Access Control Lists Flashcards
Access Control Lists are made up of what kind of entries?
Access Control Entries
What does an extended ACL filter traffic based on?
Source IP, Destination IP, Source Port, Destination Port
What is this extended ACL command doing?
access-list 100 deny tcp 10.10.30.0 0.0.0.255 gt 49151 10.10.20.1 0.0.0.0 eq 23
It’s an extended access control list that is denying TCP traffic to port 23 from the 10.10.30.0/24 subnet going to the destination IP of 10.10.20.1
What numbers are considered standard ACL range?
1-99 and 1300-1999
What numbers are considered extended ACL range?
100-199 and 2000-2699
Provide an example of a standard ACL command?
access-list 1 permit 10.10.10.10 0.0.0.0
What does a wildcard mask of 0.0.0.0 mean?
It means the subnet mask is 255.255.255.255 and that the IP address before the mask is the only IP being targeted.
Standard ACLs can have more parameters than just the source address, correct?
No, only Extended ACLs can have more parameters than the source address
Does an Extended ACL have a default wildcard mask?
No, you have to specify a wildcard mask with an extended ACL
What is this Extended ACL doing?
R1(config)#access-list 100 permit tcp 10.10.10.0 0.0.0.255 gt 49151 10.10.50.10 0.0.0.0 eq telnet
It’s an extended ACL that will permit telnet TCP traffic from the subnet of 10.10.10.0/24 with a source port greater than 49151 going to a destination address of 10.10.50.10
What is this standard ACL doing?
R1(config)#access-list 1 deny 10.10.10.10 0.0.0.0
Denying the IP address 10.10.10.10. Since it has a wildcard mask of 0.0.0.0, it targets that one IP address and not the subnet range
Name the “steps” in an extended ACL statement?
- Access List Designation
- Access List Number
- Permit or Deny Designation
- Protocol Designation that you want to block (TCP, UDP)
- IP Subnet with Wildcard Mask
- Greater than, Less than, or Equal To
- Source Port Number
- Destination IP Subnet with Wildcard Mask
- Equal to
- Destination Port Number or Protocol (Telnet, SSH, etc.)
How would you configure a named ACL?
ip access-list extended (or standard) {name-of-list}
deny {IP network} {wildcard-mask}
deny 10.10.10.0 0.0.0.255
In a standard ACL what is the only piece of information that the router or switch cares about?
The source address
What number range would 1-99 and 1300-1999 be considered in terms of the ACL?
Standard Access Control List
What number range would 100-199 and 2000-2699 be considered in terms of the ACL?
Extended Access Control List
Syntax wise, what is the difference between a Numbered ACL and a Named ACL?
A numbered ACL would have a number like:
access-list 100
A named ACL would have the standard or extended designation plus a name like:
ip access-list standard Flackbox
What would be the commands to create a named ACL that would deny 10.10.10.10 and permit the 10.10.10.0/24 network?
ip access-list standard {name-of-ACL}
deny 10.10.10.10 0.0.0.0
permit 10.10.10.0 0.0.0.255
Write an Access Control Entry for this scenario:
Access List number of 100 that permits telnet TCP traffic from the subnet of 10.10.10.0/24 with a source port greater than 49151 going to a destination address of 10.10.50.10
access-list 100 permit tcp 10.10.10.0 0.0.0.255 gt 49151 10.10.50.10 0.0.0.0 eq telnet
Write an Access Control Entry for this scenario:
Access List number of 100 that denies TCP traffic from the network 10.10.10.0 going to a destination address of 10.10.50.0 that is accepting traffic on port 80
access-list 100 deny tcp 10.10.10.0 0.0.0.255 10.10.50.0 0.0.0.255 eq 80
What does access-list 100 deny ip 10.10.10.0 0.0.0.255 10.10.50.0 0.0.0.255 represent?
This is denying ALL traffic from the source subnet of 10.10.10.0/24 to the destination network of 10.10.50.0/24
What command in the ACE would keep you from having to provide a wildcard mask?
host
Example: access-list 100 permit tcp host 10.10.10.10
The host keyword essentially tells the router or switch that it’s a single IP you’re targeting
What does #access-list 100 permit tcp 0.0.0.0 255.255.255.255 tell us?
Permit literally any traffic that is TCP on this port or VLAN
What is another way to write #access-list 100 permit tcp 0.0.0.0 255.255.255.255 and still allow all TCP traffic?
access-list 100 permit tcp any
What is this ACE telling us:
access-list 100 deny tcp host 10.10.10.10 10.10.20.0 0.0.0.255 eq www log
It’s an extended Access Control Entry with a number of 100
Deny TCP traffic from 10.10.10.10 that is going TO the destination network of 10.10.20.0/24 with a destination port of 80 (www), and we want to log it to the console or an external monitoring service
What command would you use to verify ACLs?
show access-lists {acl-number}
What will the command show access-lists {acl-number} tell you?
It will show you all of the Access Control Entries for that ACL and if it’s matching for any traffic
If you’ve created your ACL with the Access Control Entries, what do you need to do to actually get them to work?
You need to enable it on the interface or VLAN with the access-group command
How many ACLs can you have on one interface per direction?
1
Why can you only have 1 ACL per direction on an interface?
Because if you have multiple ACLs going outbound or inbound, then the router will not know which one to actually apply
What is a good way to think about which direction to apply the ACL?
Think about the way traffic flows.
How would you configure an access group on an interface or VLAN?
int {int} or int {vlan}
ip access-group {number} {direction}
Example:
int fa0/1
ip access-group 100 in
or
int vlan 10
ip access-group 100 out
What is a command to show which access groups are applied to an interface?
show ip int {int} | include access-list
True or False: Precedence for ACLs goes from Bottom to Top
False. They go from top to bottom
Why is it important that ACL precedence goes from Top to Bottom?
Because if a more targeted ACE was put AFTER a broader one, then the broader one would take precedence because it came first and the router would stop at the first match
In this scenario:
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 deny host 10.10.10.10
Would 10.10.10.10 be denied or permitted?
It would be permitted because the permit entry for 10.10.10.0/24 came first and the router would process that and then stop processing anything after it
What increments are ACLs numbered in?
Increments of 10
Why are the numbered increments on the entries important?
In case you need to inject another entry in the future
How would you inject another entry into an already established ACL with numbers 10,20,30 and 40 but you need it to take second priority?
The scenario is you want to deny TCP traffic from host 10.10.10.11 to destination host 10.10.50.10 on the destination telnet port
ip access-list extended {number}
15 deny tcp host 10.10.10.11 host 10.10.50.10 eq telnet
True or False: there is an implicit deny any any rule at the bottom of every ACL
True
True or False: If an ACL is not applied to an interface, all traffic is denied
False, all traffic is allowed at that point
True or False: All traffic is denied except what is explicitly allowed due to the implied deny any any rule at the bottom the of ALL ACLs
True
What can we infer from this ACE in terms of permit rules?
access-list 1 permit 10.10.10.0 0.0.0.255
All traffic will be denied except traffic from 10.10.10.0 0.0.0.255
What are these ACEs doing?
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 deny any log
Permitting any traffic from 10.10.10.0/24
Denying all other traffic and logging any illegal traffic
If you want to reverse the implicit deny any any rule so that ALL traffic is permitted except what is explicitly denied, how would you achieve this?
Add a permit any rule at the bottom of your entries
Which would have precedence? An explicit permit any rule at the bottom of an ACL or an implicit deny any any at the bottom of the ACL?
The permit any rule would take precedence because it would be above the deny any any rule implicitly at the bottom