Module 4: ACL Concepts

Question 1

What do routers make routing decisions based on?

Answer 1

Information in the packet header

Question 2

How is traffic routed when entering a router interface?

Answer 2

Solely based on information within the routing table

Question 3

What does the router compare to find the best match for routing?

Answer 3

The destination IP address with routes in the routing table

Question 4

What is the purpose of an access control list (ACL)?

Answer 4

To filter packets based on information found in the packet header

Question 5

By default, do routers have any ACLs configured?

Answer 5

No

Question 6

What happens when an ACL is applied to a router interface?

Answer 6

The router evaluates all network packets as they pass through the interface

Question 7

What is the role of access control entries (ACEs) in an ACL?

Answer 7

A sequential list of permit or deny statements

Question 8

Fill in the blank: An ACL is a series of _______ commands used to filter packets.

Answer 8

lOS

Question 9

True or False: A router forwards packets based on the best match route found in the routing table.

Answer 9

True

Question 10

What are ACEs commonly referred to as?

Answer 10

ACEs are also commonly called ACL statements.

ACL stands for Access Control List.

Question 11

What happens when network traffic passes through an interface configured with an ACL?

Answer 11

The router compares the information within the packet against each ACE, in sequential order.

This is essential for determining if the packet matches one of the ACEs.

Question 12

What is the process called when a router checks packets against ACEs?

Answer 12

Packet filtering.

Packet filtering is crucial for managing network traffic and security.

Question 13

What do several tasks performed by routers require?

Answer 13

The use of ACLs to identify traffic.

ACLs help in controlling the flow of traffic based on defined rules.

Question 14

What is the purpose of limiting in unnecessary network traffic?

Answer 14

To increase network performance

Reducing unnecessary traffic allows for better bandwidth management and improved application responsiveness.

Question 15

What type of high bandwidth traffic is often prohibited by a corporate policy to reduce network load?

Answer 15

Video traffic

Video traffic can consume significant bandwidth, impacting overall network performance.

Question 16

How can a policy to block video traffic be enforced?

Answer 16

Using ACLs (Access Control Lists)

ACLs can specify which types of traffic are allowed or denied on a network.

Question 17

What is traffic flow control?

Answer 17

A corporate policy that requires routing protocol traffic to be limited to certain links only.

Traffic flow control helps manage network efficiency and security.

Question 18

How can a corporate policy be implemented to control routing protocol traffic?

Answer 18

Using ACLs to restrict the delivery of routing updates to only those that come from a known source.

ACLs (Access Control Lists) are used to enhance network security by defining permissions for traffic.

Question 19

What is the basic level of security for network access?

Answer 19

Restricted access to authorized users only

This ensures that only individuals with permission can access sensitive information.

Question 20

What does corporate policy demand regarding access to confidential networks?

Answer 20

Access must be restricted to authorized users only

This policy is crucial for protecting sensitive employee information.

Question 21

How can a policy be enforced to limit access to specified networks?

Answer 21

Using Access Control Lists (ACLs)

ACLs are used to define which users or systems are granted or denied access to specific resources.

Question 22

What does corporate policy require regarding network traffic?

Answer 22

Certain traffic, such as email, must be permitted while other traffic, like Telnet access, must be denied.

This reflects the need to control access and protect network integrity.

Question 23

How can a policy be implemented to filter traffic by type?

Answer 23

Using ACLs (Access Control Lists) to filter traffic.

ACLs are a set of rules that determine what traffic is allowed or denied on a network.

Question 24

True or False: All traffic types should be allowed into a network in order to not impact usability.

Answer 24

False

Some traffic must be denied, such as Telnet access because it’s not secure.

Question 25

Fill in the blank: A policy can be implemented using _______ to filter traffic by type.

Answer 25

ACLs

ACLs help in managing network security by controlling traffic flow.

Question 26

What is the purpose of a screen host?

Answer 26

To permit or deny access to network services

Screen hosts act as a gatekeeper for network access.

