Day 9 - ACL Implementation Flashcards
Based on the topology, create and apply a standard numbered ACL that permits traffic from 172.16.X.X to be forwarded outbound on Gi0/0 and Gi0/1 and denies all other traffic that isn’t within that network
R1
access-list 1 permit 172.16.0.0 0.0.255.255
R1
int gi0/0
ip access-group 1 out
int gi0/1
ip access-group 1 out
All other traffic will be denied due to the implicit deny any statement at the bottom of the ACL
Based on the topology, create and apply a standard numbered ACL that prevents traffic originating from 172.16.4.13 from traveling out Gi0/0. Allow all other traffic going out that interface
R1
access-list 1 deny 172.16.4.13 0.0.0.0
access-list 1 permit 0.0.0.0 255.255.255.255
R1
int gi0/0
ip access-group 1 out
NOTE: the first access entry’s wildcard mask 0.0.0.0 is the inverse of a 255.255.255.255 subnet mask, so it targets that one host specifically
The second access entry targets everything. Remember that its wildcard mask 255.255.255.255 is just a 0.0.0.0 subnet mask flipped
What is another way to write this access control entry?
access-list 1 deny 172.16.4.13 0.0.0.0
access-list 1 deny host 172.16.4.13
OR (starting with IOS 12.3)
access-list 1 deny 172.16.4.13
What is another way to write this access control entry?
access-list 1 permit 0.0.0.0 255.255.255.255
access-list 1 permit any
Based on the topology, create and apply a standard numbered ACL that prevents traffic originating from the subnet 172.16.4.0/24 and permits all other traffic traveling out the Gi0/0 interface
R1
access-list 1 deny 172.16.4.0 0.0.0.255
access-list 1 permit any
R1
int gi0/0
ip access-group 1 out
Based on the topology, create and apply a standard numbered ACL that only allows Telnet and SSH traffic to R1 from 172.16.4.13
R1
access-list 12 permit host 172.16.4.13
R1
line vty 0 15
access-class 12 in
NOTE: All other hosts are denied implicitly here
If IP is specified in an ACL, what is filtered?
The entire TCP/IP suite
Based on the topology, create and apply an extended numbered ACL that prevents FTP traffic originating from the subnet 172.16.4.0/24 and destined for the 172.16.3.0/24 subnet from going out Gi0/0. This needs to be blocked on ports 20 and 21; allow all other traffic out interface Gi0/0
R1
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 permit ip any any
R1
int gi0/0
ip access-group 101 out
Based on the topology, create and apply an extended numbered ACL that prevents Telnet traffic originating from 172.16.4.0/24 from traveling out int gi0/0. Permit all other traffic out int gi0/0
R1
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 23
access-list 101 permit ip any any
R1
int gi0/0
ip access-group 101 out
What is the first part of a standard named ACL?
ip access-list standard {name}
Based on the topology, create and apply a standard named ACL that denies traffic originating from host 172.16.4.13 from traveling out int gi0/0. Name the ACL TROUBLEMAKER. Permit the rest of the subnet to travel out int gi0/0
ip access-list standard TROUBLEMAKER
deny host 172.16.4.13
permit 172.16.4.0 0.0.0.255
int gi0/0
ip access-group TROUBLEMAKER out
What type of ACL is this below?
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
Extended numbered IPv4 ACL
What type of ACL is this below?
ip access-list standard NAME
deny host 172.16.4.13
permit 172.16.4.0 0.0.0.255
Standard named IPv4 ACL
What does the remark command do?
It adds a comment to the ACL; it is entered where the permit or deny keyword would otherwise go
Example:
access-list 101 remark Permit John to Telnet Server
How would you add a remark to a named ACL?
ip access-list standard PREVENT
remark DO NOT ALLOW
deny 172.16.4.0 0.0.0.255