Access Control Lists

Question 1

Access Control Lists are made up of what kind of entries?

Answer 1

Access Control Entries

Question 2

What does an extended ACL filter traffic based on?

Answer 2

Source IP, Destination IP, Source Port, Destination Port

Question 3

What is this extended ACL command doing?

access-list 100 deny tcp 10.10.30.0 0.0.0.255 gt 49151 10.10.20.1 0.0.0.0 eq 23

Answer 3

It’s an extended access control list that is denying TCP traffic to port 23 from the 10.10.30.0/24 subnet going to the destination IP of 10.10.20.1

Question 4

What numbers are considered standard ACL range?

Answer 4

1-99 and 1300-1999

Question 5

What numbers are considered extended ACL range?

Answer 5

100-199 and 2000-2699

Question 6

Provide an example of a standard ACL command?

Answer 6

access-list 1 permit 10.10.10.10 0.0.0.0

Question 7

What does a wildcard mask of 0.0.0.0 mean?

Answer 7

It means the subnet mask is 255.255.255.255 and that the IP address before the mask is the only IP being targeted.

Question 8

Standard ACLs can have more parameters than just the source address, correct?

Answer 8

No, only Extended ACLs can have more parameters than the source address

Question 9

Does an Extended ACL have a default wildcard mask?

Answer 9

No, you have to specify a wildcard mask with an extended ACL

Question 10

What is this Extended ACL doing?

R1(config)#access-list 100 permit tcp 10.10.10.0 0.0.0.255 gt 49151 10.10.50.10 0.0.0.0 eq telnet

Answer 10

It’s an extended ACL that will permit telnet TCP traffic from the subnet of 10.10.10.0/24 with a source port greater than 49151 going to a destination address of 10.10.50.10

Question 11

What is this standard ACL doing?

R1(config)#access-list 1 deny 10.10.10.10 0.0.0.0

Answer 11

Denying the IP address of 10.10.10.10. Since it has a wildcard mask of 0.0.0.0 then it’s target that one IP Address and not the subnet range

Question 12

Name the “steps” in an extended ACL statement?

Answer 12

1. Access List Designation
2. Access List Number
3. Permit or Deny Designation
4. Protocol Designation that you’re wanting to block (TCP, UDP)
5. IP Subnet with Wildcard Mask
6. Greater, Less than or Equal To
7. Source Port Number
8. Destination IP Subnet with Wildcard Mask
9. Equal to
10. Destination Port Number or Protocol (Telnet, SSH, etc.)

Question 13

How would you configure a named ACL?

Answer 13

ip access-list extended (or standard) {name-of-list}

deny {IP network} {wildcard-mask}
deny 10.10.10.0 0.0.0.255

Question 14

In a standard ACL what is the only piece of information that the router or switch cares about?

Answer 14

The source address

Question 15

What number range would 1-99 and 1300-1999 be considered in terms the ACL?

Answer 15

Standard Access Control List

Question 16

What number range would 100-199 and 2000-2699 be considered in terms of the ACL?

Answer 16

Extended Access Control List

Question 17

Syntax wise, what is the difference between a Numbered ACL and a Named ACL?

Answer 17

A numbered ACL would have a number like:
access-list 100

A named ACL would have the standard or extended designation plus a name like:
ip access-list standard Flackbox

Question 18

What would be the commands to create a named ACL that would deny 10.10.10.10 and permit the 10.10.10.0/24 network?

Answer 18

ip access-list standard {name-of-ACL}
deny 10.10.10.10 0.0.0.0
permit 10.10.10.0 0.0.0.255

Question 19

Write an Access Control Entry for this scenario:

Access List number of 100 that permits telnet TCP traffic from the subnet of 10.10.10.0/24 with a source port greater than 49151 going to a destination address of 10.10.50.10

Answer 19

access-list 100 permit tcp 10.10.10.0 0.0.0.255 gt 49151 10.10.50.10 0.0.0.0 eq telnet

Question 20

Write an Access Control Entry for this scenario:

Access List number of 100 that denies TCP traffic from the network 10.10.10.0 going to a destination address of 10.10.50.0 that is accepting traffic on port 80

Answer 20

access-list 100 deny tcp 10.10.10.0 0.0.0.255 10.10.50.0 0.0.0.255 eq 80

Question 21

What does access-list 100 deny ip 10.10.10.0 0.0.0.255 10.10.50.0 0.0.0.255 represent?

