6 - Advanced Network Security

Question 1

What are ACLs or access control lists used for?

Answer 1

identify and control packet flow across a network

Question 2

What is traffic identified by an ACL referred to?

Answer 2

interesting traffic

Question 3

How do standard ACLs identify traffic?

Answer 3

source ip address

Question 4

How do extended ACLs identify traffic?

Answer 4

source ip address
destination ip address
protocol
port number

Question 5

What happens to traffic that has not been identified in an ACL?

Answer 5

explicitly denied

Question 6

ACLs are made up of one or more rules called?

Answer 6

statements

Question 7

What is the implicit deny rule in an ACL?

Answer 7

packets that do not match any of the statements are dropped

Question 8

What is the order that an ACL is evaluated?

Answer 8

Top to bottom

Question 9

What is used in an ACL to match a host, subnet, or subnets?

Answer 9

wildcard mask

Question 10

What is the trick for calculating wildcard masks?

Answer 10

Subtracting the subnet mask from 255 for each octet

Question 11

What do the bits in a wildcard mask determine?

Answer 11

0’s indicate they should be compared

1’s indicate they should be disregarded

Question 12

Where should you apply a standard ACL?

Answer 12

the router interface closest to the destination

Question 13

Where should you apply an extended ACL?

Answer 13

the router interface closest to the source

Question 14

What is the number value range in a standard ACL?

Answer 14

1-99

1300-1999

Question 15

What is the number value range in an extended ACL?

Answer 15

100-199

2000-2699

Question 16

What keyword in an ACL is used to match a specific computers ip address?

Answer 16

host

Question 17

What protocols are available in an ACL?

Answer 17

gre
icmp
igrp
ip
tcp
udp

Question 18

What operators are availablein an ACL?

Answer 18

eq or equal
neq or not equal
LT or less than
gt or greater than
range

Question 19

What is the difference between the access-list command and the ip access-list command?

Answer 19

1. ip access-list is used to create named access lists
2. ip access-list command will put you in ACL configuration mode (config-sta-nacl)
3. ip access-list command allows you to use the sequence numbers
4. access-list command keeps you in config mode
5. access-list command has to have the commands in the correct sequence order

Question 20

What is the next step after you create an ACL?

Answer 20

apply it to an interface

Question 21

how do you apply an ACL to an interface?

Answer 21

ip access-group guest-block in

Question 22

How many ACLs can you have per interface?

Answer 22

one acl per interface, per protocol, per direction, ie two tcp acls one inbound and one outbound to a single interface

Question 23

Why are ACLs applied to inbound traffic?

Answer 23

test all incoming packets with the same set of parameters

Question 24

Why are ACLs applied to outbound traffic?

Answer 24

test incoming packets with more than one perameter

Question 25

What is a disadvantage of using outbound ACLs?

Answer 25

create unnecessary overhead for the router because it has to process the traffic even though it may be discarded

Question 26

What does the show access-lists or show ip access-lists commands do?

Answer 26

view the contents of all the ACLs configured on the router

Question 27

What command is used to verify that an ACL has been applied to the interface?

Answer 27

sh ip interface

Question 28

What is logging good for on an ACL?

Answer 28

verify that an acl is functioning as intended

Question 29

How do you use the log keyword in an ACL?

Answer 29

it has to be applied at the end of each statement that is intended to be logged

Question 30

What is the downside for logging in an ACL?

Answer 30

Increase cpu usage

CEF is disabled and instead fast switched

Question 31

What is a time-based acl?

Answer 31

uses a time profile to apply an acl

Question 32

What is a dynamic acl?

Answer 32

offers additional security by forcing a user to authenticate before gaining permission to send packets

Question 33

What is a reflexive acl?

Answer 33

generate temporary acl statements that permit inbound traffic sent in response to outbound traffic

Question 34

What is the command to apply an acl to a vty line?

Answer 34

access-class 10 in

Question 35

What are some additional uses for an acl?

Answer 35

qos
nat
vpn