Day 9 - ACL Implementation Flashcards
Based on the topology, create and apply a standard numbered ACL that permits traffic from 172.16.X.X to be forwarded outbound on Gi0/0 and Gi0/1 and denies all other traffic that isn't within that network.
R1
access-list 1 permit 172.16.0.0 0.0.255.255
R1
int gi0/0
ip access-group 1 out
int gi0/1
ip access-group 1 out
All other traffic will be denied due to the implicit deny any statement at the bottom of the ACL
Based on the topology, create and apply a standard numbered ACL that prevents traffic originating from 172.16.4.13 from traveling out Gi0/0. Allow all other traffic going out that interface.
R1
access-list 1 deny 172.16.4.13 0.0.0.0
access-list 1 permit 0.0.0.0 255.255.255.255
R1
int gi0/0
ip access-group 1 out
NOTE: the wildcard 0.0.0.0 in the first access entry corresponds to a subnet mask of 255.255.255.255, so it targets that one host specifically.
The second access entry targets everything: its wildcard 255.255.255.255 is the subnet mask 0.0.0.0 flipped.
What is another way to write this access control entry?
access-list 1 deny 172.16.4.13 0.0.0.0
access-list 1 deny host 172.16.4.13
OR (starting with 12.3)
access-list 1 deny 172.16.4.13
What is another way to write this access control entry?
access-list 1 permit 0.0.0.0 255.255.255.255
access-list 1 permit any
Based on the topology, create and apply a standard numbered ACL that prevents traffic originating from the subnet 172.16.4.0/24 and permits all other traffic traveling out the Gi0/0 interface.
R1
access-list 1 deny 172.16.4.0 0.0.0.255
access-list 1 permit any
R1
int gi0/0
ip access-group 1 out
Based on the topology create and apply a standard numbered ACL that will only allow Telnet and SSH traffic to R1 from 172.16.4.13
R1
access-list 12 permit host 172.16.4.13
R1
line vty 0 15
access-class 12 in
NOTE: All other hosts are denied implicitly here
If IP is specified in an ACL, what is filtered?
The entire TCP/IP suite
Based on the topology, create and apply an extended numbered ACL that prevents FTP traffic (ports 20 and 21) originating from the subnet 172.16.4.0/24 and destined for the 172.16.3.0/24 subnet from going out Gi0/0, and allows all other traffic out interface Gi0/0.
R1
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 permit ip any any
R1
int gi0/0
ip access-group 101 out
Based on the topology, create and apply an extended numbered ACL that prevents Telnet traffic originating from 172.16.4.0/24 from traveling out int gi0/0. Permit all other traffic out int gi0/0.
R1
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 23
access-list 101 permit ip any any
R1
int gi0/0
ip access-group 101 out
What is the first part of a standard named ACL?
ip access-list standard {name}
Based on the topology, create and apply a standard named ACL that will deny traffic that originates from host 172.16.4.13 from traveling out int gi0/0. Name the ACL TROUBLEMAKER. Permit the rest of the subnet to travel out int gi0/0
ip access-list standard TROUBLEMAKER
deny host 172.16.4.13
permit 172.16.4.0 0.0.0.255
int gi0/0
ip access-group TROUBLEMAKER out
What type of ACL is this below?
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
Extended numbered IPv4 ACL
What type of ACL is this below?
ip access-list standard NAME
deny host 172.16.4.13
permit 172.16.4.0 0.0.0.255
Standard named IPv4 ACL
What does the remark command do?
It adds a comment to the ACL in PLACE OF the permit or deny command
Example:
access-list 101 remark Permit John to Telnet Server
How would you add a remark to a named ACL?
ip access-list standard PREVENT
remark DO NOT ALLOW
deny 172.16.4.0 0.0.0.255
What are some commands to verify ACLs?
show access-lists (displays the contents of all ACLs) (will even show how many matches have been applied to a packet for a particular ACE)
show ip int {int} (shows which inbound and outbound ACLs are being applied on the int)
Can you use numbers to identify IPv6 ACLs?
No
True or False:
IPv6 ACLs include some implicit permit statements at the end of the ACL
True
What are the basic initial commands to create a named IPv6 ACL?
ipv6 access-list {name}
Is the command syntax the same whether you are configuring a standard or extended IPv6 ACL?
Yes
True or False: a standard IPv6 ACL, unlike a standard IPv4 ACL, includes both source and destination information.
True
What isn’t included in a standard IPv6 ACL?
TCP, UDP and ICMPv6 information
What is a show command to verify IPv6 access lists?
show ipv6 access-list