Question 27

What must be considered when it comes to permitting or denying access to certain file types?

Answer 27

Access to some file types (e.g., FTP or HTTP) must be limited to user groups yet available to others.

This ensures that only authorised users can access sensitive or specific file types.

Question 28

How can a policy be implemented to control user access to services?

Answer 28

Using ACLs (Access Control Lists) to filter user access

ACLs are a common method for defining who can access what resources in a network.

Question 29

Fill in the blank: Corporate policy often requires that access to some file types be limited to _______.

Answer 29

Authorised user groups

This is aimed at protecting sensitive information from unauthorised access.

Question 30

What is the purpose of providing priority to certain classes of network traffic?

Answer 30

To ensure that critical traffic, like voice traffic, is forwarded as fast as possible to avoid interruptions.

Question 31

How can a policy be implemented to prioritize voice traffic?

Answer 31

Using ACLs and QoS services

Question 32

What is packet filtering?

Answer 32

Packet filtering controls access to a network by analyzing incoming and/or outgoing packets and forwarding or discarding them based on given criteria.

Question 33

At which OSI layers does packet filtering occur?

Answer 33

Packet filtering can occur at Layer 3 and Layer 4.

Question 34

Fill in the blank: Packet filtering controls access to a network by analyzing the incoming and/or outgoing packets and ______ them based on given criteria.

Answer 34

[forwarding or discarding]

Question 35

What do standard ACLs filter?

Answer 35

Standard ACLs filter at Layer 3 using the source IPv4 address only.

Standard ACLs provide basic filtering capabilities.

Question 36

What additional features do extended ACLs provide compared to standard ACLs?

Answer 36

Extended ACLs filter at Layer 3 using the source and/or destination IPv4 address and can also filter at Layer 4 using TCP, UDP ports, and optional protocol type information.

Extended ACLs allow for more granular control over network traffic.

Question 37

What do ACLs define?

Answer 37

The set of rules that give added control for packets that enter inbound interfaces, relay through the router, and exit outbound interfaces of the router.

Question 38

Can ACLs be configured for both inbound and outbound traffic?

Answer 38

Yes, ACLs can be configured to apply to both inbound traffic and outbound traffic.

Question 39

Do ACLs act on packets that originate from the router itself?

Answer 39

No, ACLs do not act on packets that originate from the router itself.

Question 40

What is the purpose of an inbound ACL?

Answer 40

Filters packets before they are routed to the outbound interface

Inbound ACLs are efficient as they save routing lookup overhead if packets are discarded.

Question 41

How does an inbound ACL handle permitted packets?

Answer 41

Permitted packets are processed for routing

This allows the packet to proceed through the network.

Question 42

When are inbound ACLs most effectively used?

Answer 42

When the network attached to an inbound interface is the only source of packets that need to be examined

This ensures focused filtering of relevant traffic.

Question 43

What is the function of an outbound ACL?

Answer 43

Filters packets after they have been routed, regardless of the inbound interface

Outbound ACLs apply rules to traffic exiting the network.

Question 44

How are incoming packets processed in relation to outbound ACLs?

Answer 44

Incoming packets are routed to the outbound interface and then processed through the outbound ACL

This means outbound ACLs evaluate packets after routing decisions have been made.

Question 45

When are outbound ACLs best utilized?

Answer 45

When the same filter will be applied to packets from multiple inbound interfaces before exiting the same outbound interface

This allows for centralized filtering of outgoing traffic.

Question 46

What is the first step when an ACL is applied to an interface?

Answer 46

The router extracts the source IPv4 address from the packet header.

Question 47

What does the router do after extracting the source IPv4 address?

Answer 47

The router starts at the top of the ACL and compares the source IPv4 address to each ACE in a sequential order.

Question 48

What happens when a match is made between the source IPv4 address and an ACE?

Answer 48

The router carries out the instruction, either permitting or denying the packet, and the remaining ACEs in the ACL are not analyzed.