Answer 21

This is denying ALL traffic from the source subnet of 10.10.10.0/24 to the destination network of 10.10.50.0/24

Question 22

What command in the ACE would keep you from having to provide a wildcard mask?

Answer 22

host

Example: access-list 100 permit tcp host 10.10.10.10

The host command essentially tells the router or switch that’s a single IP you’re targeting

Question 23

What does #access-list 100 permit tcp 0.0.0.0 255.255.255.255 tell us?

Answer 23

Permit literally any traffic that is TCP on this port or VLAN

Question 24

What is another way to write #access-list 100 permit tcp 0.0.0.0 255.255.255.255 and still allow all TCP traffic?

Answer 24

access-list 100 permit tcp any

Question 25

What is this ACE telling us:

access-list 100 deny tcp host 10.10.10.10 10.10.20.0 0.0.0.255 eq www log

Answer 25

It’s an extended Access Control Entry with a number of 100
Deny TCP traffic from 10.10.10.10 that is going TO the destination network of 10.10.20.0/24 with a destination port of 80(www) and we want log it to the console or an external monitoring service

Question 26

What command would you use to verifiy ACLs?

Answer 26

show access-lists {acl-number}

Question 27

What will the command show access-lists {acl-number} tell you?

Answer 27

It will show you all of the Access Control Entries for that ACL and if it’s matching for any traffic

Question 28

If you’ve created your ACL with the Access Control Entries, what do you need to do to actually get them to work?

Answer 28

You need to enable it on the interface or VLAN with the access-group command

Question 29

How many ACLs can you have on one interface per direction?

Answer 29

1

Question 30

Why can you only have 1 ACL per direction on an interface?

Answer 30

Because if you have multiple ACLs going outbound or inbound then the router will not know one to actually apply

Question 31

What is a good way to think about which direction to apply the ACL?

Answer 31

Think about the way traffic flows.

Question 32

How would you configure an access group on an interface or VLAN?

Answer 32

int {int} or int {vlan}
ip access-group {number} {direction}

Example:
int fa0/1
ip access-group 100 in

or

int vlan 10
ip access-group 100 out

Question 33

What is a command to show which access groups are applied to an interface?

Answer 33

show ip int {int} | include access-list

Question 34

True or False: Precedence for ACLs goes from Bottom to Top

Answer 34

False. They go from top to bottom

Question 35

Why is it important for ACLs importance to go from Top to Bottom?

Answer 35

Because if a more targeted ACE was put AFTER a broader one, then the broader one would take precedence because it came first and the router would stop at the first match

Question 36

In this scenario:

access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 deny host 10.10.10.10

Would 10.10.10.10 be denied or permitted?

Answer 36

It would be permitted because the permit entry for 10.10.10.0/24 came first and the router would process that and then stop processing anything after it

Question 37

What increments are ACLs numbered in?

Answer 37

Increments of 10

Question 38

Why is the numbered increments on the entries important?

Answer 38

In case you need to inject another entry in the future

Question 39

How would you inject another entry into an already established ACL with numbers 10,20,30 and 40 but you need it to take second priority?

The scenario is you want to deny TCP traffic from host 10.10.10.11 to destination host 10.10.50.10 on the destination telnet port

Answer 39

ip access-list extended {number}
15 deny tcp host 10.10.10.11 host 10.10.50.10 eq telnet

Question 40

True or False: there is an implicit deny any any rule at the bottom of every ACL

Answer 40

True

Question 41

True or False: If an ACL is not applied to an interface, all traffic is denied

Answer 41

False, all traffic is allowed at that point

Question 42

True or False: All traffic is denied except what is explicitly allowed due to the implied deny any any rule at the bottom the of ALL ACLs

Answer 42

True

Question 43

What can we infer from this ACE in terms of permit rules?

access-list 1 permit 10.10.10.0 0.0.0.255

Answer 43

All traffic will be denied except traffic from 10.10.10.0 0.0.0.255

Question 44

What are these ACE’s doing?

access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 deny any log

Answer 44

Permitting any traffic from 10.10.10.0/24
Denying all other traffic and logging any illegal traffic

Question 45

If you want to reverse the implicit deny any any rule so that ALL traffic is permitted except what is explicitly denied, how would you achieve this?

Answer 45

Add a permit any rule at the bottom of your entries

Question 46

Which would have precedence? An explicit permit any rule at the bottom of an ACL or an implicit deny any any at the bottom of the ACL?

Answer 46

The permit any rule would take precedence because it would be above the deny any any rule implicitly at the bottom