Access Control Lists Flashcards
What are ACLs? (mcq)
An access list is an ordered list of permit/deny statements (filters) that the router tests against each packet from the top down. The first statement that matches decides the packet's fate, and every ACL ends with an implicit "deny any", so a packet that matches nothing is dropped.
ACL decision points (mcq)
IP source address
IP destination addresses
Protocol (TCP, UDP, ICMP and others)
upper-layer (TCP/UDP) port numbers
Standard IP ACLs
Can only filter on the source IP address (numbered 1-99 and 1300-1999)
Extended IP ACLs Filters
Can filter on:
- Source IP address
- Destination IP address
- Protocol (TCP, UDP)
- Port Numbers (Telnet – 23, http – 80, etc.)
- and other parameters
ACL statement
RouterB(config)#access-list 10 permit 172.16.30.2
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255
RouterB(config)# interface e 0
RouterB(config-if)# ip access-group 10 in
‘host’ statement
RouterB(config)#access-list 10 permit 192.168.1.100 0.0.0.0
RouterB(config)#access-list 10 permit host 192.168.1.100
Wildcard Masks
Tells the router which bits of the packet's source (or destination) IP address must match the address in the ACL statement: a 0 bit in the wildcard means the corresponding address bit must match, a 1 bit means "don't care". The wildcard is the bitwise inverse of the subnet mask (a /24 subnet mask of 255.255.255.0 is a wildcard of 0.0.0.255).
Access lists need to use wildcard masks when defining a network. Subnet masks DO NOT work: the router does not reject a subnet mask typed in the wildcard position, it silently treats it as a wildcard, so the statement matches the wrong addresses.
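The following Python example, added here and not part of the original flashcards, implements the IOS matching rule described above so the subnet-mask mistake can be seen rather than just stated. It converts between subnet masks and wildcards and tests packet addresses against an ACL address/wildcard pair; the addresses in the demo are constructed for illustration.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def subnet_mask_to_wildcard(mask: str) -> str:
    """A wildcard mask is the bitwise inverse of the subnet mask."""
    return _to_dotted(_to_int(mask) ^ ALL_ONES)


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard that covers a /prefix_len network (e.g. /24 -> 0.0.0.255)."""
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return _to_dotted(subnet_mask ^ ALL_ONES)


def acl_matches(packet_ip: str, acl_ip: str, wildcard: str) -> bool:
    """IOS matching rule: where the wildcard bit is 0 the packet bit must equal
    the ACL address bit; where the wildcard bit is 1 the packet bit is ignored."""
    care_bits = _to_int(wildcard) ^ ALL_ONES
    return ((_to_int(packet_ip) ^ _to_int(acl_ip)) & care_bits) == 0


def addresses_covered(wildcard: str) -> int:
    """Each 1 bit in the wildcard doubles the number of addresses a statement matches."""
    return 1 << bin(_to_int(wildcard)).count("1")


if __name__ == "__main__":
    # Correct: "permit 192.168.1.0 0.0.0.255" covers the whole /24.
    print(acl_matches("192.168.1.77", "192.168.1.0", "0.0.0.255"))   # True
    # Wrong: a subnet mask typed as the wildcard only cares about the last octet,
    # so a host inside the /24 does NOT match ...
    print(acl_matches("192.168.1.77", "192.168.1.0", "255.255.255.0"))  # False
    # ... while any address at all that ends in .0 does.
    print(acl_matches("10.9.8.0", "192.168.1.0", "255.255.255.0"))     # True
    # "host 192.168.1.100" is the same as wildcard 0.0.0.0: exactly one address.
    print(addresses_covered("0.0.0.0"), addresses_covered("0.0.0.255"))  # 1 256
```

Wildcards need not be contiguous: `172.16.0.0 0.0.1.255` covers 172.16.0.0 through 172.16.1.255 (512 addresses), and `addresses_covered` reports the size of any such set.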
Extended Access Lists statement (ref image)
access-list number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
access-list 100 permit tcp <source> <source-wildcard> <destination> <destination-wildcard> eq 21
(A port test such as eq 21 is only valid when the protocol is tcp or udp; with protocol ip the statement matches every protocol and takes no port operator.)
Why use Extended Access Lists (mcq)
Provide a greater range of control
Gives greater flexibility to describe what the ACL will check
Checks the source and destination packet addresses as well as being able to check for protocols and port numbers.
Packets can be permitted or denied access based on where the packet originated and its destination as well as protocol type and port addresses
Named ACLs statement
ip access-list {extended | standard} name
permit 10.1.1.1
deny any
Named ACLs advantages (match)
Intuitively identify an ACL using an alphanumeric name.
Eliminate the limit of 798 simple and 799 extended ACLs
Named ACLs provide the ability to modify ACLs without deleting and then reconfiguring them.
Note that on older IOS releases a named access list allows the deletion of individual statements but only allows new statements to be appended at the end of the list. Since IOS 12.3 every statement carries a sequence number, so a statement can be inserted at any position (for example "15 permit host 10.1.1.2" goes between sequence numbers 10 and 20).
Even with named ACLs it is a good idea to build them in a text editor and paste the finished list into the router, so the entries go in as one reviewed unit.
Named Standard ACLs statement
ip access-list {standard | extended} name
[permit | deny | remark] {source [source-wildcard]} [log]
ip access-group name {in | out}
ip access-list standard Sample
permit host 10.10.10.104
deny 10.10.10.0 0.0.0.255
permit any
(IOS ACLs do not accept prefix-length notation such as 10.10.10.1/24; the network must be written as an address and wildcard. The permit for the single host comes first because evaluation stops at the first match.)
TCP Established ACLs
An ACL built around the TCP established keyword blocks all traffic coming from the Internet except the TCP reply traffic associated with connections initiated from the inside of the network.
Forces the router to check whether the TCP ACK control flag (or the RST flag) is set in the segment.
If the ACK (or RST) flag is set, the segment is treated as part of an existing conversation and is allowed in.
If not, the segment is assumed to be the start of a new connection initiated from the outside (a SYN), so it is dropped by the following deny or by the implicit deny.
This does not implement a stateful firewall on the router: no connection table is kept, only the flag bits are inspected. Anything from outside that sets the ACK bit and fits the address/port test, for example an ACK scan, passes the filter.
TCP Established ACLs statement
access-list 100 permit tcp any eq 443 192.168.1.0 0.0.0.255 established
access-list 100 deny ip any any
int s0/0/0
ip access-group 100 in
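The following Python example, added here and not part of the original flashcards, models how the router evaluates access-list 100 above: first match wins, the implicit deny catches everything else, and "established" only looks at the ACK/RST bits. The packets are constructed test inputs using documentation address ranges; the evaluator is a simplified model of IOS behaviour written for this page, not IOS code.

```python
from dataclasses import dataclass
from typing import Optional, List
import ipaddress

ALL_ONES = 0xFFFFFFFF
ANY = ("0.0.0.0", "255.255.255.255")  # the IOS keyword "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    sport: Optional[int] = None      # "eq <port>" on the source, None = any port
    dport: Optional[int] = None      # "eq <port>" on the destination
    established: bool = False


def _wc_match(packet_ip: str, acl_ip: str, wildcard: str) -> bool:
    """Wildcard semantics: 0 bits must match, 1 bits are ignored."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES
    diff = int(ipaddress.IPv4Address(packet_ip)) ^ int(ipaddress.IPv4Address(acl_ip))
    return (diff & care) == 0


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not _wc_match(p.src, e.src, e.src_wc) or not _wc_match(p.dst, e.dst, e.dst_wc):
        return False
    if e.sport is not None and p.sport != e.sport:
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    # "established" is satisfied by ACK or RST; no connection state is consulted.
    if e.established and not (p.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"


# access-list 100 permit tcp any eq 443 192.168.1.0 0.0.0.255 established
# access-list 100 deny ip any any
ACL_100 = [
    Entry("permit", "tcp", *ANY, "192.168.1.0", "0.0.0.255", sport=443, established=True),
    Entry("deny", "ip", *ANY, *ANY),
]

# Constructed sample traffic arriving inbound on s0/0/0.
HTTPS_REPLY = Packet("203.0.113.10", "192.168.1.20", "tcp", 443, 51000, frozenset({"ACK"}))
NEW_INBOUND_SYN = Packet("198.51.100.5", "192.168.1.20", "tcp", 40000, 443, frozenset({"SYN"}))
SPOOFED_SPORT_SYN = Packet("198.51.100.5", "192.168.1.20", "tcp", 443, 22, frozenset({"SYN"}))
ACK_SCAN_PROBE = Packet("198.51.100.5", "192.168.1.20", "tcp", 443, 22, frozenset({"ACK"}))
DNS_REPLY = Packet("203.0.113.53", "192.168.1.20", "udp", 53, 5353)

if __name__ == "__main__":
    for name, pkt in [("https reply", HTTPS_REPLY), ("new inbound SYN", NEW_INBOUND_SYN),
                      ("SYN from port 443", SPOOFED_SPORT_SYN),
                      ("ACK probe from port 443", ACK_SCAN_PROBE), ("udp dns reply", DNS_REPLY)]:
        print(f"{name:24s} -> {evaluate(ACL_100, pkt)}")
```

The ACK probe case is the caveat from the card: an outside host that sets the ACK bit and uses source port 443 is permitted to any inside port, because the router has no record of which connections the inside actually opened. The UDP reply is denied because the established permit is TCP-only; a real deployment needs separate entries (or a stateful inspection feature) for UDP and ICMP return traffic.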
host
The host option substitutes for the 0.0.0.0 wildcard mask.
Requires that all 32 bits of the ACL address and the packet address match.
This option will match just one address.