Module 4: ACL Concepts Flashcards

1
Q

What do routers make routing decisions based on?

A

Information in the packet header

2
Q

How is traffic routed when entering a router interface?

A

Solely based on information within the routing table

3
Q

What does the router compare to find the best match for routing?

A

The destination IP address with routes in the routing table

4
Q

What is the purpose of an access control list (ACL)?

A

To filter packets based on information found in the packet header

5
Q

By default, do routers have any ACLs configured?

A

No

6
Q

What happens when an ACL is applied to a router interface?

A

The router evaluates all network packets as they pass through the interface

7
Q

What is the role of access control entries (ACEs) in an ACL?

A

ACEs are the individual permit or deny statements; an ACL is a sequential list of them.

8
Q

Fill in the blank: An ACL is a series of _______ commands used to filter packets.

A

IOS

9
Q

True or False: A router forwards packets based on the best match route found in the routing table.

A

True

10
Q

What are ACEs commonly referred to as?

A

ACEs are also commonly called ACL statements.

ACL stands for Access Control List.

11
Q

What happens when network traffic passes through an interface configured with an ACL?

A

The router compares the information within the packet against each ACE, in sequential order.

This is essential for determining if the packet matches one of the ACEs.

12
Q

What is the process called when a router checks packets against ACEs?

A

Packet filtering.

Packet filtering is crucial for managing network traffic and security.

13
Q

What do several tasks performed by routers require?

A

The use of ACLs to identify traffic.

ACLs help in controlling the flow of traffic based on defined rules.

14
Q

What is the purpose of limiting unnecessary network traffic?

A

To increase network performance

Reducing unnecessary traffic allows for better bandwidth management and improved application responsiveness.

15
Q

What type of high bandwidth traffic is often prohibited by a corporate policy to reduce network load?

A

Video traffic

Video traffic can consume significant bandwidth, impacting overall network performance.

16
Q

How can a policy to block video traffic be enforced?

A

Using ACLs (Access Control Lists)

ACLs can specify which types of traffic are allowed or denied on a network.

17
Q

What is traffic flow control?

A

Limiting certain traffic, such as routing protocol updates, to specific links only, as a corporate policy may require.

Traffic flow control helps manage network efficiency and security.

18
Q

How can a corporate policy be implemented to control routing protocol traffic?

A

Using ACLs to restrict the delivery of routing updates to only those that come from a known source.

ACLs (Access Control Lists) are used to enhance network security by defining permissions for traffic.

19
Q

What is the basic level of security for network access?

A

Restricted access to authorized users only

This ensures that only individuals with permission can access sensitive information.

20
Q

What does corporate policy demand regarding access to confidential networks?

A

Access must be restricted to authorized users only

This policy is crucial for protecting sensitive employee information.

21
Q

How can a policy be enforced to limit access to specified networks?

A

Using Access Control Lists (ACLs)

ACLs are used to define which users or systems are granted or denied access to specific resources.

22
Q

What does corporate policy require regarding network traffic?

A

Certain traffic, such as email, must be permitted while other traffic, like Telnet access, must be denied.

This reflects the need to control access and protect network integrity.

23
Q

How can a policy be implemented to filter traffic by type?

A

Using ACLs (Access Control Lists) to filter traffic.

ACLs are a set of rules that determine what traffic is allowed or denied on a network.

24
Q

True or False: All traffic types should be allowed into a network in order to not impact usability.

A

False

Some traffic must be denied, such as Telnet access because it’s not secure.

25
Fill in the blank: A policy can be implemented using _______ to filter traffic by type.
ACLs ## Footnote ACLs help in managing network security by controlling traffic flow.
26
What does it mean to screen hosts with an ACL?
To permit or deny individual hosts access to network services. ## Footnote Screening hosts makes the ACL a gatekeeper for which hosts may reach which services.
27
What must be considered when it comes to permitting or denying access to certain services?
Access to some services (e.g., FTP or HTTP) must be limited to specific user groups yet available to others. ## Footnote This ensures that only authorised users can reach sensitive or restricted services.
28
How can a policy be implemented to control user access to services?
Using ACLs (Access Control Lists) to filter user access ## Footnote ACLs are a common method for defining who can access what resources in a network.
29
Fill in the blank: Corporate policy often requires that access to some services be limited to _______.
Authorised user groups ## Footnote This is aimed at protecting sensitive information from unauthorised access.
30
What is the purpose of providing priority to certain classes of network traffic?
To ensure that critical traffic, like voice traffic, is forwarded as fast as possible to avoid interruptions.
31
How can a policy be implemented to prioritize voice traffic?
Using ACLs and QoS services
32
What is packet filtering?
Packet filtering controls access to a network by analyzing incoming and/or outgoing packets and forwarding or discarding them based on given criteria.
33
At which OSI layers does packet filtering occur?
Packet filtering can occur at Layer 3 and Layer 4.
34
Fill in the blank: Packet filtering controls access to a network by analyzing the incoming and/or outgoing packets and ______ them based on given criteria.
[forwarding or discarding]
35
What do standard ACLs filter?
Standard ACLs filter at Layer 3 using the source IPv4 address only. ## Footnote Standard ACLs provide basic filtering capabilities.
36
What additional features do extended ACLs provide compared to standard ACLs?
Extended ACLs filter at Layer 3 using the source and/or destination IPv4 address and can also filter at Layer 4 using TCP, UDP ports, and optional protocol type information. ## Footnote Extended ACLs allow for more granular control over network traffic.
37
What do ACLs define?
The set of rules that give added control for packets that enter inbound interfaces, relay through the router, and exit outbound interfaces of the router.
38
Can ACLs be configured for both inbound and outbound traffic?
Yes, ACLs can be configured to apply to both inbound traffic and outbound traffic.
39
Do ACLs act on packets that originate from the router itself?
No, ACLs do not act on packets that originate from the router itself.
40
What is the purpose of an inbound ACL?
Filters packets before they are routed to the outbound interface ## Footnote Inbound ACLs are efficient as they save routing lookup overhead if packets are discarded.
41
How does an inbound ACL handle permitted packets?
Permitted packets are processed for routing ## Footnote This allows the packet to proceed through the network.
42
When are inbound ACLs most effectively used?
When the network attached to an inbound interface is the only source of packets that need to be examined ## Footnote This ensures focused filtering of relevant traffic.
43
What is the function of an outbound ACL?
Filters packets after they have been routed, regardless of the inbound interface ## Footnote Outbound ACLs apply rules to traffic exiting the network.
44
How are incoming packets processed in relation to outbound ACLs?
Incoming packets are routed to the outbound interface and then processed through the outbound ACL ## Footnote This means outbound ACLs evaluate packets after routing decisions have been made.
45
When are outbound ACLs best utilized?
When the same filter will be applied to packets from multiple inbound interfaces before exiting the same outbound interface ## Footnote This allows for centralized filtering of outgoing traffic.
46
What is the first step when an ACL is applied to an interface?
For a standard ACL, the router extracts the source IPv4 address from the packet header (an extended ACL also extracts the destination address, protocol and port information).
47
What does the router do after extracting the source IPv4 address?
The router starts at the top of the ACL and compares the source IPv4 address to each ACE in sequential order.
48
What happens when a match is made between the source IPv4 address and an ACE?
The router carries out the instruction, either permitting or denying the packet, and the remaining ACEs in the ACL are not analyzed (first match wins).
49
What occurs if the source IPv4 address does not match any ACEs in the ACL?
The packet is discarded due to the implicit deny ACE at the end of every ACL.
50
What does ACE stand for in the context of ACL?
Access Control Entry
51
What is the last ACE statement of an ACL?
An implicit deny that blocks all traffic ## Footnote This statement is automatically implied at the end of an ACL but is hidden and not displayed in the configuration.
52
What happens if an ACL does not have any permit statements?
All traffic will be denied due to the implicit deny ACE statement ## Footnote An ACL must have at least one permit statement to allow traffic.
53
What are the permit or deny statements in an ACL called?
Access control entries ## Footnote Access control entries (ACEs) are the individual rules that determine the permissions for accessing resources.
54
Fill in the blank: Extended ACLs filter at _______.
Layer 3 and Layer 4 ## Footnote This allows for more granular control over network traffic.
55
Fill in the blank: Standard ACLs filter at _______.
Layer 3 ## Footnote They are limited to filtering based on source addresses.
56
What does an IPv4 ACE use to determine which bits of the address to examine for a match?
Wildcard Mask
57
How does a wildcard mask match bit values in an address? Think about what binary value is a match, and which isn't.
Wildcard mask bit 0 - Match the corresponding bit value in the address. Wildcard mask bit 1 - Ignore the corresponding bit value in the address. | 0.0.0.0 requires all four octets to match; 0.0.255.255 requires only the first two octets to match.
58
What would the meaning be of the wildcard mask 0.0.0.15? | Think about what 15 is in binary, and whether a 1 or a 0 is a match
0.0.0.15 = All 0s in the first three octets, and then 00001111 in the last octet. * Match the first three octets * Match the four left-most bits of the last octet * Ignore the last 4 bits of the last octet (so a block of 16 consecutive addresses matches).
59
What would the following IOS command achieve? access-list 10 permit 192.168.1.1 0.0.0.0
It would add an ACE to standard ACL 10 that permits traffic from host 192.168.1.1 only. | access-list [ACL number] [permit/deny] [source] [wildcard]
60
What would the following IOS command achieve? access-list 10 permit 192.168.1.0 0.0.0.255
It would add an ACE to standard ACL 10 that permits traffic from any host in the 192.168.1.0/24 network.
61
What would the following IOS command achieve? access-list 10 permit 192.168.16.0 0.0.15.255
It would add an ACE to standard ACL 10 that permits traffic from all hosts in the 192.168.16.0/24 through 192.168.31.0/24 networks (the 192.168.16.0/20 block). ## Footnote Here's what happens: * The router checks the first two octets (192.168.) and sees they must match exactly. * For the third octet, the router allows any value from 16 (00010000) to 31 (00011111), because the wildcard mask (15 or 00001111) allows variation in the last 4 bits. * The fourth octet is entirely ignored (255 or 11111111), meaning it permits all host addresses within each subnet.
62
What is a shortcut for calculating a wildcard mask?
Subtract the subnet mask from 255.255.255.255
63
Assume you wanted an ACE in ACL 10 to permit all users in the 192.168.1.0/24 network. How would you calculate the wildcard mask required? What IOS command would you use to add it?
1. Take the starting value of 255.255.255.255 2. Subtract the subnet mask 255.255.255.0 3. Resulting wildcard mask is 0.0.0.255 4. IOS command `access-list 10 permit 192.168.1.0 0.0.0.255`
64
Assume you wanted an ACE in ACL 10 to permit all users in the 192.168.1.32/28 network. How would you calculate the wildcard mask required? What IOS command would you use to add it?
1. Take the starting value of 255.255.255.255 2. Calculate the subnet mask. A /28 network means 11110000 in the last octet, which is 128 + 64 + 32 + 16 = 240 3. 255.255.255.255 - 255.255.255.240 = 0.0.0.15 wildcard mask. 4. IOS command `access-list 10 permit 192.168.1.32 0.0.0.15`
65
Assume you wanted an ACE in ACL 10 to permit all users in the 192.168.10.0/24 and 192.168.11.0/24 networks. How would you calculate the wildcard mask required? What IOS command would you use to add it?
1. Take the starting value of 255.255.255.255 2. Calculate the subnet mask. 192.168.10.0 and 192.168.11.0 summarise to 192.168.10.0/23, whose subnet mask is 255.255.254.0 3. 255.255.255.255 - 255.255.254.0 = 0.0.1.255 wildcard mask. 4. IOS command `access-list 10 permit 192.168.10.0 0.0.1.255`
66
Assume you wanted an ACE in ACL 10 to permit all users in the 192.168.16.0/24 to the 192.168.31.0/24 networks. How would you calculate the wildcard mask required? What IOS command would you use to add it?
1. Mark the octets that never change (192.168.) with `0` 2. For the octet that varies within a range, subtract the first value from the last (31 - 16 = `15`) 3. Set the octets that vary completely to `255`, giving `0.0.15.255` 4. IOS command `access-list 10 permit 192.168.16.0 0.0.15.255` ## Footnote The subtraction shortcut only works because 192.168.16.0 to 192.168.31.255 is an aligned block of 16 /24s (192.168.16.0/20). A range whose size is not a power of two, or that does not start on a multiple of its size (for example 192.168.17.0/24 to 192.168.30.0/24), cannot be expressed with a single wildcard mask and needs several ACEs.
67
What does the Wildcard Mask Keyword 'host' substitute for? How would it be used to create an ACE?
Host substitutes for a wildcard mask of 0.0.0.0, meaning just the one host matches. `access-list 10 permit host 192.168.1.10` and `access-list 10 permit 192.168.1.10 0.0.0.0` are functionally identical.
68
What does the Wildcard Mask Keyword 'any' substitute for? How would it be used to create an ACE?
Any substitutes for a source of 0.0.0.0 with a wildcard mask of 255.255.255.255, which accepts every address. `access-list 10 permit any` and `access-list 10 permit 0.0.0.0 255.255.255.255` are functionally identical.
69
Which wildcard mask would permit only host 10.10.10.1?
0.0.0.0 | Or the `host` keyword
70
Which wildcard mask would permit only hosts from the 10.10.0.0/16 network?
0.0.255.255
71
Which wildcard mask would permit all hosts?
255.255.255.255 | Or the `any` keyword
72
Which wildcard mask would permit all hosts from the 192.168.10.0/24 network?
0.0.0.255
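Added example (not part of the module or of Cisco's documentation): Python helpers for the wildcard-mask cards above (56 to 72) and the wildcard recap cards further down. They implement the "255.255.255.255 minus the subnet mask" shortcut, the bit-0-matches / bit-1-ignores comparison an ACE performs on a packet, and the check a practitioner needs before writing a single ACE for an address range: whether the range is an aligned power-of-two block at all, and if not, which aligned blocks (and therefore which ACEs) cover it. The function names and the sample addresses are this example's own, chosen to mirror the cards.

```python
import ipaddress
from typing import List, Optional


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for an IPv4 /prefix_len network: 255.255.255.255 minus the subnet mask."""
    subnet_mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(0xFFFFFFFF - subnet_mask))


def matches(address: str, ace_source: str, wildcard: str) -> bool:
    """Apply IOS wildcard semantics: a 0 bit must match, a 1 bit is ignored.

    `host X` is the same as `X 0.0.0.0`; `any` is the same as `0.0.0.0 255.255.255.255`.
    """
    a = int(ipaddress.IPv4Address(address))
    s = int(ipaddress.IPv4Address(ace_source))
    w = int(ipaddress.IPv4Address(wildcard))
    must_match = ~w & 0xFFFFFFFF          # the bits the ACE cares about
    return ((a ^ s) & must_match) == 0


def wildcard_for_range(first: str, last: str) -> Optional[str]:
    """Single wildcard covering exactly first..last, or None when no single ACE can.

    One ACE can only express a block whose size is a power of two and whose first
    address is a multiple of that size (e.g. 192.168.16.0-192.168.31.255 is a /20).
    The "last minus first" shortcut from the cards is only valid in that case.
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    size = hi - lo + 1
    if size & (size - 1) or lo % size:    # not a power of two, or not aligned to its size
        return None
    return str(ipaddress.IPv4Address(size - 1))


def aces_for_range(first: str, last: str, acl: str = "10", action: str = "permit") -> List[str]:
    """Standard ACEs covering first..last using the fewest aligned blocks.

    An aligned range yields one line; a range such as 192.168.17.0-192.168.30.255
    needs several, one per block that ipaddress.summarize_address_range returns.
    """
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    )
    return [
        f"access-list {acl} {action} {net.network_address} {wildcard_from_prefix(net.prefixlen)}"
        for net in blocks
    ]


if __name__ == "__main__":
    # Constructed sample values that mirror the cards above.
    print(wildcard_from_prefix(24), wildcard_from_prefix(28), wildcard_from_prefix(23))
    print(matches("192.168.20.77", "192.168.16.0", "0.0.15.255"))   # True
    print(wildcard_for_range("192.168.16.0", "192.168.31.255"))     # 0.0.15.255
    print(wildcard_for_range("192.168.17.0", "192.168.30.255"))     # None: not one aligned block
    for line in aces_for_range("192.168.17.0", "192.168.30.255"):
        print(line)
```

`wildcard_for_range` returning None is the case the subtraction shortcut silently gets wrong: 30 - 17 = 13 would suggest `0.0.13.255`, but 13 is 00001101 in binary, so that mask ignores the 1, 4 and 8 bits of the third octet and matches subnets 17, 21, 25 and 29 as well as 16, 20, 24 and 28, not the range 17 to 30. `aces_for_range` gives the six ACEs that actually cover it.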
73
How many ACLs can a router interface have?
Four: 1. Inbound IPv4 ACL 2. Outbound IPv4 ACL 3. Inbound IPv6 ACL 4. Outbound IPv6 ACL | Not all interfaces need both inbound and outbound ACLs ## Footnote Remember this is *per interface*, so a single router may have many more than four in total.
74
Why should great care be taken when adding or modifying ACLs?
Mistakes can be costly in terms of downtime, troubleshooting efforts, and poor network service.
75
Describe the benefit of the ACL guideline: Base ACLs on the organisational security policies.
To ensure that security policies are being met.
76
Describe the benefit of the ACL guideline: Write out in plain language what you want the ACL to do.
To help you ensure the ACL is going to do what you want and prevent inadvertently creating access problems.
77
Describe the benefit of the ACL guideline: Use a text editor to create, edit, and save all of your ACLs in a single location.
For documentation purposes and to create a library of reusable ACLs.
78
Describe the benefit of the ACL guideline: Document the ACLs using the `remark` command.
This will help you and others later understand the purpose of an ACE.
79
Describe the benefit of the ACL guideline: Test the ACLs on a development network before implementing them on a production network.
To avoid costly errors in a live environment.
80
Look at the following ACL, is it a Standard or Extended ACL? Why? `access-list 10 permit 192.168.10.0 0.0.0.255` What would it achieve?
It is a standard ACL because it only permits/denies based on the source IPv4 address (and its number, 10, is in the standard range). It would permit all hosts on the source network 192.168.10.0/24. ## Footnote Because of the implied "deny any" ACE at the end of every ACL, all other traffic would be blocked.
81
Look at the following ACL, is it a Standard or Extended ACL? Why? `access-list 100 permit tcp 192.168.10.0 0.0.0.255 any eq www` What would it achieve?
It is an extended ACL because it uses protocol and Layer 4 port information to permit/deny traffic (and its number, 100, is in the extended range). It would permit all hosts on the 192.168.10.0/24 network to send TCP traffic to any destination host on port 80 (www). ## Footnote Because of the implied "deny any" ACE at the end of every ACL, all other traffic would be blocked.
82
What ACL numbers are for standard ACLs?
1-99 and 1300-1999
83
What ACL numbers are used for extended ACLs?
100-199 and 2000-2699
84
Which is the preferred method, numbered ACLs or named ACLs? Why?
Named ACLs, because the name can state the purpose of the ACL.
85
What IOS command is used to create a named ACL?
`ip access-list [standard/extended] [acl-name]` | e.g. `ip access-list extended FTP-FILTER`
86
What IOS command would be needed to create a named extended ACL called FTP-FILTER?
`ip access-list extended FTP-FILTER`
87
Once we have created a named extended ACL called FTP-FILTER, what command would configure it to allow FTP traffic from any host in the 192.168.10.0/24 network to any destination?
`permit tcp 192.168.10.0 0.0.0.255 any eq ftp` ## Footnote `ftp` is the FTP control connection on TCP port 21. You can't use the | pipe to allow multiple different traffic types like `ftp|ftp-data`; each port needs its own ACE.
88
We have created a named ACL called FTP-FILTER and configured it to allow FTP traffic from any host in the 192.168.10.0/24 network to any destination. How would we also allow FTP-DATA traffic?
Add another permit statement with the traffic type set to ftp-data (TCP port 20): `permit tcp 192.168.10.0 0.0.0.255 any eq ftp-data` ## Footnote Without this second ACE the data connection falls through to the implicit deny, even though the control connection on port 21 is permitted.
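Added example (not part of the module or of Cisco IOS): a small Python simulator for the top-down, first-match, implicit-deny evaluation described in cards 46 to 52, run against the standard and extended ACLs from cards 80 and 81 and the FTP-FILTER entries from cards 87 and 88. It parses the numbered form (`access-list N permit|deny ...`) and the entry form used inside `ip access-list` (`permit|deny ...`) for the subset of syntax the cards use: `host`, `any`, an explicit wildcard, `tcp`/`udp`/`ip`, and `eq` with a port name or number. Sequence numbers, `range`, `established`, `log` and other IOS options are not modelled, and entries are applied strictly in the order given. The port-name table, function names and sample packets are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port names the cards use, resolved the way IOS resolves `eq <name>` (constructed subset).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80}

ANY = (0, 0xFFFFFFFF)   # source 0.0.0.0 with wildcard 255.255.255.255


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: List[str]) -> Tuple[Tuple[int, int], List[str]]:
    """Consume `any`, `host A` or `A WILDCARD` from the front of tokens."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    if len(tokens) > 1 and tokens[1][0].isdigit():
        return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]
    return (_ip(tokens[0]), 0), tokens[1:]   # standard ACE with no wildcard: IOS assumes 0.0.0.0


@dataclass
class ACE:
    action: str                  # "permit" or "deny"
    proto: Optional[str]         # None for a standard ACE; "ip", "tcp" or "udp" for extended
    src: Tuple[int, int]         # (address, wildcard)
    dst: Tuple[int, int]         # a standard ACE never looks at the destination, so ANY
    dport: Optional[int]         # destination port from `eq`, if given


def parse_ace(line: str) -> ACE:
    """Parse `access-list N permit|deny ...` or the `permit|deny ...` form used inside `ip access-list`."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]                # drop the keyword and the ACL number
    action = t[0]
    if t[1] in ("ip", "tcp", "udp"):            # extended: protocol, source, destination, options
        src, rest = _parse_addr(t[2:])
        dst, rest = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        return ACE(action, t[1], src, dst, dport)
    src, _ = _parse_addr(t[1:])                # standard: source address only
    return ACE(action, None, src, ANY, None)


def _matches(addr: int, pair: Tuple[int, int]) -> bool:
    """Wildcard bit 0 = must match, bit 1 = ignore."""
    target, wildcard = pair
    return ((addr ^ target) & (~wildcard & 0xFFFFFFFF)) == 0


def evaluate(acl: List[ACE], src: str, dst: str = "0.0.0.0",
             proto: str = "ip", dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Walk the ACL top-down and return (action, 1-based index of the ACE that matched).
    No match means the implicit deny at the end fires, reported with index None."""
    s, d = _ip(src), _ip(dst)
    for index, ace in enumerate(acl, start=1):
        if not _matches(s, ace.src) or not _matches(d, ace.dst):
            continue
        if ace.proto not in (None, "ip") and ace.proto != proto:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, index           # first match wins; later ACEs are never examined
    return "deny", None                    # implicit deny any


def load(lines: List[str]) -> List[ACE]:
    return [parse_ace(line) for line in lines]


# The ACLs from cards 80, 81, 87 and 88, plus a constructed pair that shows ordering.
STANDARD_10 = load(["access-list 10 permit 192.168.10.0 0.0.0.255"])
EXTENDED_100 = load(["access-list 100 permit tcp 192.168.10.0 0.0.0.255 any eq www"])
FTP_FILTER = load([
    "permit tcp 192.168.10.0 0.0.0.255 any eq ftp",
    "permit tcp 192.168.10.0 0.0.0.255 any eq ftp-data",
])
DENY_HOST_FIRST = load(["deny host 192.168.10.10", "permit 192.168.10.0 0.0.0.255"])
PERMIT_NET_FIRST = load(["permit 192.168.10.0 0.0.0.255", "deny host 192.168.10.10"])

if __name__ == "__main__":
    print(evaluate(FTP_FILTER, "192.168.10.5", "203.0.113.7", "tcp", 21))   # ('permit', 1)
    print(evaluate(FTP_FILTER, "192.168.10.5", "203.0.113.7", "tcp", 80))   # ('deny', None)
    print(evaluate(DENY_HOST_FIRST, "192.168.10.10"))                         # ('deny', 1)
    print(evaluate(PERMIT_NET_FIRST, "192.168.10.10"))                        # ('permit', 1): the deny is shadowed
```

The last two calls are the point of the exercise: in `PERMIT_NET_FIRST` the network-wide permit matches host .10 before its deny is ever reached, so the deny is dead. Writing the ACL out in plain language first (guideline 76) and checking it on a development network (guideline 79) is how that kind of ordering mistake is caught before it reaches a production interface.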
89
Where in the network should you place ACLs? | Think about more than just the device name
* On the router where it will have the greatest impact on efficiency. * Place ACLs to reduce unwanted traffic by filtering it close to the source where possible, rather than letting it cross the network only to be denied near the destination.
90
Where should Extended ACLs typically be placed?
Extended ACLs tend to be configured close to the *source*, because they can identify the exact traffic (source, destination, protocol, port) and drop it before it consumes bandwidth.
91
Where should Standard ACLs typically be placed?
Standard ACLs tend to be configured close to the *destination*, because they only match on the source address and would otherwise block that source from reaching every network beyond the ACL.
92
We want to create an ACL that blocks all traffic from 192.168.10.0/24 to 192.168.30.0/24. Typically which interface should have this ACL configured?
As a standard ACL, it should be placed close to the *destination*: preferably applied outbound on the router interface that connects only to the 192.168.30.0/24 network, so hosts in 192.168.10.0/24 can still reach other networks.
93
Which ACL is capable of filtering based on TCP port number?
Extended ACL
94
True or False? Numbered ACLs are the preferred method to use when configuring ACLs
False. Named ACLs are preferred.
95
True or False? Named ACLs can be standard or extended
True.
96
What is the purpose of ACLs?
ACLs are used to identify traffic by filtering packets based on packet header information.
97
What is an ACL?
A series of IOS commands used to filter packets.
98
What does a router do if no ACLs are configured by default?
The router does not perform any packet filtering.
99
What happens when an ACL is applied to an interface?
The router evaluates all network packets as they pass through the interface.
100
What are permit or deny statements in an ACL called?
Access Control Entries (ACEs).
101
What types of ACLs do Cisco routers support?
Standard ACLs and extended ACLs.
102
What is the function of an inbound ACL?
Filters packets before they are routed to the outbound interface.
103
What does an outbound ACL do?
Filters packets after they are routed, regardless of the inbound interface.
104
What is the first step in the filtering process when an ACL is applied to an interface?
For a standard ACL, the router extracts the source IPv4 address from the packet header.
105
How does a router process an ACL?
It compares the packet to each ACE in sequential order, starting from the top (the source IPv4 address for a standard ACL).
106
What happens if a match is made in an ACL?
The router either permits or denies the packet and does not analyze the remaining ACEs.
107
What occurs if the source IPv4 address does not match any ACEs?
The packet is discarded due to the implicit deny ACE at the end of the ACL.
108
What is a wildcard mask?
A 32-bit mask used to determine which bits of an IPv4 address to examine for a match.
109
How does a wildcard mask differ from a subnet mask?
The bits mean different things: in a subnet mask a 1 bit marks the network portion, whereas in a wildcard mask a 0 bit means "must match" and a 1 bit means "ignore". Wildcard masks also do not have to be contiguous.
110
What is the shortcut to calculate a wildcard mask?
Subtract the subnet mask from 255.255.255.255.
111
What keywords simplify working with wildcard masks in Cisco IOS?
Keywords 'host' and 'any'.
112
Fill in the blank: A wildcard mask is used to filter traffic for _______.
[one host, one subnet, a range of IPv4 addresses]
113
True or False: A wildcard mask can only be used for routing protocols.
False.
114
What is the limit on the number of ACLs that can be applied on a dual-stacked router interface?
Up to four ACLs can be applied: one outbound IPv4 ACL, one inbound IPv4 ACL, one inbound IPv6 ACL, and one outbound IPv6 ACL.
115
What basic planning is required before configuring an ACL?
The planning includes: * Base ACLs on the organizational security policies * Write out what you want the ACL to do * Use a text editor to create, edit, and save all of your ACLs * Document the ACLs using the remark command * Test the ACLs on a development network before implementing them on a production network.
116
What are the two types of IPv4 ACLs?
Standard ACLs and Extended ACLs.
117
How do Standard ACLs determine whether to permit or deny packets?
Based only on the source IPv4 address.
118
What additional criteria do Extended ACLs use to permit or deny packets?
Based on the source IPv4 address, destination IPv4 address, protocol type, source and destination TCP or UDP ports, and more.
119
What is the range of ACL numbers for Standard ACLs?
1 to 99, or 1300 to 1999.
120
What is the range of ACL numbers for Extended ACLs?
100 to 199, or 2000 to 2699.
121
What is the preferred method for configuring ACLs?
Using named ACLs.
122
What are the rules for naming ACLs?
The rules are: * Assign a name to identify the purpose of the ACL * Names can contain alphanumeric characters * Names cannot contain spaces or punctuation * Suggested to write the name in CAPITAL LETTERS * Entries can be added or deleted within the ACL.
123
Where should Extended ACLs be located for maximum efficiency?
As close as possible to the source of the traffic to be filtered.
124
Where should Standard ACLs be located for maximum efficiency?
As close to the destination as possible.
125
True or False: ACLs must be configured in both directions.
False.
126
Fill in the blank: Every ACL should be placed where it has the greatest impact on _______.
[efficiency]
127
What factors may influence the placement of an ACL?
The extent of organizational control, bandwidth of the networks, and ease of configuration.