Chapter 31 - Basic IPv4 Access Control Lists Flashcards
What are ACLs used for?
- To match traffic based on various header fields and perform an action on the matched traffic.
- Some of those actions include:
- Allowing and blocking certain traffic
- Performing QoS
- Performing NAT
True or False. ACLs are enabled per interface.
- True. However, they are initially created in global config.
- It must be enabled for the direction in which the specified traffic flows through the interface.
What are the different types of ACLs and their numbers where required?
- Standard Numbered ACLs - 1-99
- Extended Numbered ACLs - 100-199
- Additional Standard Numbered ACLs - 1300-1999
- Additional Extended Numbered ACLs - 2000-2699
- Named ACLs
Features of Standard Numbered ACLs
- Matching Source IP
- ID with Number
- Created from Global Commands (Can also be created from subcommands)
Features of Standard Named ACLs
- Matching Source IP
- ID with Name
- Created from Subcommands
- The order of entries can be set manually by entering the entry's sequence number before the statement in Standard Named ACL config mode
- Allows ACL editing so that individual lines can be deleted
Features of Extended Numbered ACLs
- Matching Source and Dest IP
- Matching Source and Dest Port
- ID with Number
- Created from Global Commands (Can also be created from subcommands)
Features of Extended Named ACLs
- Matching Source and Dest IP
- Matching Source and Dest Port
- ID with Name
- Created from Subcommands
- Allows ACL editing so that individual lines can be deleted
In an ACL, how does the router decide which rule to match a packet against?
- Uses first-match logic
- As soon as a packet matches one line of the ACL, the relevant action in that line is taken on that packet and the router stops looking through the ACL for that packet
What happens to a packet that matches no statements of an ACL?
- It is discarded
- Once the router reaches the end of an ACL when checking a packet, there is an implied ‘deny all’ rule that matches any packets that have not already been matched.
What is the name for a statement in an ACL?
ACE (Access Control Entry)
How do you match just a single IP address in an ACL statement?
- Simply entering ‘access-list <number> <permit/deny> <ip>’
- Entering ‘access-list <number> <permit/deny> host <ip>’ in older versions of IOS
What can you use to match multiple addresses in a given subnet in an ACL?
Wildcard masks
What keyword can you use in place of an IP address to match all traffic against an ACL statement?
- ‘any’
- ‘access-list <number> <permit/deny> any’
How do you enable an ACL on an interface?
In interface config mode, use ‘ip access-group <ACL> <direction>’
Rules of thumb for ACLs
- Standard ACLs should be placed as close to the destination as possible so that they do not match traffic you don’t intend to filter. Extended ACLs, by contrast, should be placed as close to the source as possible so that unwanted traffic is dropped before it consumes bandwidth across the network.
- For standard ACLs, the traffic is matched against the source address only. Because of this, the ACL needs to be applied to the interface in the direction in which the traffic is flowing.
- ACL statements are matched sequentially, so they need to be placed in the correct order.
- Place more specific statements early in the ACL.
- Disable an ACL on the interface it is applied to using ‘no ip access-group’ before making changes to it, then re-enable it once done.