Day 10 - ACL Concepts Flashcards
An ACL is a router __________ __________ (that is, it’s a list of ___________)
Configuration Script
Statements
ACLs control whether a router permits or denies packets to pass, based on criteria in the what?
Packet header
To determine whether a packet is permitted or denied, it is tested against the ACL statement in what order?
Sequential order
When an ACL statement matches, do any other statements get evaluated?
No
What is at the bottom of every ACL?
An implicit deny any statement
If a packet doesn’t match any of the statements in the ACL, what happens to it?
It’s dropped
ACLs use what kind of logic?
First match logic
If a packet matches one line in the ACL, the router takes the action listed in that line of the ACL and does what with the rest of the ACL statements?
Ignores them
What two types of ACLs are there?
Standard IPv4 ACLs
Extended IPv4 and Extended IPv6 ACLs
What two methods are there to identify both standard and extended ACLs?
Numbered IPv4 ACLs
Named IPv4 and Named IPv6 ACLs
What is the difference between standard ACLs and Extended ACLs?
Standard ACLs filter traffic based on source address only
Extended ACLs filter traffic based on source and destination address, specific protocols and source and destination TCP and UDP ports
What do numbered ACLs use to identify themselves?
They use a number for identification
What do named ACLs use to identify themselves?
They use a descriptive name (the named-ACL syntax, ip access-list {standard | extended} <name>, also accepts a number in place of the name, so a numbered ACL can be edited with the named-ACL commands)
Standard numbered and standard named ACLs only look for matching what?
Source addresses
Extended numbered and extended named ACLs look for matching what?
Source and destination IP addresses
Protocol (ip, tcp, udp, icmp, ...)
Source and destination TCP or UDP ports
What is the number range for standard IP ACLs?
1-99
What is the number range for Extended IP ACLs?
100-199
What is the number range for expanded standard IP ACLs?
1300-1999
In addition to using more memorable names, using named ACLs instead of numbered ACLs enable to you __________ individual statements in a named IP access list
Delete (and, once entries carry sequence numbers, insert) individual statements without rebuilding the whole list
What is the number range for expanded extended IP ACLs?
2000-2699
What version of IOS Software release did IP access list entry sequence numbering get introduced with?
12.3
How many ACLs are allowed per protocol, per direction, and per interface
1
How should you organize the ACL statements?
Top down with more specific references appearing before more general ones
You should always create the ACL before __________ it to an interface
Applying
You typically should place extended ACLs as close to what?
The source of the traffic you want to deny (standard ACLs, which match only the source address, go as close to the destination as possible)
What does a wildcard mask of 0.0.0.0 mean?
Every bit of the address must match (the wildcard is the inverse of a 255.255.255.255 subnet mask), so only the single IP address before the mask is matched. The host keyword is shorthand for it: host 10.10.50.10 is the same as 10.10.50.10 0.0.0.0.
Does an Extended ACL have a default wildcard mask?
No, you have to specify a wildcard mask for every address in an extended ACL (a standard ACL, by contrast, defaults to 0.0.0.0 when the mask is omitted)
What is this Extended ACL doing?
R1(config)#access-list 100 permit tcp 10.10.10.0 0.0.0.255 gt 49151 10.10.50.10 0.0.0.0 eq telnet
It’s an extended ACL entry that permits Telnet (TCP port 23) traffic from the subnet 10.10.10.0/24, with a source port greater than 49151, to the single destination host 10.10.50.10. Ports above 49151 are the dynamic (ephemeral) range, so this matches client-initiated Telnet sessions rather than connections originating from a well-known port.
Write an Access Control Entry for this scenario:
Access List number of 100 that permits telnet TCP traffic from the subnet of 10.10.10.0/24 with a source port greater than 49151 going to a destination address of 10.10.50.10
access-list 100 permit tcp 10.10.10.0 0.0.0.255 gt 49151 10.10.50.10 0.0.0.0 eq telnet
What does access-list 100 deny ip 10.10.10.0 0.0.0.255 10.10.50.0 0.0.0.255 represent?
The ip keyword matches every IP protocol (TCP, UDP, ICMP and the rest), so this denies ALL traffic from the source subnet 10.10.10.0/24 to the destination network 10.10.50.0/24
What is this ACE telling us:
access-list 100 deny tcp host 10.10.10.10 10.10.20.0 0.0.0.255 eq www log
It’s an extended Access Control Entry in ACL number 100
It denies TCP traffic from the single host 10.10.10.10 going TO the destination network 10.10.20.0/24 with a destination port of 80 (www). The log keyword generates a syslog message for each match (rate-limited by the router), which goes to the console, the logging buffer, or an external syslog server, depending on the logging configuration.
If you’ve created your ACL with the Access Control Entries, what do you need to do to actually get them to work?
You need to apply it to an interface (a physical interface or a VLAN SVI) in a direction, with the interface-mode command ip access-group <number | name> {in | out}. Until it is applied, the ACL exists in the configuration but filters nothing.
What increments are the entries (sequence numbers) inside an ACL numbered in by default?
10 (10, 20, 30, ...), leaving room to insert entries between existing ones
True or False: All traffic is denied except what is explicitly allowed due to the implied deny any any rule at the bottom the of ALL ACLs
True
If you want to reverse the implicit deny any any rule so that ALL traffic is permitted except what is explicitly denied, how would you achieve this?
Add an explicit permit-everything entry as the last line: permit any in a standard ACL, permit ip any any in an extended ACL
Which would have precedence? An explicit permit any rule at the bottom of an ACL or an implicit deny any any at the bottom of the ACL?
The explicit permit any rule, because it sits above the implicit deny any any and first-match logic stops at the first matching line, so the implicit deny is never reached
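The cards above describe the evaluation rules (wildcard masks, first-match logic, the implicit deny, standard versus extended syntax, and the effect of a trailing permit ip any any) in words. The Python below is an added example, not code from the flashcards or from Cisco: a small simulator that parses the page's own ACEs in IOS syntax and runs constructed packet headers through them. The function names, the small PORT_NAMES table (an assumed subset of the IOS port keywords) and the sample packets are all inventions for the example; the ACE lines in ACL_100 are quoted from the page.

```python
"""Cisco IOS IPv4 ACL evaluation simulator: wildcard masks, first-match logic and
the implicit deny. Added example, not code from the flashcards or from Cisco; the
ACEs in ACL_100 are the page's own, the packets are constructed inputs."""
import ipaddress

PORT_NAMES = {"telnet": 23, "www": 80, "ssh": 22}   # assumed subset of IOS port keywords


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: mask bit 0 = must match, mask bit 1 = don't care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _take_address(tokens, standard=False):
    """Consume 'any', 'host A', 'A W' or, in a standard ACL only, a bare 'A'."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    if standard and not (tokens and tokens[0].count(".") == 3):
        return tok, "0.0.0.0"       # standard ACLs default the wildcard to 0.0.0.0
    return tok, tokens.pop(0)       # extended ACLs require an explicit wildcard


def _take_port_op(tokens):
    if not tokens or tokens[0] not in ("eq", "gt", "lt", "neq", "range"):
        return None                 # no operator: any port matches
    op = tokens.pop(0)
    lo = _port(tokens.pop(0))
    hi = _port(tokens.pop(0)) if op == "range" else lo
    return op, lo, hi


def port_matches(spec, port):
    if spec is None:
        return True
    op, lo, hi = spec
    return {"eq": port == lo, "neq": port != lo, "gt": port > lo,
            "lt": port < lo, "range": lo <= port <= hi}[op]


def parse_ace(line):
    """Parse one numbered ACE, e.g. 'access-list 100 permit tcp ... eq telnet'."""
    tokens = line.split()
    number = int(tokens[1])
    standard = 1 <= number <= 99 or 1300 <= number <= 1999   # standard number ranges
    tokens = tokens[2:]
    ace = {"number": number, "action": tokens.pop(0), "log": "log" in tokens}
    if standard:                    # standard ACLs match on the source address only
        ace.update(proto="ip", src=_take_address(tokens, standard=True),
                   dst=("0.0.0.0", "255.255.255.255"), sport=None, dport=None)
    else:
        proto = tokens.pop(0)
        ports = proto in ("tcp", "udp")
        ace["proto"], ace["src"] = proto, _take_address(tokens)
        ace["sport"] = _take_port_op(tokens) if ports else None
        ace["dst"] = _take_address(tokens)
        ace["dport"] = _take_port_op(tokens) if ports else None
    return ace


def ace_matches(ace, pkt):
    """pkt: dict with proto, src, dst and, for tcp/udp, sport and dport."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    return (wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])
            and port_matches(ace["sport"], pkt.get("sport"))
            and port_matches(ace["dport"], pkt.get("dport")))


def evaluate(acl_lines, pkt):
    """First-match evaluation: returns (action, matching line or None, logged)."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line, ace["log"]   # stop here; later lines are ignored
    return "deny", None, False                        # implicit deny any at the bottom


ACL_100 = [   # the ACEs quoted on the page, collected into one list
    "access-list 100 deny tcp host 10.10.10.10 10.10.20.0 0.0.0.255 eq www log",
    "access-list 100 permit tcp 10.10.10.0 0.0.0.255 gt 49151 10.10.50.10 0.0.0.0 eq telnet",
    "access-list 100 deny ip 10.10.10.0 0.0.0.255 10.10.50.0 0.0.0.255",
]


def tcp(src, sport, dst, dport):
    """Constructed TCP packet header: only the fields an ACL looks at."""
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport}


if __name__ == "__main__":
    print(evaluate(ACL_100, tcp("10.10.10.5", 50000, "10.10.50.10", 23)))   # permit, line 2
    print(evaluate(ACL_100, tcp("10.10.10.5", 1024, "10.10.50.10", 23)))    # source port too low: deny, line 3
    print(evaluate(ACL_100, tcp("192.0.2.1", 40000, "198.51.100.1", 443)))  # no match: implicit deny
    # Reverse the implicit deny by ending the list with the extended form of 'permit any':
    print(evaluate(ACL_100 + ["access-list 100 permit ip any any"], tcp("192.0.2.1", 40000, "198.51.100.1", 443)))
```

Two things worth noticing when running it: the Telnet packet with source port 1024 falls through the permit line (gt 49151 fails) and is caught by the deny ip line, and a packet from an unrelated subnet matches nothing and is dropped by the implicit deny, which the simulator reports with None as the matching line. Appending permit ip any any turns that last case into a permit because it is evaluated before the implicit deny.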