Question 49

What occurs if the source IPv4 address does not match any ACEs in the ACL?

Answer 49

The packet is discarded due to an implicit deny ACE automatically applied to all ACLs.

Question 50

What does ACE stand for in the context of ACL?

Answer 50

Access Control Entry

Question 51

What is the last ACE statement of an ACL?

Answer 51

An implicit deny that blocks all traffic

This statement is automatically implied at the end of an ACL but is hidden and not displayed in the configuration.

Question 52

What happens if an ACL does not have any permit statements?

Answer 52

All traffic will be denied due to the implicit deny ACE statement

An ACL must have at least one permit statement to allow traffic.

Question 53

What are the permit or deny statements in an ACL called?

Answer 53

Access control entries

Access control entries (ACEs) are the individual rules that determine the permissions for accessing resources.

Question 54

Fill in the blank: Extended ACLs filter at _______.

Answer 54

Layer 3 and Layer 4

This allows for more granular control over network traffic.

Question 55

Fill in the blank: Standard ACLs filter at _______.

Answer 55

Layer 3

They are limited to filtering based on source addresses.

Question 56

Question

What does an IPv4 ACE use to determine which bits of the address to examine for a match?

Answer 56

Wildcard Mask

Question 57

How does a wildcard mask match bit values in an address?
Think about what binary value is a match, and which isn’t.

Answer 57

Wildcard mask bit 0 - Match the corresponding bit value in the address.
Wildcard mask bit 1 - Ignore the corresponding bit value in the address.

0.0.0.0 would match all octets. 0.0.255.255 would match the first two

Question 58

Question

What would the meaning be of the wildcard mask 0.0.0.15 ?

Think about what 15 is in binary, and whether a 1 or a 0 is a match

Answer 58

0.0.0.15 = All 0’s in the first three octets, and then 00001111 in the last octet.
* Match the first three octets
* Match the four left most bits of the last octet
* Ignore the last 4 bits of the last octet.

Question 59

What would the following IOS command achieve?

access-list 10 permit 192.168.1.1 0.0.0.0

Answer 59

It would create an ACE numbered 10, that allows traffic from 192.168.1.1 only.

access-list [ACL number] [permit/deny] [source] [wildcard]

Question 60

What would the following IOS command achieve?

access-list 10 permit 192.168.1.0 0.0.0.255

Answer 60

It would create an ACE numbered 10, that allows traffic from the entire 192.168.1.0/24 network.

Question 61

What would the following IOS command acheive?

access-list 10 permit 192.168.16.0 0.0.15.255

Answer 61

It would create an ACE numbered 10, that allows traffic from all the hosts in the 192.168.16.0/24 to the 192.168.31.0/24 networks.

Here’s what happens:
* The router checks the first two octets (192.168.) and sees they must match exactly.
* For the third octet, the router allows any value from 16 (00010000) to 31 (00011111), because the wildcard mask (15 or 00001111) allows variation in the last 4 bits.
* The fourth octet is entirely ignored (255 or 11111111), meaning it permits all host addresses within each subnet.

Question 62

Question

What is a shortcut for calculating a wildcard mask?

Answer 62

Subtract the subnet mask from 255.255.255.255

Question 63

Question

Assume you wanted an ACE in ACL 10 to permit all users in the 192.168.1.0/24 network.
How would you calculate the wildcard mask required?
What IOS command would you use to add it?

Answer 63

1. Take the starting value of 255.255.255.255
2. Subtract the subnet mask 255.255.255.0
3. Resulting wildcard mask is 0.0.0.255
4. IOS command access-list 10 permit 192.168.1.0 0.0.0.255

Question 64

Question

Assume you wanted an ACE in ACL 10 to permit all users in the 192.168.1.32/28 network.
How would you calculate the wildcard mask required?
What IOS command would you use to add it?

