ACLs, Route Maps, Prefix Lists Flashcards
Where are common places where you would see an ACL being used?
QoS
NAT statements
Class-Maps
Route-Maps
VLANs
Switchports
What is one caveat that should be noted regarding outbound ACLs applied to a Router’s interface?
Traffic generated by the router will not be caught by the ACL (deny)
What are the valid numbers for standard ACLs?
1-99 and 1300-1999
What is the restriction of using standard ACLs?
Only the source IP address information can be filtered
What is the basic syntax for a standard numbered ACL?
R1(config)# access-list {number} {permit | deny} {ip-address} {wildcard-mask} [log]
AND/OR
R1(config)# access-list {number} {permit | deny} host {ip-address} [log]
AND/OR
R1(config)# access-list {number} {permit | deny} any [log]
What is the basic syntax for a standard named ACL?
R1(config)# ip access-list standard NAME
R1(config-std-nacl)# [seq-num] {permit | deny} {ip-address | any | host} [wildcard] [log]
Example:
R1(config)# ip access-list standard ACL_1
R1(config-std-nacl)# 30 permit 10.55.44.0 0.0.0.255 log
What is the command to apply a standard access-list to an interface?
R1(config-if)# ip access-group {number} {in | out}
What is the advantage of using a named standard ACL over a numbered ACL?
Flexibility to edit later by using sequence numbers
What are the advantages of using extended ACLs over standard ACLs?
- filter on source and/or destination IP address
- filter on source and/or destination port/protocol
What are the numbers available to use for extended numbered ACLs?
100-199 and 2000-2699
What is the basic syntax to create a named extended ACL?
R1(config)# ip access-list extended NAME
R1(config-ext-nacl)# [seq] {permit | deny} {ip | udp | tcp} {src-address} {src-wildcard} {dest-address} {dest-wildcard} [eq {port-number}] [log]
Example:
R1(config)# ip access-list extended ACL_101
R1(config-ext-nacl)# 90 permit tcp 10.99.0.0 0.0.255.254 200.11.22.0 0.0.0.255 eq 443 log
What is the most common use of a Prefix List?
Match network ranges for the purpose of route filtering
What is the command structure for a Prefix List?
R1(config)# ip prefix-list NAME [seq {number}] {permit | deny} {network-prefix}/{mask-bits} [ge {prefix-length}] [le {prefix-length}]
Example: R1(config)# ip prefix-list MY_LIST permit 10.2.1.0/24 le 24
NOTE: the network-prefix is commonly called the high-order bit pattern and the mask is usually called the high-order bit-count.
What is the key reason to use a Prefix List over an Access List?
The ability to match multiple network ranges with a single statement (by way of the “le” and “ge” function).
What are the rules that dictate how Prefix Lists function?
- if not defined, sequence numbers begin with 5 and increment by 5
- Processing stops after the first top-down entry is matched
- implicit “deny all” at the end of the Prefix List
How do the “le” and “ge” functions evaluate an IP address against the Prefix-List entry?
First it looks at the high-order bit pattern and length to determine the range of possible addresses. Then the “le” and “ge” functions narrow that to a more specific range of prefix lengths within the given range.
NOTE: if using “ge” and “le” in the same statement, “ge” must come first
Given the Prefix List, which of the following IP address ranges would match?
ip prefix-list MY_LIST seq 10 10.96.0.0/14 ge 26
1.) 10.99.0.32 255.255.255.0
2.) 10.77.0.54 255.255.255.255
3.) 10.99.45.99 255.255.255.248
4.) 10.97.44.87 255.255.254.0
5.) 10.98.98.114 255.255.255.224
3.) 10.99.45.99 255.255.255.248
5.) 10.98.98.114 255.255.255.224
The addresses fall within the 10.96.0.0 - 10.99.255.255 range and the subnet mask bits are greater than or equal to 26
Given the Prefix List, which of the following IP address ranges would match?
ip prefix-list MY_LIST seq 30 192.168.0.0/18 ge 23 le 29
1.) 192.168.0.1 255.255.255.252
2.) 192.168.65.1 255.255.255.250
3.) 192.168.20.128 255.255.255.248
4.) 192.168.63.66 255.255.254.0
5.) 192.168.15.1 255.255.252.0
3.) 192.168.20.128 255.255.255.248
4.) 192.168.63.66 255.255.254.0
The addresses fall within the 192.168.0.0 - 192.168.63.255 range and the subnet mask bits are greater than or equal to 23 AND less than or equal to 29
What are the most common uses for Route Maps?
- Filtering or redistribution of routes for common routing protocols such as BGP, OSPF, EIGRP and RIP
- Manipulation of BGP attributes
Much like access lists, what is implied at the end of a Route Map?
An implicit “deny all”
What rules dictate the way Route Maps function?
- If not specified upon declaration, then “permit” is the default
- If not specified upon declaration, the sequence number begins at “10” and increments by values of 10
- If a match statement is not included, the Route Map will match all network prefixes by default
- When an entry is matched, the sub-entries (options) will process, then no other entries will be processed.
When using the ‘match ip address’ statement in a route map, what are the only three things that can be used to match IP addresses?
- Access Lists Name
- Access List Number
- Prefix-Lists
When specifically being used for BGP, what BGP attributes can be matched on with a Route Map?
- AS-Path (match as-path {AS-ACL-number})
- Local Preference (match local-preference {preference})
- Metric (match metric)
- Tag (match tag {tag})
When specifically being used for BGP, what BGP attributes can be set with a Route Map?
- as-path prepend
- ip next-hop
- local-preference
- metric
- origin
- tag
- weight
What is the first command you would need to create a Route Map?
R1(config)# route-map NAME [permit | deny] [sequence-num]
Example: R1(config)# route-map BGP_FILTER permit 20
What is the command you would need to match against IP addresses in an ACL named BGP_ACL?
R1(config-route-map)# match ip address BGP_ACL
What is the command you would need to match against IP addresses in a Prefix List named BGP_LIST?
R1(config-route-map)# match ip address prefix-list BGP_LIST
What is the command you would need to set the BGP local preference from a Route Map?
R1(config-route-map)# set local-preference {number}
What is the command you would need to prepend a BGP AS number using a Route Map?
R1(config-route-map)# set as-path prepend {AS-number}