Access Control Lists (ACL) Flashcards
What are ACLs?
Access Control Lists
They control which devices have access to which parts of the network. They instruct the router to permit or discard specific traffic. ACLs can filter traffic based on source IP address, destination IP address, protocol type, port numbers, etc. They are made up of one or more Access Control Entries (ACEs).
Where are ACLs configured?
In global configuration mode on the router, and they must then be applied to an interface. They are applied inbound or outbound.
Does the order of Access Control Entries (ACE) in the ACLs matter?
Yes, they are checked from top to bottom. If a packet matches the condition in an ACE, the router takes the action in that ACE and the remaining entries are ignored.
How many ACLs are allowed on one interface?
A maximum of one ACL can be applied to a single interface per direction (one inbound, one outbound). If you apply more than one, the next ACL will replace the previous.
What happens if a packet doesn't match any condition in the ACEs?
It is implicitly denied. There is an implicit deny at the end of every ACL.
What are the 2 main types of ACLs?
Standard ACLs (match on source IP only)
* Standard Numbered ACLs
* Standard Named ACLs
Extended ACLs (match on source/destination IP, source/destination port, etc.)
* Extended Numbered ACLs
* Extended Named ACLs
What number range can Standard ACLs use?
1-99 and 1300-1999
What number range can Extended ACLs use?
100-199 and 2000-2699
What command is used to configure a standard numbered ACL?
For a network:
R1(config)# access-list [number] {deny | permit} [IP] [wildcard-mask]
For a specific host:
R1(config)# access-list [number] {deny | permit} host [IP]
or
R1(config)# access-list [number] {deny | permit} [host-IP]
(with no wildcard mask, the entry matches that single host)
How to add a description to an ACL?
Using a remark:
R1(config)# access-list [number] remark [description]
Command to view your ACLs?
R1(config)# do show access-lists
Command to apply your ACLs to an interface?
R1(config-if)# ip access-group [number] {in | out}
What command is used to configure a standard named ACL?
R1(config)# ip access-list standard [ACL-name]
R1(config-std-nacl)# [entry-number] {deny | permit} [IP] [wildcard-mask]
If you want to delete a specific ACE in an ACL, how do you do it?
Use named ACL config mode:
R1(config-std-nacl)# no [ACE number]
If you don't use named ACL config mode, you'll end up deleting the entire ACL and having to recreate it.
How to add a new entry to an ACL?
Use named ACL config mode:
R1(config-std-nacl)# [ACE number] [ACE]
Can only be done in named ACL config mode.
How to re-sequence an ACL?
R1(config)# ip access-list resequence [ACL ID] [starting sequence number] [increment]
It changes the starting sequence number and the amount by which each consecutive entry is incremented.
How to configure an extended ACL entry matching a layer 4 protocol/port, source address and destination address?
Numbered:
R1(config)# access-list [number] [permit | deny] [protocol] [src-ip] [dest-ip]
Named:
R1(config)# ip access-list extended [name]
R1(config-ext-nacl)# [seq-number] [permit | deny] [protocol] [src-ip] [dest-ip]
What extended ACL entry would allow all traffic?
R1(config-ext-nacl)# permit ip any any
How to specify port numbers in an extended ACL?
R1(config-ext-nacl)# [permit | deny] [protocol] [src-ip] [eq | gt | lt | neq | range] [src-port-num] [dest-ip]
eq = equal
gt = greater than
lt = less than
neq = not equal
range = a range of ports (specified with two port numbers)