Answer 64

1. Take the starting value of 255.255.255.255
2. Calculate the subnet mask. A /28 network means 11110000 in the last octet, which is 128 + 64 + 32 + 16 = 240
3. 255.255.255.255 - 255.255.255.240 = 0.0.0.15 wildcard mask.
4. IOS command access-list 10 permit 192.168.1.32 0.0.0.15

Question 65

Question

Assume you wanted an ACE in ACL 10 to permit all users in the 192.168.10.0 and 192.168.11.0 networks.
How would you calculate the wildcard mask required?
What IOS command would you use to add it?

Answer 65

1. Take the starting value of 255.255.255.255
2. Calculate the subnet mask. 12.168.10.0 and 192.168.11.0 share the subnet mask of 255.255.254.0
3. 255.255.255.255 - 255.255.254.0 = 0.0.1.255 wildcard mask.
4. IOS command access-list 10 permit 192.168.10.0 0.0.1.255

Question 66

Question

Assume you wanted an ACE in ACL 10 to permit all users in the 192.168.16.0/24 to the 192.168.31.0/24 networks.
How would you calculate the wildcard mask required?
What IOS command would you use to add it?

Answer 66

1. Calculate the wildcard mask, by noting the non-changing parts of the IP address with 0, the range of the partially variable octet by subtracting them (31-16 = 15), and then setting the variable octets to 255 = 0.0.15.255
2. IOS command access-list 10 permit 192.168.16.0 0.0.15.255

Question 67

Question

What does the Wildcard Mask Keyword ‘host’ substitute for?
How would it be used to create an ACE?

Answer 67

Host substitutes for a wildcard mask of 0.0.0.0 meaning just the one host matches.
access-list 10 permit host 192.168.1.10 and access-list 10 permit 192.168.1.10 0.0.0.0 are functionaly identical.

Question 68

What does the Wildcard Mask Keyword ‘host’ substitute for?
How would it be used to create an ACE?

Answer 68

Any substitutes for a wildcard mask of 255.255.255.255 accepts every address.
access-list 10 permit any and access-list 10 permit 0.0.0.0 255.255.255.255 are functionaly identical.

Question 69

Question

Which wildcard mask would permit only host 10.10.10.1?

Answer 69

0.0.0.0

Or host substitute

Question 70

Question

Which wildcard mask would permit only hosts from the 10.10.0.0/16 network?

Answer 70

0.0.255.255

Question 71

Question

Which wildcard mask would permit all hosts?

Answer 71

255.255.255.255

Or any substitute

Question 72

Question

Which wildcard mask would permit all hosts from the 192.168.10.0/24 network?

Answer 72

0.0.0.255

Question 73

Question

How many ACLs can a router interface have?

Answer 73

Four.
1. Inbound IPv4 ACL
2. Outbound IPv4 ACL
3. Inbound IPv6 ACL
4. Outbound IPv6 ACL

Not all devices need both inbound and outbound ACLs

Remember this is per interface so a single router may have many more than four in total.

Question 74

Question

Why should great care be taken when adding or modifying ACLs?

Answer 74

Mistakes can be costly in terms of downtime, troubleshooting efforts, and poor network service.

Question 75

Describe the benefit of the ACL guideline

Basing ACLs on the organisational security policies

Answer 75

To ensure that security policies are being met.

Question 76

Describe the benefit of the ACL guideline

Write out in plain language what you want the ACL to do.

Answer 76

To help you ensure the ACL is going to do what you want and prevent inadvertently creating access problems.

Question 77

Describe the benefit of the ACL guideline

Use a text editor to create, edit, and save all of your ACLs in a single location.

Answer 77

For documentation purposes and to create a library of reusable ACLs.

Question 78

Describe the benefit of the ACL guideline

Document the ACLs using the remark command.

Answer 78

This will help you and others later understand the purpose of an ACE.

Question 79

Describe the benefit of the ACL guideline

Test the ACLs on a development network before implementing them on a production network.

Answer 79

To avoid costly errors in a live environment.

Question 80

Question

Look at the following ACL, is it a Standard or Extended ACL? Why?
access-list 10 permit 192.168.10.0 0.0.0.255
What would it achieve?

