ACLs, Route Maps, Prefix Lists Flashcards

1
Q

What are common places where you would see an ACL being used?

A

QoS
NAT statements
Class-Maps
Route-Maps
VLANs
Switchports

2
Q

What is one caveat that should be noted regarding outbound ACLs applied to a Router’s interface?

A

Traffic generated by the router will not be caught by the ACL (deny)

3
Q

What are the valid numbers for standard ACLs?

A

1-99 and 1300 - 1999

4
Q

What is the restriction of using standard ACLs?

A

Only the source IP address information can be filtered

5
Q

What is the basic syntax for a standard numbered ACL?

A

R1(config)# access-list {number} {permit | deny} {ip-address} {wildcard-mask} [log]

AND/OR

R1(config)# access-list {number} {permit | deny} host {ip-address}

AND/OR

R1(config)# access-list {number} {permit | deny} any

6
Q

What is the basic syntax for a standard named ACL?

A

R1(config)# ip access-list standard NAME
R1(config-std-nacl)# [seq-num] {permit | deny} {ip-address | any | host} [wildcard] [log]

Example:

R1(config)# ip access-list standard ACL_1
R1(config-std-nacl)# 30 permit 10.55.44.0 0.0.0.255 log

7
Q

What is the command to apply a standard access-list to an interface?

A

R1(config-if)# ip access-group {number} {in | out}

8
Q

What is the advantage of using a named standard ACL over a numbered ACL?

A

Flexibility to edit later by using sequence numbers

9
Q

What are the advantages of using extended ACLs over standard ACLs?

A
  • filter on source and/or destination IP address
  • filter on source and/or destination port/protocol
10
Q

What are the numbers available to use for extended numbered ACLs?

A

100 - 199 and 2000 - 2699

11
Q

What is the basic syntax to create a named extended ACL?

A

R1(config)# ip access-list extended NAME
R1(config-ext-nacl)# [seq] {permit | deny} {ip | udp | tcp} {src-address} {src-wildcard} {dest-address} {dest-wildcard} [eq {port-number}] [log]

Example:

R1(config)# ip access-list extended ACL_101
R1(config-ext-nacl)# 90 permit tcp 10.99.0.0 0.0.255.254 200.11.22.0 0.0.0.255 eq 443 log

12
Q

What is the most common use of a Prefix List?

A

Match network ranges for the purpose of route filtering

13
Q

What is the command structure for a Prefix List?

A

R1(config)# ip prefix-list [seq {number}] {network-prefix}/{mask-bits} {le | ge} {prefix-length} [{ge | le} {prefix-length}]

Example: R1(config)# ip prefix-list 10.2.1.0/24 le 24

NOTE: the network-prefix is commonly called the high-order bit pattern and the mask is usually called the high-order bit-count.

14
Q

What is the key reason to use a Prefix List over an Access List?

A

The ability to match multiple network ranges with a single statement (by way of the “le” and “ge” function).

15
Q

What are the rules that dictate how Prefix Lists function?

A
  • if not defined, sequence numbers begin with 5 and increment by 5
  • Processing stops after the first top-down entry is matched
  • implicit “deny all” at the end of the Prefix List
16
Q

How do the “le” and “ge” functions evaluate an IP address against the Prefix-List entry?

A

First it looks at the high-order bit pattern and length to determine the range of possible addresses. Then the “le” and “ge” functions can determine a more specific range of addresses within the given.

NOTE: if using “ge” and “le” in the same statement, “ge” must come first

17
Q

Given the Prefix List, which of the following IP address ranges would match?

ip prefix-list MY_LIST seq 10 10.96.0.0/14 ge 26

1.) 10.99.0.32 255.255.255.0
2.) 10.77.0.54 255.255.255.255
3.) 10.99.45.99 255.255.255.248
4.) 10.97.44.87 255.255.254.0
5.) 10.98.98.114 255.255.255.224

A

3.) 10.99.45.99 255.255.255.248

5.) 10.98.98.114 255.255.255.224

The addresses fall within the 10.96.0.0 - 10.99.255.255 range and the subnet mask bits are greater than or equal to 26

18
Q

Given the Prefix List, which of the following IP address ranges would match?

ip prefix-list MY_LIST seq 30 192.168.0.0/18 ge 23 le 29

1.) 192.168.0.1 255.255.255.252
2.) 192.168.65.1 255.255.255.250
3.) 192.168.20.128 255.255.255.248
4.) 192.168.63.66 255.255.254.0
5.) 192.168.15.1 255.255.252.0

A

3.) 192.168.20.128 255.255.255.248
4.) 192.168.63.66 255.255.254.0

The addresses fall within the 192.168.0.0 - 192.168.63.255 range and the subnet mask bits are greater than or equal to 23 AND less than or equal to 29

19
Q

What are the most common uses for Route Maps?

A
  • Filtering or redistribution of routes for common routing protocols such as BGP, OSPF, EIGRP and RIP
  • Manipulation of BGP attributes
20
Q

Much like access lists, what is implied at the end of a Route Map?

A

An implicit “deny all”

21
Q

What rules dictate the way Route Maps function?

A
  • If not specified upon declaration, then “permit” is the default
  • If not specified upon declaration, the sequence number begins at “10” and increments by values of 10
  • If a match statement is not included, the Route Map will match all network prefixes by default
  • When an entry is matched, the sub-entries (options) will process, then no other entries will be processed.
22
Q

When using the ‘match ip address’ statement in a route map, what are the only three things that can be used to match IP addresses?

A
  • Access List Name
  • Access List Number
  • Prefix-Lists
23
Q

When specifically being used for BGP, what BGP attributes can be matched on with a Route Map?

A
  • AS-Path (match as-path {AS-ACL-number})
  • Local Preference (match local-preference {preference})
  • Metric (match metric)
  • Tag (match tag {tag})
24
Q

When specifically being used for BGP, what BGP attributes can be set with a Route Map?

A
  • as-path prepend
  • ip next-hop
  • local-preference
  • metric
  • origin
  • tag
  • weight
25
Q

What is the first command you would need to create a Route Map?

A

R1(config)# route-map NAME [permit | deny] [sequence-num]

Example: R1(config)# route-map BGP_FILTER permit 20

26
Q

What is the command you would need to match against IP addresses in an ACL named BGP_ACL?

A

R1(config-route-map)# match ip address BGP_ACL

27
Q

What is the command you would need to match against IP addresses in a Prefix List named BGP_LIST?

A

R1(config-route-map)# match ip address prefix-list BGP_LIST

28
Q

What is the command you would need to set the BGP local preference from a Route Map?

A

R1(config-route-map)# set local-preference {number}

29
Q

What is the command you would need to prepend a BGP AS number using a Route Map?

A

R1(config-route-map)# set as-path prepend {AS-number}