Section 6. Managing Traffic Using Access Lists Flashcards
Q1-What are six common types of IP access lists that can be configured on a Cisco router?
Common types of IP access lists are numbered (standard and extended), named, dynamic (lock-and-key), reflexive, and time-based access lists.
Q2-How are access lists processed?
Access lists are processed sequentially, from the top down, one statement at a time. As soon as a packet matches a statement, that statement's permit or deny action is applied and the packet is not evaluated against any further statements. Because of this first-match behavior, the order of the statements within an access list is significant.
Q3-What is at the end of each access list?
An implicit deny any statement is at the end of each access list. An implicit deny statement denies any packet that is not matched in the access list.
Q4-What criteria do standard IP access lists use to filter packets?
Standard IP access lists filter packets by the source IP address. This results in the packets being permitted or denied for the entire protocol suite based on the source network, subnet, or host IP address.
Because standard IP access lists filter only by source address, you should place them as close to the destination as possible. Placed near the source, a standard list would block that source's traffic to every destination beyond the filtering point, not just the one you intend to protect; placed near the destination, it ensures that the source still has access to other, nonfiltered destinations.
Q5-What criteria do extended IP access lists use to filter packets?
Extended IP access lists filter packets using any combination of the source address, destination address, and protocol.
If the protocols specified in the extended access lists are TCP or UDP, port numbers can be included in the criteria. If ICMP is the protocol specified, specific ICMP message types can be filtered.
Extended access lists should be placed as close to the source as possible. This prevents unwanted traffic from passing through the network.
Q6-What are the number ranges that define standard and extended IP access lists?
The number ranges that define standard and extended IP access lists are as follows:
- Standard IP access lists: 1 to 99 and 1300 to 1999 (expanded range)
- Extended IP access lists: 100 to 199 and 2000 to 2699 (expanded range)
Q7-What are reflexive access lists?
Reflexive access lists allow IP packets to be filtered based on upper-layer session information. They allow outbound traffic and limit inbound traffic in response to sessions that originate from a network inside the router.
Reflexive ACLs contain only temporary entries that are created when a new IP session begins and are removed when the session ends. Reflexive ACLs are not applied directly to an interface; instead, they are “nested” within an extended named IP ACL that is applied to an interface.
Q8-What are dynamic access lists?
Dynamic access lists (lock-and-key) create access list entries on the router dynamically, allowing a user who has authenticated to the router through Telnet to reach resources that are otherwise blocked behind the router.
Dynamic access lists depend on the user authenticating to the router and on extended access lists. The lock-and-key configuration starts with an extended ACL that blocks traffic through the router. A user who wants to traverse the router is blocked by the extended ACL until he authenticates to the router through Telnet with a username and password. After the user is authenticated, the Telnet connection is dropped, and a single-entry dynamic ACL entry is added to the extended ACL to permit that user's traffic through the router.
Q9-What are time-based access lists?
Time-based ACLs are an enhancement to extended access lists that additionally consider the time of day when making a filtering decision.
Q10-In what two ways can IP access lists be applied to an interface?
IP access lists can be applied inbound or outbound.
Inbound access lists process packets as they enter a router’s interface and before they are routed.
Outbound access lists process packets as they exit a router’s interface and after they are routed.
Compared with an outbound access list, an inbound access list conserves CPU by dropping unwanted packets before they are processed against the routing table. Inbound and outbound access lists applied to an interface filter packets passing through the router, but not traffic originated by the router itself. For the ICND exam, if a question asks which type of access list is more effective, inbound or outbound, the more correct answer is inbound.
Q11-How many access lists can be applied to an interface on a Cisco router?
Only one access list per protocol, per direction, per interface can be applied on a Cisco router. Multiple access lists are permitted per interface, but they must be for different protocols or applied in different directions.
You should first create an access list and then apply it to an interface; an empty access list applied to an interface permits all traffic. All traffic is permitted because the implicit deny does not exist within an ACL until at least one statement is defined.
Q12-What two things must one do to activate an access list?
To activate an access list, you must perform the following steps:
- Create the access list.
- Apply or reference the access list.
Q13-What things should one consider when configuring access lists?
Things one should consider when configuring access lists are
The ACL type (standard or extended) determines the criteria used for filtering.
Only one ACL per interface, per protocol, per direction is allowed.
Access list ordering is important during configuration. Poor ordering can create undesired results, so always ensure that specific references to a host, subnet, or network appear before more general statements; otherwise the general statement matches first and the specific one is never reached. Also, when possible, place the most frequently matched statements toward the top of an ACL and less frequently matched ones toward the bottom, to reduce router CPU processing.
Every ACL needs at least one permit statement because of the implicit “deny any any” at the end of each ACL.
When placing an ACL, place extended ACLs close to the source. Standard ACLs should be placed close to the destination.
An ACL can filter traffic going through a router when the ACL is applied to an interface or traffic to and from the router when the ACL is applied to a VTY line.
By default, all new statements added to an access list are appended to the bottom, before the implicit deny, of the ACL.
When applying an ACL to an interface, consider applying the ACL in the inbound direction to save processing through the routing table.
Q14-What is the IOS command syntax that creates a standard IP access list?
The command syntax that creates a standard IP access list is as follows:
access-list access-list-number {permit | deny} source-address [wildcard-mask]
For example:
RouterA(config)# access-list 10 deny 192.168.0.0 0.0.0.255
Q15-When implementing access lists, what are wildcard masks?
Wildcard masks define which of the 32 bits in the IP address must be matched.
Wildcards are used with access lists to specify a host, network, or part of a network. In wildcard masks, when binary 0s are present, the corresponding bits in the IP address must match. Wildcard mask bits with a binary value of 1 do not require matching bits within the IP address. For example, if you have an IP address of 172.16.0.0 with a wildcard mask of 0.0.255.255, the first two octets of the IP address must match 172.16, but the last two octets can be in the range of 0 to 255.
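The rules from Q2, Q3, Q11, Q14, and Q15 (top-down first match, the implicit deny, an empty list permitting everything, the standard access-list syntax, and wildcard-mask matching) as a small Python simulator, with an extra check for the ordering rule in Q13 (a broad statement that hides a later, more specific one). This is an added example, not code from the flashcards or from Cisco IOS; the access-list statements and addresses in it are constructed sample data, and the function names are the example's own.

```python
"""Simulator for Cisco IOS standard IP access-list evaluation.

Added example, not from the flashcards or from Cisco IOS. It parses
statements of the form `access-list N {permit|deny} source [wildcard]`
(plus the `any` and `host` keywords), evaluates a source address top-down
with first-match semantics, applies the implicit `deny any` at the end,
and treats an empty list as permit-all. All list numbers and addresses
below are constructed sample data.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    """Dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_from_prefix(prefix_len):
    """Wildcard mask for a /prefix_len network: the bitwise inverse of the subnet mask."""
    netmask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(netmask ^ ALL_ONES))


def wildcard_match(addr, base, wildcard):
    """A 0 bit in the wildcard must match the base; a 1 bit is a don't-care."""
    care = to_int(wildcard) ^ ALL_ONES
    return (to_int(addr) & care) == (to_int(base) & care)


def parse_standard_acl(lines):
    """Parse standard access-list statements into (action, base, wildcard) tuples."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            raise ValueError(f"not a standard access-list statement: {line!r}")
        number = int(tokens[1])
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError(f"list {number} is outside the standard IP ACL number ranges")
        action = tokens[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if tokens[3] == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif tokens[3] == "host":
            base, wildcard = tokens[4], "0.0.0.0"
        else:
            # IOS treats an omitted wildcard mask as 0.0.0.0 (a single host).
            base = tokens[3]
            wildcard = tokens[4] if len(tokens) > 4 else "0.0.0.0"
        entries.append((action, base, wildcard))
    return entries


def evaluate(entries, src):
    """Return 'permit' or 'deny' for a source address under first-match rules."""
    if not entries:
        return "permit"  # the implicit deny does not exist until a statement is defined
    for action, base, wildcard in entries:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"  # implicit deny any at the end of every non-empty list


def shadowed_entries(entries):
    """Indexes of statements that can never match because an earlier, broader one covers them."""
    shadowed = []
    for i, (_, base_i, wc_i) in enumerate(entries):
        care_i = to_int(wc_i) ^ ALL_ONES
        for _, base_j, wc_j in entries[:i]:
            care_j = to_int(wc_j) ^ ALL_ONES
            # j covers i when j cares about a subset of i's bits and both agree on those bits.
            subset = (care_j & (care_i ^ ALL_ONES)) == 0
            agree = (to_int(base_i) & care_j) == (to_int(base_j) & care_j)
            if subset and agree:
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    # Constructed sample: block one /24 but permit the rest of 192.168.0.0/16.
    acl10 = parse_standard_acl([
        "access-list 10 deny 192.168.0.0 0.0.0.255",
        "access-list 10 permit 192.168.0.0 0.0.255.255",
    ])
    for src in ("192.168.0.7", "192.168.5.9", "10.0.0.1"):
        print(src, evaluate(acl10, src))
    # The same statements in the wrong order: the general permit now hides the deny.
    misordered = parse_standard_acl([
        "access-list 10 permit 192.168.0.0 0.0.255.255",
        "access-list 10 deny 192.168.0.0 0.0.0.255",
    ])
    print("shadowed:", shadowed_entries(misordered), "->", evaluate(misordered, "192.168.0.7"))
```

Running the block prints deny for 192.168.0.7, permit for 192.168.5.9, and deny for 10.0.0.1 (nothing matched, so the implicit deny applies); the misordered copy reports statement 1 as shadowed and permits 192.168.0.7, which is exactly the ordering mistake Q13 warns about. The simulator covers only standard lists; extended lists add destination, protocol, and port criteria that it does not model.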