Answer 80

It is a standard ACL because it only permits/denies based on the source IPv4 address.
It would permit all hosts on the source network 192.168.10.0/24.

Because of the implied “deny any” ACE at the end of every ACL all other traffic would be blocked.

Question 81

Question

Look at the following ACL, is it a Standard or Extended ACL? Why?
access-list 100 permit tcp 192.168.10.0 0.0.0.255 any eq www
What would it acheive?

Answer 81

It is an extended ACL because it uses Layer 4 protocol information to permit/deny traffic.
It would permit all hosts on the 192.168.10.0/24 network to send traffic to any destination host on port 80 (www)

Because of the implied “deny any” ACE at the end of every ACL all other traffic would be blocked.

Question 82

Question

What ACL numbers are for standard ACLs?

Answer 82

1-99 and 1300-1999

Question 83

Question

What ACL numbers are used for extended ACLs?

Answer 83

100-19 and 2000-2699

Question 84

Question

Which is the preferred method, numbered ACLs or named ACLs?
Why?

Answer 84

Named ACLs because they are clearer in purpose

Question 85

Question

What IOS command is used to create a named ACL?

Answer 85

ip access-list [standard/extended] [acl-name]

e.g. ip access-list extended FTP-FILTER

Question 86

Question

What IOS command would be needed to create a named extended ACL called FTP-FILTER?

Answer 86

ip access-list extended FTP-FILTER

Question 87

Question

Once we have created a named extended ACL called FTP-FILTER what command would configure it to allow FTP traffic from any host in the 192.168.10.0/24 network to any destination?

Answer 87

permit tcp 192.168.10.0 0.0.0.255 any eq ftp

You can’t use the | pipe to allow multiple different traffic types like ftp|ftp-data

Question 88

Question

We have created a named ACL called FTP-FILTER and configured it to allow FTP traffic from any host in the 192.168.10.0/24 network to any destination.
How would we also allow FTP-DATA traffic?

Answer 88

Add another permit statement, with the traffic type set to ftp-data
permit tcp 192.168.10.0 0.0.0.255 any eq ftp-data

You can’t use the | pipe to allow multiple different traffic types like ftp|ftp-data

Question 89

Question

Where in the network should you place ACLs?

Think about more than just the device name

Answer 89

• The router where it will have the greatest impact on efficiency.
• Try to place ACLs to reduce unwanted traffic, by filtering it close to the source where possible, rather than allowing it to be sent through the network only to be denied near the destination.

Question 90

Question

Where should Extended ACLs typically be placed?

Answer 90

Extended ACLs tend to be configured close to the source

Question 91

Question

Where should Standard ACLs typically be placed?

Answer 91

Standard ACLs tend to be configured close to the destination

Question 92

Question

We want to create an ACL that blocks all traffic from 192.168.10.0/24 to 192.168.30.0/24.

Typically which interface should have this ACL configured?

Answer 92

As a standard ACL, it should be placed close to the destination.

In this case, preferably the router interface that connects only to the 192.168.30.0/24 network.

Question 93

Question

Which ACL is capable of filtering based on TCP port number?

Answer 93

Extended ACL

Question 94

True or False?

Numbered ACLs is the preferred method to use when configuring ACLs

Answer 94

False. Named ACLs are preferred.

Question 95

True or False?

Named ACLs can be standard or extended

Answer 95

True.

Question 96

What is the purpose of ACLs?

Answer 96

ACLs are used to identify traffic by filtering packets based on packet header information.

Question 97

What is an ACL?

Answer 97

A series of IOS commands used to filter packets.

Question 98

What does a router do if no ACLs are configured by default?

Answer 98

The router does not perform any packet filtering.

Question 99

What happens when an ACL is applied to an interface?

Answer 99

The router evaluates all network packets as they pass through the interface.

Question 100

What are permit or deny statements in an ACL called?

Answer 100

Access Control Entries (ACEs).

