What is the order for bridged traffic?
- Inbound PACL
- Inbound VACL
- Outbound VACL
What is the order for routed traffic?
- Inbound PACL
- Inbound VACL
- Inbound router ACL (on the ingress SVI/interface)
- Outbound router ACL (on the egress SVI/interface)
- Outbound VACL
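The following Cisco IOS configuration is an added worked example for the PACL card, the VACL procedure cards and the two evaluation-order cards above; it is not from the original flashcards. Interface names, VLAN 20, the address ranges and the ACL/map names are assumed for illustration. It puts an IP PACL, a MAC PACL, a VACL and a router ACL on one switch so the order in which they are evaluated can be followed in the comments.

```cisco
! --- PACL: IP and MAC ACLs on Layer 2 access ports, inbound only ---
! IP PACL: a guest port may not reach the management subnet (assumed 10.99.0.0/16).
ip access-list extended GUEST-PACL
 10 deny   ip any 10.99.0.0 0.0.255.255
 20 permit ip any any
! MAC PACL: only the printer's MAC may source frames on its port; the
! implicit deny drops frames from any other MAC address.
mac access-list extended PRINTER-ONLY
 permit host 0011.2233.4455 any

interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 20
 ip access-group GUEST-PACL in
interface GigabitEthernet1/0/11
 switchport mode access
 switchport access vlan 20
 mac access-group PRINTER-ONLY in

! --- VACL: filter SMB inside VLAN 20 and in/out of it ---
! Step 1: the ACL PERMITS the traffic to act on. A deny entry here would
! mean "not selected", and the drop below would never apply to it.
ip access-list extended VLAN20-SMB
 permit tcp any any eq 445
 permit tcp any any eq 139
! Steps 2-4: access map, match statement, action statement.
vlan access-map VLAN20-MAP 10
 match ip address VLAN20-SMB
 action drop log
! Sequence with no match clause matches everything else; without it the
! VACL's implicit deny would drop all other traffic in the VLAN.
vlan access-map VLAN20-MAP 20
 action forward
! Step 5: apply the map to the VLAN.
vlan filter VLAN20-MAP vlan-list 20

! --- RACL: router ACL on the VLAN 20 SVI for routed traffic ---
! Only sources from the VLAN's own subnet (assumed 10.20.0.0/16) may be routed out.
ip access-list extended VLAN20-RACL
 10 permit ip 10.20.0.0 0.0.255.255 any
interface Vlan20
 ip address 10.20.0.1 255.255.0.0
 ip access-group VLAN20-RACL in

! Evaluation order for a frame arriving on Gi1/0/10:
!  bridged within VLAN 20: GUEST-PACL (in) -> VLAN20-MAP (in) -> VLAN20-MAP (out)
!  routed out of VLAN 20:  GUEST-PACL (in) -> VLAN20-MAP (in) -> VLAN20-RACL (in)
!                          -> router ACL out on the egress SVI -> VACL on the egress VLAN
! A packet dropped at any stage never reaches the later ones, so a VACL drop
! counter that stays at zero may simply mean the PACL already discarded the traffic.
```

Check the PACL with show ip access-lists and show mac access-group interface, and the VACL with show vlan access-map and show vlan filter. If SMB is still passing inside VLAN 20, the usual cause is a deny entry in the match ACL or a missing vlan filter line.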