Ch9 Access Control Lists - Theory

Question 1

Access Control Lists

Answer 1

Series of IOS commands that control whether a router forwards or drops packets based on information found in the packet header.

Question 2

Tasks Performed By ACLs (6)

Answer 2

1. Limit network traffic to increase network performance.
2. Provide traffic flow control (restrictt router / system updates).
3. Provide basic level of security for network access.
4. Filter traffic based on traffic type.
5. Screen hosts to permit or deny access to network services.
6. Select specific traffic to be analyzed / sorted / classified for other purposes.

Question 3

TCP Protocol Overview (3)

Answer 3

1. Connection Oriented Protocol.
2. Full-Duplex.
3. Uses Flow-Control and Congestion-control Mechanisms.

Question 4

FTP Port

Answer 4

21 TCP

Question 5

Telnet Port

Answer 5

23 TCP

Question 6

SMTP Port

Answer 6

25 TCP

Question 7

HTTP Port

Answer 7

80 TCP

Question 8

IMAP Port

Answer 8

143 TCP

Question 9

Internet Relay Chat (IRC) Port

Answer 9

194 TCP

Question 10

Secure HTTP Port

Answer 10

443 TCP

Question 11

Trivial File Transfer Protocol (TFTP) Port

Answer 11

69 UDP

Question 12

Routing Information Protocol (RIP) Port

Answer 12

520 UDP

Question 13

Where does Packet Filtering Occur

Answer 13

Works at Layer 3 (Network) and Layer 4 (Transport) OSI Model; Internet Layer TCP/IP Model

Question 14

Access Control Entries

Answer 14

aka: ACL Statements; The permit or deny statements that controls the behavior of an ACL.

Question 15

3 Items ACL Extracts from Layer 3 Packet Header

Answer 15

1. Source IP
2. Destination IP
3. ICMP Message Type

Question 16

2 Items ACL May Extract from Layer 4 Header

Answer 16

1. TCP / UDP Source

2. TCP / UDP Destination.

Question 17

2 Directional Forms of ACLs

Answer 17

1. Inbound ACL’s

2. Outbound ACL’s

Question 18

Inbound ACL

Answer 18

ACL whose entries are processed before the packet is routed to an outboard interface.

Question 19

When is it best to Inbound ACLs

Answer 19

When the network attached is the only source of packets that needs to be examined.

Question 20

Outbound ACL

Answer 20

ACL whose entries are processed after the packed has been routed to an outboard interface but before it has left the interface.

Question 21

When is it bet to use Outbound ACLs

Answer 21

When the same filter will be applied to multiple packets coming from multple inbound interfaces, but exiting the same outbound interface.

Question 22

Implicit Deny

Answer 22

Last statement of an ACL designed to block all traffic that is automatically inserted at the end of each ACL even though it has no actual entry in the list.

Question 23

Two Types of Cisco IPv4 ACLs

Answer 23

1. Standard ACL

2. Extended ACL.

Question 24

Standard ACL

Answer 24

ACL used to permit or deny traffic only from source IPv4 addresses.

Question 25

Extended ACL

Answer 25

ACL used to permit or deny traffic based on a variety of server attributes.

Question 26

Six Server Attributes That Can Apply to Extended ACLs

Answer 26

1. Protocol Type
2. Source IPv4 Address.
3. Destination IPv4 Address.
4. Source TCP / UDP Ports.
5. Destination TCP / UDP Ports
6. Optional protocol type information for finer. control.

Question 27

Where are ACLs created.

Answer 27

Global Configuration Mode.

Question 28

Standard ACL Number Ranges

Answer 28

1 to 99, 1300, and 1999

Question 29

Extended ACL Number Ranges

Answer 29

100 to 199 and 2000 to 2699

Question 30

Wildcard Mask

Answer 30

String of 32 binary digits used by the router to determine which bits of address to examine for a match.

Question 31

0’s Wildcard Significance

Answer 31

Match value of the corresponding bit.

Question 32

1’s Wildcard Significance

Answer 32

Ignore value of corresponding bit.

Question 33

Another Name for Wildcard Mask

Answer 33

Inverse Mask

Question 34

Calculating Wildcard Mask

Answer 34

Subtract specific network’s subnet mask from 255.255.255.255.

Question 35

Host Keyword

Answer 35

Substitutes for 0.0.0.0 WC mask. States that all IPv4 address bits must match exactly.

Question 36

Any Keyword

Answer 36

Substitutes 255.255.255.255 WC mask; ignore IPv4 address and accept any addresses.

Question 37

ACL Guidelines

Answer 37

1. Use ACLs in firewall routers between your internal and external networks.
2. Use ACLs on routers between two parts of your network to control traffic entering or exiting a specific part of your internal network.
3. Configure ACLs on border routers.
4. Configure ACLs for each network protocol configured on the border router interfaces.

Question 38

Three P’s Rule

Answer 38

1. One ACL Per Protocol on the interface.
2. One ACL per direction.
3. One ACL per interface.

Question 39

ACL Best Practices

Answer 39

1. Base your ACLs on the security policy of your organization.
2. Prepare a description of what you want your ACLs to do.
3. Use a text editor to create, edit, and save ACLs
4. Test your ACLs on a development network before implementing them on a production network.

Question 40

Where should Extended ACLs be placed on the network?

Answer 40

Ext. ACLs should be placed as close as possible to the source of the traffic to be filtered.

Question 41

Where should Standard ACLs be placed on the network?

Answer 41

Standard ACLs should be placed as close to the destination as possible.

Question 42

How BIg Can ACL Remarks Be ?

Answer 42

100 characters.

Question 43

Where Should Remarks Be Placed in an ACL.

Answer 43

Remarks can be placed before or after the ACE it pertains too. Creator must remember to be consistent in placement either all before or all after.

Question 44

What is the function of Established in Extended ACL Command?

Answer 44

Indicates an established connection; optional; used in TCP only.

Question 45

5 Common ACL Errors

Answer 45

1. Placing ACEs in an order such that a preceding Deny prevents a later Permit from taking effect.
2. Selecting wrong protocol / host / network address for an ACE may result in an implicit deny
3. Having protocol / host / network address in wrong location within an ACE may result in undesired execution of ACE
4. Incorrect IP / Host Addresses can lead to unwanted execution of ACE
5. Filtering in the wrong direction (outbound vs inbound)

Question 46

IPv6 ACL Types

Answer 46

IPv6 uses only named / extended ACLs.

Question 47

Can an IPv4 and IPv6 ACL Share the Same Name?

Answer 47

No.

Question 48

Can an IPv4 and IPv6 ACL Share the Same Name?

Answer 48

No.