Question 101

What types of ACLs do Cisco routers support?

Answer 101

Standard ACLs and extended ACLs.

Question 102

What is the function of an inbound ACL?

Answer 102

Filters packets before they are routed to the outbound interface.

Question 103

What does an outbound ACL do?

Answer 103

Filters packets after they are routed, regardless of the inbound interface.

Question 104

What is the first step in the filtering process when an ACL is applied to an interface?

Answer 104

The router extracts the source IPv4 address from the packet header.

Question 105

How does a router process an ACL?

Answer 105

It compares the source IPv4 address to each ACE in sequential order.

Question 106

What happens if a match is made in an ACL?

Answer 106

The router either permits or denies the packet and does not analyze remaining ACEs.

Question 107

What occurs if the source IPv4 address does not match any ACEs?

Answer 107

The packet is discarded due to an implicit deny ACE.

Question 108

What is a wildcard mask?

Answer 108

A 32-bit mask used to determine which bits of an IPv4 address to examine for a match.

Question 109

How does a wildcard mask differ from a subnet mask?

Answer 109

It matches binary 1s and 0s differently; bit 0 matches, bit 1 ignores.

Question 110

What is the shortcut to calculate a wildcard mask?

Answer 110

Subtract the subnet mask from 255.255.255.255.

Question 111

What keywords simplify working with wildcard masks in Cisco IOS?

Answer 111

Keywords ‘host’ and ‘any’.

Question 112

Fill in the blank: A wildcard mask is used to filter traffic for _______.

Answer 112

[one host, one subnet, a range of IPv4 addresses]

Question 113

True or False: A wildcard mask can only be used for routing protocols.

Answer 113

False.

Question 114

What is the limit on the number of ACLs that can be applied on a dual-stacked router interface?

Answer 114

Up to four ACLs can be applied: one outbound IPv4 ACL, one inbound IPv4 ACL, one inbound IPv6 ACL, and one outbound IPv6 ACL.

Question 115

What basic planning is required before configuring an ACL?

Answer 115

The planning includes:
* Base ACLs on the organizational security policies
* Write out what you want the ACL to do
* Use a text editor to create, edit, and save all of your ACLs
* Document the ACLs using the remark command
* Test the ACLs on a development network before implementing them on a production network.

Question 116

What are the two types of IPv4 ACLs?

Answer 116

Standard ACLs and Extended ACLs.

Question 117

How do Standard ACLs determine whether to permit or deny packets?

Answer 117

Based only on the source IPv4 address.

Question 118

What additional criteria do Extended ACLs use to permit or deny packets?

Answer 118

Based on the source IPv4 address, destination IPv4 address, protocol type, source and destination TCP or UDP ports, and more.

Question 119

What is the range of ACL numbers for Standard ACLs?

Answer 119

1 to 99, or 1300 to 1999.

Question 120

What is the range of ACL numbers for Extended ACLs?

Answer 120

100 to 199, or 2000 to 2699.

Question 121

What is the preferred method for configuring ACLs?

Answer 121

Using named ACLs.

Question 122

What are the rules for naming ACLs?

Answer 122

The rules are:
* Assign a name to identify the purpose of the ACL
* Names can contain alphanumeric characters
* Names cannot contain spaces or punctuation
* Suggested to write the name in CAPITAL LETTERS
* Entries can be added or deleted within the ACL.

Question 123

Where should Extended ACLs be located for maximum efficiency?

Answer 123

As close as possible to the source of the traffic to be filtered.

Question 124

Where should Standard ACLs be located for maximum efficiency?

Answer 124

As close to the destination as possible.

Question 125

True or False: ACLs must be configured in both directions.

Answer 125

False.

Question 126

Fill in the blank: Every ACL should be placed where it has the greatest impact on _______.

Answer 126

[efficiency]

Question 127

What factors may influence the placement of an ACL?

Answer 127

The extent of organizational control, bandwidth of the networks, and ease of configuration.