5.0 Security Fundamentals

Question 1

What is are the differences between standard and extended ACLs?

Answer 1

1. Standard ACLs can only filter at Layer 3 using the source IP address
2. Extended ACLs can also include destination IP address and Layer 4 attributes, such as protocol and port number

Question 2

What is an advantage of using an ACL inbound on an interface and best use scenario?

Answer 2

1. It will discard denied traffic before processing the packets for routing
2. Best used when the source of traffic to filter only comes to/from a single interface

Question 3

How are outbound ACLs different than inbound ACLs and best scenario?

Answer 3

1. Rules are processed after packets have been routed and allowed/discarded at the outbound interface before putting on the wire
2. Best when traffic source is from multiple interfaces going out a single interface

Question 4

What can be omitted from an ACE when the “host” keyword is used?

Answer 4

The wildcard mask

Question 5

What keyword can be substituted for a source or destination IP address in an ACE?

Answer 5

any

Question 6

What is the limit on the number of ACLs that can be applied to a single interface?

Answer 6

One inbound + one outbound = 2 for single stack IP
4 total if dual-stack IP (IPv4 & IPv6)

Question 7

What command can be used to document an ACE?

Answer 7

remark

Question 8

2 number ranges for standard ACLs

Answer 8

1-99, 1300-1999

Question 9

2 number ranges for extended ACLs

Answer 9

100-199, 2000-2699

Question 10

Which is preferred, using numbered or named ACLs and why?

Answer 10

Named ACLs, because the name can provide information about the purpose of the ACL

Question 11

What is the difference in the commands used to create numbered and named ACLs?

Answer 11

Numbered ACLs: access-list [x] ….
Named ACLs: ip access-list [name]

Question 12

Where are the optimal places to put standard and extended ACLs?

Answer 12

Standard ACLs - at the destination
Extended ACLs - at the source

Question 13

What is the full syntax to create a standard numbered ACL?

Answer 13

access-list [access-list-number] {deny | permit | remark text} source [source-wildcard] [log]
*note whole command is repeated for every ACE added to the list

Question 14

What part of the command to create a standard ACL is optional and what effect does it have?

Answer 14

log - generates a informational message for the first matched packet a rule is applied to, should only be used for troubleshooting or security reasons

Question 15

What command removes a numbered ACL?

Answer 15

no access-list [number]

Question 16

What command creates a standard named ACL?

Answer 16

R1(config)#ip access-list standard [name]
R1(config-std-nacl)#[permit | deny | remark] [source address]

Question 17

What are the 2 methods to modify ACL ACE?

Answer 17

1. Delete the ACL and then recreate it using copy/paste and a text editor
2. Using sequence numbers to modify specific entries

Question 18

What are the commands to modify an ACL ACE using the delete/recreate method?

Answer 18

1. R1# show run | section access-list
2. Copy the output into a text editor and modify it
3. R1(config)# no access-list 1
4. R1(config)# [paste content copied from text editor]

Question 19

What are the commands to modify an ACL ACE using sequence numbers?

Answer 19

1. R1# show access-lists [to get the sequence # of the ACE to modify]
2. R1(config)# ip access-list standard 1
   R1(config-std-nacl)# no 10 [remove incorrect entry]
3. R1(config-std-nacl)# 10 deny host 192.168.10.10 [add the correct entry]

Question 20

What command shows access-lists and match counters?

Answer 20

R1# show access-lists

Question 21

What command clears/resets the match counters?

Answer 21

R1# clear access-list counters [ACL name/number]

Question 22

What are the steps/commands to secure telnet/ssh access via ACL?

Answer 22

1. Create ACL, add a final deny any statement to track unauthorized attempts
   2.