Module 5: ACLs for IPv4 Configuration Flashcards

1
Q

A network administrator configures an ACL with the command
R1(config)# access-list 1 permit 172.16.0.0 0.0.15.255
Which IP address ranges will match this ACL statement?

A

172.16.0.0 to 172.16.15.255

2
Q

What IOS command is used to create a numbered standard IPv4 ACL?

A

access-list access-list-number {deny | permit | remark text} source [source-wildcard]

3
Q

What IOS command is used to create a named standard IPv4 ACL?

A

ip access-list standard {access-list-name}

5
Q

Why is it best practice to name ACLs in all UPPERCASE?

A

Because ACL names are case sensitive: Managers and MANAGERS are two different ACLs. Using uppercase only makes it less likely that you create two different ACLs with the same name but different capitalisation.

6
Q

After you create a standard ACL, what must you do next?

A

Link it to an interface or feature.

7
Q

What IOS command is used to link a standard ACL to an interface?

A

ip access-group {access-list-number | access-list-name} {in | out}

9
Q

What would the following series of IOS commands accomplish?
~~~
R1(config)# access-list 10
R1(config)# access-list 10 permit host 192.168.10.10
R1(config)# do show access-lists
Standard IP access list 10
10 permit 192.168.10.10
R1(config)#
~~~

A

Creates a numbered standard ACE that permits host 192.168.10.10 to reach any destination. (The first line, access-list 10 on its own, is an incomplete command: IOS expects permit, deny or remark after the list number, so only the second line creates the ACE.)

Because of the implicit deny ACE at the end of every ACL, if this is the only ACE present all other traffic is blocked.

10
Q

What IOS command displays all ACLs?

A

show access-lists (run from privileged EXEC; from configuration mode prefix it with do, as in do show access-lists)

show run | section access-list also works and additionally shows remarks

11
Q

What IOS commands would apply ACL 10 outbound on the Serial 0/1/0 interface?

There’s more than one command required

A
interface Serial 0/1/0
ip access-group 10 out
end
12
Q

How can we show remarks statements added to ACLs?

A

They don’t show up in show access-lists output.
We have to use show run | section access-list to display them from the running configuration.

13
Q

What series of commands would be necessary to create a named IPv4 standard ACL called PERMIT-ACCESS, which allows host 192.168.10.10 to access any destination host?

A

ip access-list standard PERMIT-ACCESS
permit host 192.168.10.10
We can add a remark with remark ACE permits host 192.168.10.10

Because of the implicit deny ACE at the end of every ACL, if this is the only ACE present all other traffic is blocked.

14
Q

What series of commands would be necessary to create a named IPv4 standard ACL called PERMIT-ACCESS, which allows all hosts on the 192.168.20.0/24 network to access any destination host?

A
ip access-list standard PERMIT-ACCESS
permit 192.168.20.0 0.0.0.255
(The standard keyword is required, and the ACE is entered on its own line in named-ACL configuration mode, not on the same line as ip access-list.)
15
Q

What IOS command could we use to verify an interface called Serial 0/1/0 has an ACL applied to it?

A

show ip interface Serial 0/1/0
We could filter to just the relevant section with show ip interface Serial 0/1/0 | include access list

16
Q

What are the IOS commands to:
1. Create a named standard ACL called LAN2-FILTER.
2. Create an ACE within it that permits host 192.168.10.10
3. Create an ACE that denies any other traffic
4. Return to global configuration mode

A
ip access-list standard LAN2-FILTER
permit host 192.168.10.10
deny any
exit
17
Q

What are the IOS commands to:
1. Enter interface g0/0/1
2. Apply a named ACL LAN2-FILTER outbound
3. Return to global configuration mode

A
interface g0/0/1
ip access-group LAN2-FILTER out
exit
(ip access-group applies the ACL to the interface; ip access-list standard would instead create or edit the ACL.)
18
Q

What are ACL Statistics?
What IOS command displays them?

A

They show the number of times each ACE has been matched.
show access-lists

19
Q

Why might you create a deny any ACE despite the hidden implicit deny at the end of every ACL?

A

To track the number of times access has been denied using ACL statistics. The implicit deny has no counter, so only an explicit deny any ACE shows matches in show access-lists.
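As an added example, not part of the NetAcad module or Cisco code, the following Python models how IOS walks a standard ACL top-down with first match wins, keeps the per-ACE match counters that show access-lists displays, and lets everything else fall through to a counter-less implicit deny. It covers cards 9, 16, 18 and 19 together. The ACL names and ACEs come from those cards; the source addresses evaluated in demo() are constructed, and the show output only approximates the real format.

```python
import ipaddress
from dataclasses import dataclass, field

ALL_ONES = 0xFFFFFFFF


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class StandardAce:
    seq: int          # sequence number, as shown by 'show access-lists'
    action: str       # "permit" or "deny"
    address: str
    wildcard: str
    matches: int = 0  # the "(n matches)" counter, i.e. ACL statistics

    def hits(self, source: str) -> bool:
        # A 0 bit in the wildcard must match exactly, a 1 bit is ignored.
        care = _ip(self.wildcard) ^ ALL_ONES
        return (_ip(self.address) ^ _ip(source)) & care == 0

    def render(self) -> str:
        if self.wildcard == "0.0.0.0":
            text = f"{self.seq} {self.action} {self.address}"
        elif self.wildcard == "255.255.255.255":
            text = f"{self.seq} {self.action} any"
        else:
            text = f"{self.seq} {self.action} {self.address}, wildcard bits {self.wildcard}"
        if self.matches:
            text += f" ({self.matches} match{'es' if self.matches != 1 else ''})"
        return text


@dataclass
class StandardAcl:
    name: str
    aces: list = field(default_factory=list)

    def add(self, action: str, source: str) -> None:
        """source is written as on the CLI: 'any', 'host X' or 'X WILDCARD'."""
        parts = source.split()
        if parts == ["any"]:
            address, wildcard = "0.0.0.0", "255.255.255.255"
        elif parts[0] == "host":
            address, wildcard = parts[1], "0.0.0.0"
        else:  # a bare address with no wildcard is treated as a host, as IOS does
            address, wildcard = parts[0], (parts[1] if len(parts) > 1 else "0.0.0.0")
        self.aces.append(StandardAce(10 * (len(self.aces) + 1), action, address, wildcard))

    def evaluate(self, source: str) -> str:
        """Top-down, first match wins. Falling off the end is the implicit
        'deny any', which is not an ACE and therefore has no counter."""
        for ace in self.aces:
            if ace.hits(source):
                ace.matches += 1
                return ace.action
        return "deny"

    def clear_counters(self) -> None:  # 'clear access-list counters <name>'
        for ace in self.aces:
            ace.matches = 0

    def show(self) -> list:  # approximates 'show access-lists <name>'
        return [f"Standard IP access list {self.name}"] + [f"    {a.render()}" for a in self.aces]


def demo() -> tuple:
    # Card 9: ACL 10 has a single permit and relies on the implicit deny.
    acl10 = StandardAcl("10")
    acl10.add("permit", "host 192.168.10.10")
    # Card 16: LAN2-FILTER makes the deny explicit so that it is counted.
    lan2 = StandardAcl("LAN2-FILTER")
    lan2.add("permit", "host 192.168.10.10")
    lan2.add("deny", "any")
    # Constructed source addresses: the permitted host and two other hosts.
    for src in ["192.168.10.10", "192.168.10.11", "192.168.20.5"]:
        acl10.evaluate(src)
        lan2.evaluate(src)
    return acl10.show(), lan2.show()


if __name__ == "__main__":
    listing_10, listing_lan2 = demo()
    for line in listing_10 + listing_lan2:
        print(line)
```

Running the file prints both listings: after the same three sources, ACL 10 shows only the permit ACE with a counter (the two refusals happened in the implicit deny and left no trace), whereas LAN2-FILTER's explicit deny any shows 2 matches. Swapping the order of the two ACEs in LAN2-FILTER would make the deny any shadow the permit, which is why order matters.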

20
Q

What IOS command resets the ACL Statistics for the named ACL NO-ACCESS?

A

clear access-list counters NO-ACCESS

21
Q

Typically ACLs filter incoming and outgoing traffic on an interface. What impact would creating an ACL on a vty line have?

A

It would secure remote administrative access to the device.

22
Q

Why would you typically only ever have a vty line ACL using the in parameter?

A

Because vty lines are used for remote access into the device. The out direction would only restrict Telnet/SSH sessions initiated from the router itself, which is rarely needed.

23
Q

Supoose we have an ACL called ADMIN-HOST that permits only specific IP addresses inbound access.
What IOS commands are required for the following next steps:
1. Enter vty config mode for vty lines 0 15
2. Set the login local method
3. Only allow SSH
4. Apply the ACL ADMIN-HOST

A
R1(config)# line vty 0 15
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# access-class ADMIN-HOST in
24
Q

What IOS command is required to create a Numbered Extended ACL that permits HTTP traffic from the source network 192.168.1.0/24 to the destination 10.0.0.0/8?

A

access-list 100 permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255 eq 80

25
Q

What does the {protocol} parameter of an Extended ACL do?
What are some common keywords?

A

Sets the matching protocols by name, number or keyword.
Common keywords:

  • ip
  • tcp
  • udp
  • icmp
26
Q

What does the operator part of the [operator {port}] parameter of an Extended ACL do?
What are some common keywords?
Give an example of the full parameter

A

The operator compares the packet’s port number against the port(s) listed.
Common keywords:
* lt (less than)
* gt (greater than)
* eq (equal)
* neq (not equal)
* range (inclusive range between two ports)

eq 8080 matches port 8080 only; range 1024 65535 matches any port from 1024 up

27
Q

How is an Extended ACL applied to an interface?

A

The same as how a Standard ACL is applied:
~~~
interface {interface-name}
ip access-group {access-list-number | access-list-name} {in | out}
~~~

28
Q

When creating an extended ACL, why are Port Keywords preferred over Port Numbers?
Why might you use a Port Number anyway?

A

Because they are more easily understood, for example www rather than 80
You might need to use a port number because there is no port keyword, for example HTTPS has no keyword and must be added via the port number 443

29
Q

Is SSH a valid Port Keyword?

A

No, it must be added using port 22

30
Q

What would the following series of IOS commands achieve?
~~~
R1(config)# access-list 110 permit tcp 192.168.10.0 0.0.0.255 any eq www
R1(config)# access-list 110 permit tcp 192.168.10.0 0.0.0.255 any eq 443
R1(config)# interface g0/0/0
R1(config-if)# ip access-group 110 in
R1(config-if)# exit
R1(config)#
~~~

A

Create two new ACEs in the extended ACL 110.
* The first allows all hosts in the 192.168.10.0/24 network to send www (TCP port 80) traffic to any destination.
* The second allows them to send port 443 (HTTPS) traffic to any destination.

It then applies ACL 110 inbound on interface g0/0/0, so it filters traffic entering the router from that LAN; everything not matched by the two ACEs hits the implicit deny.

31
Q

What IOS command is used to create a named extended ACL?

A

ip access-list extended {access-list-name}

32
Q

Name the extended ACL port keywords for the following ports:
* DNS
* FTP (both required keywords)
* HTTP

A
  • domain
  • ftp and ftp-data
  • www
33
Q

What is a TCP Established Extended ACL?
Why might one be used?

A

An extended ACL that uses the established keyword: it permits inbound TCP segments only when the ACK or RST flag is set, i.e. segments that look like replies to sessions initiated from the inside, while a bare SYN from outside (a new connection attempt) falls through to the implicit deny.
It is typically applied inbound on the outside interface so that internal hosts can send HTTP requests to remote web servers and receive the responses. Note that it checks flags only, not connection state: an outside packet with ACK set is permitted whether or not an inside host ever opened a session.

34
Q

What IOS commands are required to make a TCP Established Extended Numbered ACL?

A

access-list access-list-number {permit | deny} tcp source source-wildcard [operator port] destination destination-wildcard [operator port] established

For example, access-list 120 permit tcp any 192.168.10.0 0.0.0.255 established, applied inbound on the outside interface with ip access-group 120 in, lets return TCP traffic reach the 192.168.10.0/24 LAN.
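As an added example, not part of the module or Cisco code, this Python evaluator applies extended ACEs the way IOS does: protocol, source and destination with wildcards, the [operator port] clause with eq/neq/lt/gt/range, and the established keyword. It serves cards 24 to 26, 30, 33 and 34 together: ACL_110 and ACL_120 reproduce the ACLs from those cards, while the packets, the 203.0.113.10 server address and the TCP flag values are constructed for the demo. It goes a little beyond the cards by showing the failure mode of established: the check is stateless, so an outside packet with ACK set is permitted even though no session exists.

```python
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10  # TCP flag bits
# Port keywords used on the page. IOS has no 'ssh' or 'https' keyword, so 22 and 443 are numeric.
PORT_KEYWORDS = {"www": 80, "telnet": 23, "ftp": 21, "ftp-data": 20, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: int = 0   # TCP flag bits, 0 for non-TCP


@dataclass(frozen=True)
class ExtendedAce:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp" or "icmp"
    src: tuple            # (address, wildcard)
    dst: tuple
    src_op: tuple = ()    # e.g. ("eq", 4300) or ("range", 1024, 65535)
    dst_op: tuple = ()
    established: bool = False


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _addr_field(field: str) -> tuple:
    """'any', 'host X' or 'X WILDCARD' -> (address, wildcard)."""
    parts = field.split()
    if parts == ["any"]:
        return "0.0.0.0", "255.255.255.255"
    return (parts[1], "0.0.0.0") if parts[0] == "host" else (parts[0], parts[1])


def _wc_match(addr_wc: tuple, candidate: str) -> bool:
    # A 0 bit in the wildcard must match exactly; a 1 bit is ignored.
    care = _ip(addr_wc[1]) ^ ALL_ONES
    return (_ip(addr_wc[0]) ^ _ip(candidate)) & care == 0


_OPS = {
    "eq": lambda port, v: port == v[0],
    "neq": lambda port, v: port != v[0],
    "lt": lambda port, v: port < v[0],
    "gt": lambda port, v: port > v[0],
    "range": lambda port, v: v[0] <= port <= v[1],
}


def port_op(kind: str, *ports) -> tuple:
    """Build an [operator port] clause, resolving keywords such as 'www'."""
    return (kind, *[PORT_KEYWORDS[p] if p in PORT_KEYWORDS else int(p) for p in ports])


def _port_match(op: tuple, port: int) -> bool:
    return True if not op else _OPS[op[0]](port, op[1:])


def ace(action, proto, src, dst, src_op=(), dst_op=(), established=False):
    return ExtendedAce(action, proto, _addr_field(src), _addr_field(dst), src_op, dst_op, established)


def ace_matches(a: ExtendedAce, p: Packet) -> bool:
    if a.proto != "ip" and a.proto != p.proto:
        return False
    if not (_wc_match(a.src, p.src) and _wc_match(a.dst, p.dst)):
        return False
    if a.proto in ("tcp", "udp") and not (_port_match(a.src_op, p.sport) and _port_match(a.dst_op, p.dport)):
        return False
    # 'established' is stateless: it only asks whether ACK or RST is set.
    return not a.established or bool(p.flags & (TCP_ACK | TCP_RST))


def evaluate(acl: list, p: Packet) -> str:
    """Top-down, first match wins; the implicit 'deny ip any any' catches the rest."""
    for a in acl:
        if ace_matches(a, p):
            return a.action
    return "deny"


# Card 30: ACL 110, applied inbound on the LAN interface g0/0/0.
ACL_110 = [
    ace("permit", "tcp", "192.168.10.0 0.0.0.255", "any", dst_op=port_op("eq", "www")),
    ace("permit", "tcp", "192.168.10.0 0.0.0.255", "any", dst_op=port_op("eq", "443")),
]
# Cards 33 and 34: ACL 120, applied inbound on the outside interface.
ACL_120 = [ace("permit", "tcp", "any", "192.168.10.0 0.0.0.255", established=True)]


def established_demo() -> dict:
    """Constructed packets arriving on the outside interface from a remote server."""
    reply = Packet("tcp", "203.0.113.10", "192.168.10.5", 80, 50000, TCP_ACK)
    syn = Packet("tcp", "203.0.113.10", "192.168.10.5", 40000, 445, TCP_SYN)
    forged = Packet("tcp", "203.0.113.10", "192.168.10.5", 40000, 445, TCP_ACK)
    return {"reply": evaluate(ACL_120, reply),         # permit: genuine return traffic
            "syn": evaluate(ACL_120, syn),             # deny: new connection from outside
            "forged_ack": evaluate(ACL_120, forged)}   # permit: ACK set, no session needed
```

The forged_ack result is why established is only a coarse filter: it admits any inbound segment carrying ACK or RST, regardless of whether an inside host opened the session, so it should not be relied on as the sole barrier to inbound connections.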

35
Q

What IOS command can be used to verify ACLs on an interface?

A

show ip interface

36
Q

What IOS command can be used to verify the contents of an ACL?

A

show access-lists

37
Q

What IOS command can be used to verify all settings applied to the device?

A

show running-config

38
Q

The computers used by the network administrators for a school are on the 10.7.0.0/27 network.

Which two commands are required at minimum to apply an ACL that will ensure only those devices will be allowed Telnet access to the routers?

A

access-list 5 permit 10.7.0.0 0.0.0.31 creates the ACL (0.0.0.31 is the wildcard mask for a /27)
access-class 5 in applies the access list to the vty lines (entered in line configuration mode, e.g. under line vty 0 4)

39
Q

Consider the configured access list.
~~~
R1# show access-lists
extended IP access list 100
deny tcp host 10.1.1.2 host 10.1.1.1 eq telnet
deny tcp host 10.1.2.2 host 10.1.2.1 eq telnet
permit ip any any (15 matches)
~~~
What are two characteristics of this access list?

A
  1. Any device on the 10.1.1.0/24 network, except host 10.1.1.2, can Telnet to the router interface with IP 10.1.1.1 (and likewise any 10.1.2.0/24 host except 10.1.2.2 can Telnet to 10.1.2.1).
  2. The access list is applied to an interface and being evaluated, because the permit ip any any ACE has accumulated matches.
40
Q

Which command will verify the number of packets that are permitted or denied by an ACL that restricts SSH access?

A

show access-lists

41
Q

Which access list statement permits HTTP traffic that is sourced from host 10.1.129.100 port 4300 and destined to host 192.168.30.10?

A

access-list 101 permit tcp host 10.1.129.100 eq 4300 host 192.168.30.10 eq www

42
Q

When configuring router security, what is the most effective way to use ACLs to control Telnet traffic that is destined to the router itself?

A

The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.

43
Q

What packets would match the access control list statement that is shown below?

access-list 110 permit tcp 172.16.0.0 0.0.0.255 any eq 22

A

SSH (TCP port 22) traffic from the 172.16.0.0/24 network (wildcard 0.0.0.255 covers 172.16.0.0 to 172.16.0.255) to any destination network

44
Q

Consider the access list command applied outbound on a router serial interface.

access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo-reply

What is the effect of applying this access list command?

A

No traffic will be allowed outbound on the serial interface.

The only ACE denies ICMP echo replies from 192.168.10.0/24; everything else falls through to the implicit deny ip any any statement at the end of every extended ACL.

45
Q

Consider the following output for an ACL that has been applied to a router via the access-class in command. What can a network administrator determine from the output that is shown?

R1# <output omitted>
Standard IP access list 2
10 permit 192.168.10.0, wildcard bits 0.0.0.255 (2 matches)
20 deny any (1 match)
A

The access-class command is only applied to vty lines, so the counters reflect remote login attempts: two devices from 192.168.10.0/24 were able to use SSH or Telnet to gain access to the router, and one attempt from outside that network was refused by the explicit deny any.

46
Q

Will the following command configure a standard ACL?

access-list 90 permit host 192.168.10.5

A

Yes

47
Q

Will the following command configure a standard ACL?

access-list 90 permit 192.168.200.4 host

A

No, because the host keyword must be placed before the source IP address. Alternatively access-list 90 permit 192.168.200.4 0.0.0.0 could be used.

48
Q

To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface?

A

Echo Reply

49
Q

What two ACEs could be used to deny IP traffic from a single source host 10.1.1.1 to the 192.168.0.0/16 network?

A
  1. access-list 100 deny ip host 10.1.1.1 192.168.0.0 0.0.255.255
  2. access-list 100 deny ip 10.1.1.1 0.0.0.0 192.168.0.0 0.0.255.255
50
Q

An administrator has configured an access list on R1 to allow SSH administrative access from host 172.16.1.100. Which command correctly applies the ACL?

A

access-class 1 in (entered in line configuration mode under the vty lines, after the standard ACL 1 permitting host 172.16.1.100 has been created; ip access-group is for interfaces, not vty lines)

51
Q

What commonly motivates cybercriminals to attack networks as compared to hactivists or state-sponsored hackers?

A

Financial gain

52
Q

If an asymmetric algorithm uses a public key to encrypt data, what is used to decrypt it?

A

A private key

53
Q

What is a ping sweep?

A

A network scanning technique that indicates the live hosts in a range of IP addresses.

54
Q

In what way are zombies used in security attacks?

A

They are infected machines that carry out a DDoS attack.

55
Q

Which requirement of secure communications is ensured by the implementation of MD5 or SHA hash generating algorithms?​

A

Integrity

56
Q

Which statement accurately characterizes the evolution of threats to network security?

A

Internal threats can cause even greater damage than external threats.

57
Q

What wild card mask will match networks 172.16.0.0 through 172.19.0.0?

A

0.3.255.255
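As an added example, not part of the module or Cisco code, the following Python does the wildcard-mask arithmetic behind cards 1, 38, 46, 47, 57 and 58: deriving a wildcard from a prefix length, computing the range that an address/wildcard pair covers, expanding the host and any keywords, and testing a candidate address bit by bit the way IOS does. It goes beyond the cards in one respect: because the test is bitwise, it also handles non-contiguous wildcards such as 0.0.254.255, which have no prefix-length equivalent. The addresses used are the page's own or constructed for the demo.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def wildcard_from_prefix(prefix_len: int) -> str:
    """The wildcard mask is the bitwise inverse of the subnet mask:
    /24 -> 0.0.0.255, /27 -> 0.0.0.31, /32 -> 0.0.0.0 (what 'host' expands to)."""
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return to_str(subnet_mask ^ ALL_ONES)


def wildcard_matches(address: str, wildcard: str, candidate: str) -> bool:
    """IOS semantics: a 0 bit in the wildcard must equal the ACE address bit,
    a 1 bit is 'don't care'. Being bitwise, this also works for non-contiguous
    wildcards that do not correspond to any prefix length."""
    care_bits = to_int(wildcard) ^ ALL_ONES
    return (to_int(address) ^ to_int(candidate)) & care_bits == 0


def matched_range(address: str, wildcard: str) -> tuple:
    """Lowest and highest address an ACE matches. Only meaningful for a
    contiguous wildcard (0 bits followed by 1 bits)."""
    a, w = to_int(address), to_int(wildcard)
    return to_str(a & (w ^ ALL_ONES)), to_str(a | w)


def expand_source(source: str) -> tuple:
    """Turn the source field of a standard ACE into (address, wildcard):
    'any' -> 0.0.0.0 255.255.255.255, 'host X' -> X 0.0.0.0, 'X W' -> X W,
    and a bare 'X' -> X 0.0.0.0 (IOS assumes a host when no wildcard is given).
    Raises ValueError for something like '192.168.200.4 host' (card 47)."""
    parts = source.split()
    if parts == ["any"]:
        return "0.0.0.0", "255.255.255.255"
    if len(parts) == 2 and parts[0] == "host":
        address, wildcard = parts[1], "0.0.0.0"
    elif len(parts) == 2:
        address, wildcard = parts
    elif len(parts) == 1:
        address, wildcard = parts[0], "0.0.0.0"
    else:
        raise ValueError(f"unparseable source field: {source!r}")
    to_int(address), to_int(wildcard)  # both must be dotted quads; raises otherwise
    return address, wildcard


def valid_source(source: str) -> bool:
    """True if IOS would accept the source field of a standard ACE."""
    try:
        expand_source(source)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("172.16.0.0 0.0.15.255 ->", matched_range("172.16.0.0", "0.0.15.255"))
    print("172.16.0.0 0.3.255.255 ->", matched_range("172.16.0.0", "0.3.255.255"))
    print("/27 wildcard:", wildcard_from_prefix(27))
    # Non-contiguous wildcard: match only even-numbered /24s under 192.168.0.0/16.
    for host in ("192.168.4.1", "192.168.5.1"):
        print(host, wildcard_matches("192.168.0.0", "0.0.254.255", host))
```

The non-contiguous case is worth knowing when reading someone else's ACL: 0.0.254.255 keeps only the lowest bit of the third octet significant, so 192.168.4.1 matches and 192.168.5.1 does not, even though neither range can be written as a prefix.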

58
Q

Which two keywords can be used in an access control list to replace a wildcard mask or address and wildcard mask pair?

A
  1. host
  2. any
59
Q

Which statement describes a difference between the operation of inbound and outbound ACLs?

A

Inbound ACLs are processed before the packets are routed while outbound ACLs are processed after the routing is completed.

60
Q

What effect does the no access-list 10 IOS command have?

A

It removes ACL 10 (all of its ACEs) from the running configuration. Caveat: if an interface still references it with ip access-group 10, that interface now passes all traffic, because IOS treats a reference to a non-existent ACL as permit any. Remove the ip access-group first, or re-create the ACL straight away.

61
Q

The named ACL “Managers” already exists on the router. What will happen when the network administrator issues the commands below?

ip access-list extended Managers
deny tcp 192.168.1.0 0.0.0.255 any eq telnet
deny tcp 192.168.1.0 0.0.0.255 any eq www
deny tcp 192.168.1.0 0.0.0.255 any eq ftp
A

ip access-list extended Managers enters configuration mode for the existing named ACL rather than creating a new one (an ACL name is unique across standard and extended lists), so the three deny ACEs are appended to the end of Managers with the next free sequence numbers. They block every host in 192.168.1.0/24 from reaching Telnet, www (HTTP) and FTP (control port) anywhere, but the ACEs already in Managers are still evaluated first, so their effect depends on what precedes them.

Remember that ACL names are case sensitive: Managers and MANAGERS would be two separate ACLs (a very bad and confusing idea, which is why the module recommends uppercase names).

62
Q

What can be determined about Telnet packets from the following output?

R1# show access-list MyACL
Extended IP access list MyACL
10 permit tcp host 10.35.80.22 host 10.23.77.101 eq telnet
20 permit tcp host 10.35.80.25 host 10.23.77.101 eq 16100 (14 matches)
30 permit tcp host 10.35.80.25 host 10.23.77.101 eq 17600 (80 matches)
A

The Telnet ACE (sequence 10) shows no match counter, so no Telnet traffic from 10.35.80.22 to 10.23.77.101 has been matched by this ACL: no Telnet connections have gone through it. The counters on the other two ACEs show the ACL is applied and being evaluated.

63
Q

What will the following ACE achieve?
access-list 101 permit tcp any host 192.168.1.1 eq 80

A

Permit HTTP (TCP port 80) packets from any source to the web server 192.168.1.1. Any other traffic is dropped by the implicit deny unless further ACEs follow.

64
Q

What does the CLI prompt change to after entering the command ip access-list standard aaa from global configuration mode?

A

Router(config-std-nacl)#
