ACLs Flashcards

1
Q

ACLs Overview

A

ACLs are used both for security filtering and in other policies that first have to identify traffic, for example:

Identify traffic that should get better service in a QoS policy
Identify traffic whose addresses should be translated in a NAT policy

2
Q

ACEs

A

Access Control Entries:
An ACL is an ordered list of ACEs
Each ACE is a single line that says permit or deny for one traffic description

3
Q

Original Implementation: Standard vs. Extended ACLs

A

Standard ACLs match on the source address only

Extended ACLs match on protocol, source address, destination address, and port numbers

Standard ACL range: 1 - 99
Extended ACL range: 100 - 199

4
Q

ACL Improvement: Expanded Ranges

A

Cisco later expanded the original numbered ACL ranges; the added ranges behave exactly like the originals

Standard: 1 - 99 | 1300 - 1999

Extended: 100 - 199 | 2000 - 2699

5
Q

Standard Access List Example

A

access-list 1 deny 10.10.10.10 0.0.0.0

access-list 1 permit 10.10.10.0 0.0.0.255

The wildcard 0.0.0.0 means every bit must match, so the first line denies the single host 10.10.10.10. In a standard ACL the wildcard mask is optional and defaults to 0.0.0.0, so "access-list 1 deny 10.10.10.10" is equivalent. The second line then permits the rest of 10.10.10.0/24; the order matters, because a packet from 10.10.10.10 would be permitted if the lines were swapped.

6
Q

Extended Access List Example

A

access-list 100 deny tcp 10.10.10.10 0.0.0.0 gt 49151 10.10.50.10 0.0.0.0 eq 23
--> gt 49151 = source port greater than 49151 (an ephemeral client port); eq 23 = destination port 23 (telnet)

access-list 100 permit tcp 10.10.10.0 0.0.0.255 gt 49151 10.10.50.10 0.0.0.0 eq telnet
--> "eq telnet" is the same as "eq 23"; IOS accepts well-known port names in place of numbers

Extended ACLs have no default wildcard mask: every source and destination address needs an explicit wildcard (or the host/any keyword)

7
Q

ACL Improvement: Named ACLs

A

ACLs can be referenced by number or by name
Named ACLs are created with "ip access-list" instead of "access-list", which enters a sub-configuration mode where each ACE is typed on its own line without the "access-list" prefix

Example:
ip access-list standard Flackbox-Demo
 deny 10.10.10.10 0.0.0.0
 permit 10.10.10.0 0.0.0.255

Specify standard or extended immediately after "ip access-list"; this decides which fields each ACE may contain

8
Q

ACL Syntax #1: Action

A

deny - Drop packets that match this entry
permit - Forward packets that match this entry
remark - A comment line stored in the ACL; it is never matched against traffic

9
Q

ACL Syntax #2: Protocol

A

Use tcp or udp when the ACE should apply to a particular application (identified by port number) between a source and destination address

Use ip when the ACE should apply to all traffic between a source and destination address, regardless of protocol

Other protocols:
ahp
eigrp
esp
gre
icmp
ospf
10
Q

ACL Syntax #3: Source

A

A.B.C.D - Source network address, followed by a wildcard mask
any - Any source host (equivalent to 0.0.0.0 255.255.255.255)
host - A single source host (equivalent to a wildcard mask of 0.0.0.0)

11
Q

ACL Syntax #4: Wildcards

A

The host and any keywords are shorthand that save typing out the wildcard mask

These pairs mean the same thing:
access-list 100 permit tcp 10.10.10.10 0.0.0.0
access-list 100 permit tcp host 10.10.10.10

access-list 100 permit tcp 0.0.0.0 255.255.255.255
access-list 100 permit tcp any
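The following is an added example, not part of the original flashcards, that makes the wildcard-mask rules from the standard ACL example and from this card concrete: a 0 bit in the wildcard must match, a 1 bit is ignored, so 0.0.0.0 selects one host, 255.255.255.255 selects everything, and the host/any keywords are just spelling. The function names and the sample addresses are my own.

```python
# Added example (not from the flashcards): Cisco-style wildcard mask matching.
import ipaddress


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """A wildcard bit of 0 means 'must match', 1 means 'don't care'
    (the inverse of a subnet mask). Compare only the 'must match' bits."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(ip) & care) == (to_int(network) & care)


def parse_source(tokens: list[str]) -> tuple[str, str, list[str]]:
    """Expand the address shorthand used in an ACE into an explicit
    network/wildcard pair. Returns (network, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def expand_shorthand(ace: str) -> str:
    """Rewrite every 'host X' and 'any' in an ACE into the long form."""
    out, tokens, i = [], ace.split(), 0
    while i < len(tokens):
        if tokens[i] == "host":
            out += [tokens[i + 1], "0.0.0.0"]
            i += 2
        elif tokens[i] == "any":
            out += ["0.0.0.0", "255.255.255.255"]
            i += 1
        else:
            out.append(tokens[i])
            i += 1
    return " ".join(out)


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /N network: the bitwise NOT of the subnet mask."""
    mask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return str(ipaddress.IPv4Address(~int(mask) & 0xFFFFFFFF))


if __name__ == "__main__":
    # Constructed sample addresses, matching the flashcards' 10.10.10.0/24 lab.
    print(wildcard_match("10.10.10.10", "10.10.10.10", "0.0.0.0"))    # host form
    print(wildcard_match("10.10.10.200", "10.10.10.0", "0.0.0.255"))  # whole /24
    print(wildcard_match("10.10.11.1", "10.10.10.0", "0.0.0.255"))    # outside it
    print(expand_shorthand("access-list 100 permit tcp host 10.10.10.10 any eq 23"))
    print(wildcard_from_prefix(24), wildcard_from_prefix(30))
    # Wildcards need not be contiguous: 0.0.0.254 ignores every bit of the
    # last octet except the lowest, so it selects the even-numbered hosts.
    print(wildcard_match("10.10.10.4", "10.10.10.0", "0.0.0.254"),
          wildcard_match("10.10.10.5", "10.10.10.0", "0.0.0.254"))
```

The non-contiguous case at the end is worth remembering when reading someone else's ACL: a wildcard that is not a simple inverted subnet mask still parses, and it may select a stranger set of hosts than its author intended.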

12
Q

ACL Syntax #5: Source Port Number

A

Specifying a source port is optional; if it is omitted, any source port matches

After the source address, IOS offers both the port operators and the destination fields, because you may skip straight to the destination:

access-list 100 permit tcp 10.10.10.0 0.0.0.255 ?

A.B.C.D - Destination address
any - Any destination host
eq - Match only packets on a given port number
gt - Match only packets with a greater port number
host - A single destination host
lt - Match only packets with a lower port number
neq - Match only packets not on a given port number
range - Match only packets in the range of port numbers

13
Q

ACL Syntax #6: Destination

A

Same format as the source address: A.B.C.D with a wildcard mask, any, or host

14
Q

ACL Syntax #7: Final Options

A

Additional options are available after the destination address, such as the destination port, TCP flags, and logging

access-list 100 permit tcp host 10.10.10.10 10.10.20.0 0.0.0.255 ?

ack - Match on the ACK bit
eq - Match only packets on a given port number
established - Match established connections (TCP segments with the ACK or RST bit set, so a new connection's initial SYN does not match)
fin - Match on the FIN bit
gt - Match only packets with a greater port number
log - Log matches against this entry
log-input - Log matches against this entry, including the input interface
lt - Match only packets with a lower port number
neq - Match only packets not on a given port number
range - Match only packets in the range of port numbers
rst - Match on the RST bit
syn - Match on the SYN bit
urg - Match on the URG bit

15
Q

Command: Verify ACLs

A

show access-lists 100

(Specify the number or name at the end; omit it to display every ACL)

The output includes a per-ACE match counter. The "log" keyword is not required for these hit counts; it generates a syslog message for each match (rate-limited) to the console or a syslog server, and because that costs CPU it is normally used only on selected entries such as a final explicit deny

16
Q

Access Groups

A

ACLs are applied at the interface level with the "ip access-group" command

ACLs can be applied in the inbound or outbound direction, and an interface takes at most one ACL per direction

So an interface can have no ACL, an inbound ACL only, an outbound ACL only, or one in each direction, but never two inbound or two outbound ACLs

17
Q

Command: Configure access groups on interface G0/1

A

interface g0/1
 ip access-group 100 out
 ip access-group 101 in

Here ACL 100 filters traffic leaving G0/1 and ACL 101 filters traffic entering it; each direction takes exactly one ACL

18
Q

Command: Verify access list information on interface F1/0

A

show ip interface f1/0 | include access list

19
Q

ACE Order

A

The router reads the ACL from top to bottom

As soon as an ACE matches the packet, its permit or deny action is applied and the rest of the ACL is not evaluated
The order of entries therefore matters: put specific entries above general ones, because a broad permit placed above a narrower deny makes the deny unreachable

20
Q

Injecting ACEs in an existing ACL

A

ACEs are automatically given sequence numbers in increments of 10

Inserting an ACE into an existing ACL was introduced for named ACLs, but numbered ACLs now support it too by entering them through "ip access-list"

Example:
ip access-list extended 110
 15 deny tcp host 10.10.10.11 host 10.10.50.10 eq telnet

The leading 15 places the entry between sequence numbers 10 and 20 (the default increment is 10). An entry typed without a sequence number is appended after the last one. If the numbers get crowded, "ip access-list resequence" renumbers the list with a fresh start value and step

21
Q

Implicit Deny All

A

There is an implicit deny-all entry at the bottom of every ACL ("deny any" for standard, "deny ip any any" for extended); it is not shown in the configuration or in "show access-lists"
If no ACL is applied to an interface, all traffic is allowed
If an ACL is applied, all traffic is denied except what an explicit permit entry allows, so an ACL containing only deny statements blocks everything
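The following is an added example, not part of the original flashcards, that simulates how IOS walks an ACL: ACEs are tried in sequence-number order, the first match decides, an entry injected at sequence 15 is consulted before the broad permit at 20, and anything left over falls through to the implicit deny. It reuses the telnet ACL from the extended-ACL card and the injected entry from the previous card, and also models the "established" keyword from the final-options card. The packet format, class names and sample packets are my own constructions, not captured traffic.

```python
# Added example (not from the flashcards): top-down, first-match ACL evaluation
# with sequence numbers, per-entry hit counters and the implicit deny.
from dataclasses import dataclass
import ipaddress


def wc_match(ip: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def port_match(op, value, port: int) -> bool:
    """Port operators as the IOS parser offers them; op None means 'any port'."""
    if op is None:
        return True
    if op == "eq":
        return port == value
    if op == "neq":
        return port != value
    if op == "gt":
        return port > value
    if op == "lt":
        return port < value
    if op == "range":
        return value[0] <= port <= value[1]
    raise ValueError(f"unknown port operator {op!r}")


@dataclass
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every IP protocol
    src: tuple                   # (network, wildcard); any = ("0.0.0.0", "255.255.255.255")
    dst: tuple
    sport: tuple = (None, None)  # (operator, value); default = any port
    dport: tuple = (None, None)
    established: bool = False
    hits: int = 0                # what "show access-lists" prints as "(N matches)"

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not wc_match(pkt["src"], *self.src) or not wc_match(pkt["dst"], *self.dst):
            return False
        if not port_match(*self.sport, pkt.get("sport", 0)) or not port_match(*self.dport, pkt.get("dport", 0)):
            return False
        # 'established' only matches segments carrying ACK or RST, so a fresh SYN is excluded
        if self.established and not (pkt.get("flags", set()) & {"ACK", "RST"}):
            return False
        return True


class Acl:
    def __init__(self) -> None:
        self.aces: list[Ace] = []
        self.implicit_deny_hits = 0  # IOS does not show this counter; kept here to make it visible

    def add(self, ace: Ace) -> None:
        """Insert by sequence number, as '15 deny ...' does under 'ip access-list extended 110'."""
        self.aces.append(ace)
        self.aces.sort(key=lambda a: a.seq)

    def evaluate(self, pkt: dict) -> str:
        """Top-down, first match wins; no match falls through to the implicit deny."""
        for ace in self.aces:
            if ace.matches(pkt):
                ace.hits += 1
                return ace.action
        self.implicit_deny_hits += 1
        return "deny"


def build_demo_acl() -> Acl:
    """The flashcards' ACL 110 telnet example plus the injected sequence-15 entry."""
    acl = Acl()
    acl.add(Ace(10, "deny", "tcp", ("10.10.10.10", "0.0.0.0"), ("10.10.50.10", "0.0.0.0"),
                sport=("gt", 49151), dport=("eq", 23)))
    acl.add(Ace(20, "permit", "tcp", ("10.10.10.0", "0.0.0.255"), ("10.10.50.10", "0.0.0.0"),
                sport=("gt", 49151), dport=("eq", 23)))
    # Injected later: lands between 10 and 20, so it is checked before the broad permit.
    acl.add(Ace(15, "deny", "tcp", ("10.10.10.11", "0.0.0.0"), ("10.10.50.10", "0.0.0.0"),
                dport=("eq", 23)))
    return acl


def telnet(src: str, sport: int = 50000, dport: int = 23, flags=None) -> dict:
    """Constructed sample packet (not captured traffic) heading for the telnet server."""
    return {"proto": "tcp", "src": src, "sport": sport, "dst": "10.10.50.10",
            "dport": dport, "flags": flags or {"SYN"}}


if __name__ == "__main__":
    acl = build_demo_acl()
    for pkt in (telnet("10.10.10.10"), telnet("10.10.10.11"), telnet("10.10.10.12"),
                telnet("10.10.10.12", dport=22), telnet("10.10.10.12", sport=1024)):
        print(f"{pkt['src']}:{pkt['sport']} -> :{pkt['dport']}  {acl.evaluate(pkt)}")
    for ace in acl.aces:  # the per-entry view "show access-lists 110" gives you
        print(f"{ace.seq} {ace.action} tcp ... ({ace.hits} matches)")
    print("implicit deny:", acl.implicit_deny_hits)
```

Running it shows 10.10.10.10 and 10.10.10.11 denied by entries 10 and 15, 10.10.10.12 permitted by entry 20, and the SSH attempt and the low-source-port packet both landing on the implicit deny, which is exactly the kind of drop that stays invisible until you add an explicit "deny ip any any log" at the end.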

22
Q

Explicit Deny All

A

Many organizations add an explicit deny-all entry at the end of their ACLs so that denied traffic is counted and logged (the implicit deny produces no counter or log message)

Example:
access-list 1 deny any log

23
Q

Explicit Permit All

A

If an ACL is applied, all traffic is denied except what is explicitly permitted

To reverse this so that everything is permitted except what is explicitly denied, add a permit-all entry at the end of the ACL; every deny must then sit above it, since anything below it is unreachable

Example:
access-list 1 permit any

24
Q

Traffic Source from Router

A

An outbound ACL on an interface does not filter traffic that the router itself generates, such as its routing protocol updates or pings sourced from the router. An inbound ACL does filter everything arriving on the interface, including packets addressed to the router itself, so a restrictive inbound ACL can cut off management access or routing adjacencies if those are not explicitly permitted