Section 6. Managing Traffic Using Access Lists Flashcards

1
Q

Q1-What are six common types of IP access lists that can be configured on a Cisco router?

A

The following are common types of IP access lists: numbered (including standard and extended), named, dynamic, reflexive, and time-based access lists.

2
Q

Q2-How are access lists processed?

A

Access lists are processed in sequential, logical order, evaluating packets from the top down, one statement at a time. As soon as a match is made, the permit or deny option is applied, and the packet is not evaluated against any further access list statements. Because of this, the order of the statements within an access list is significant.

3
Q

Q3-What is at the end of each access list?

A

An implicit deny any statement is at the end of each access list. An implicit deny statement denies any packet that is not matched in the access list.

4
Q

Q4-What criteria do standard IP access lists use to filter packets?

A

Standard IP access lists filter packets by the source IP address. This results in the packets being permitted or denied for the entire protocol suite based on the source network, subnet, or host IP address.

Because standard IP access lists filter by source address, you should place the access list as close to the destination network as possible. Doing this helps avoid denying unnecessary traffic and ensures that the source still has access to other, nonfiltered destinations.

5
Q

Q5-What criteria do extended IP access lists use to filter packets?

A

Extended IP access lists use any combination of the source address, destination address, and protocol to filter packets.

If the protocols specified in the extended access lists are TCP or UDP, port numbers can be included in the criteria. If ICMP is the protocol specified, specific ICMP message types can be filtered.

Extended access lists should be placed as close to the source as possible. This prevents unwanted traffic from passing through the network.

6
Q

Q6-What are the number ranges that define standard and extended IP access lists?

A

The number ranges that define standard and extended IP access lists are as follows:

Standard IP access lists: 1 to 99 and 1300 to 1999 (expanded range)

Extended IP access lists: 100 to 199 and 2000 to 2699 (expanded range)

7
Q

Q7-What are reflexive access lists?

A

Reflexive access lists allow IP packets to be filtered based on upper-layer session information. They allow outbound traffic and limit inbound traffic in response to sessions that originate from a network inside the router.

Reflexive ACLs contain only temporary entries that are created when a new IP session begins and are removed when the session ends. Reflexive ACLs are not applied directly to an interface, but are “nested” within an extended named IP ACL that is applied to an interface.

8
Q

Q8-What are dynamic access lists?

A

Dynamic access lists (lock-and-key) dynamically create access list entries on the router to allow a user who has authenticated to the router through Telnet to access resources that are blocked behind the router.

Dynamic access lists depend on the user authenticating to the router and on extended access lists. Considered lock-and-key, the configuration starts with an extended ACL that blocks traffic through the router. A user who wants to traverse the router is blocked by the extended ACL until he authenticates to the router through Telnet with a username and password. After the user is authenticated, the Telnet connection is dropped, and a single-entry dynamic ACL entry is added to the extended ACL to permit the user to traverse the router.

9
Q

Q9-What are time-based access lists?

A

Time-based ACLs are an enhancement to extended access lists that additionally consider the time of day when making a filtering decision.

10
Q

Q10-In what two ways can IP access lists be applied to an interface?

A

IP access lists can be applied inbound or outbound.

Inbound access lists process packets as they enter a router’s interface and before they are routed.

Outbound access lists process packets as they exit a router’s interface and after they are routed.

Inbound access lists, when compared to outbound access lists, conserve CPU processing by filtering packets before they are processed against the routing table. Outbound and inbound access lists process packets going into or out of a router, but not traffic originating from the router itself when the access list is applied to an interface. For the ICND exam, if a question asks which type of access list is more effective—inbound or outbound—the more correct answer would be inbound.

11
Q

Q11-How many access lists can be applied to an interface on a Cisco router?

A

Only one access list per protocol, per direction, per interface can be applied on a Cisco router. Multiple access lists are permitted per interface, but they must be for different protocols or applied in different directions.

You should first create an access list and then apply it to an interface; an empty access list when applied to an interface permits all traffic. The reason for all traffic being permitted is that the implicit deny does not exist within an ACL until at least one statement is defined.

12
Q

Q12-What two things must one do to activate an access list?

A

To activate an access list, you must perform the following steps:

  1. Create the access list.
  2. Apply or reference the access list.
13
Q

Q13-What should one consider when configuring access lists?

A

Things one should consider when configuring access lists are as follows:

The ACL type (standard or extended) determines the criteria used for filtering.

Only one ACL per interface, per protocol, per direction is allowed.

Access-list ordering is important during configuration. Poor ordering can create undesired results; therefore, always ensure that specific references to a subnet or network appear before those that are generalized. Also, when possible, place more often matched statements toward the top of an ACL and less frequent ones to the bottom of the list, to help with router CPU processing.

Every ACL needs at least one permit statement because of the implicit “deny any any” at the end of each ACL.

When placing an ACL, place extended ACLs close to the source. Standard ACLs should be placed close to the destination.

An ACL can filter traffic going through a router when the ACL is applied to an interface or traffic to and from the router when the ACL is applied to a VTY line.

By default, all new statements added to an access list are appended to the bottom of the ACL, before the implicit deny.

When applying an ACL to an interface, consider applying the ACL in the inbound direction to save processing through the routing table.

14
Q

Q14-What is the IOS command syntax that creates a standard IP access list?

A

The command syntax that creates a standard IP access list is as follows:
access-list access-list-number {permit | deny} source-address [wildcard-mask]
For example:
RouterA(config)# access-list 10 deny 192.168.0.0 0.0.0.255

15
Q

Q15-When implementing access lists, what are wildcard masks?

A

Wildcard masks define which of the 32 bits in the IP address must be matched.

Wildcards are used with access lists to specify a host, network, or part of a network. In wildcard masks, when binary 0s are present, the corresponding bits in the IP address must match. Wildcard mask bits with a binary value of 1 do not require matching bits within the IP address. For example, if you have an IP address of 172.16.0.0 with a wildcard mask of 0.0.255.255, the first two octets of the IP address must match 172.16, but the last two octets can be in the range of 0 to 255.

16
Q

Q16-What is the Cisco IOS command syntax that creates an extended access list?

A

To create an extended access list in IOS, use the following command:
access-list access-list-number {permit | deny} protocol source-address source-wildcard-bits [operator port] destination-address destination-wildcard-bits [operator port]
In this syntax, protocol examples include IP, TCP, User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and generic routing encapsulation (GRE).

The operator port value can be lt (less than), gt (greater than), eq (equal to), or neq (not equal to), followed by a TCP or UDP port number.

17
Q

Q17-What does the following access list do?
access-list 110 deny ip host 172.16.0.2 any
access-list 110 permit ip any any

A

The access list denies any traffic from the host 172.16.0.2 and permits all other traffic.

18
Q

Q18-After you create a standard or extended IP access list, how do you apply it to an interface on a Cisco router?

A

Use the ip access-group interface command, as follows:
ip access-group access-list-number {in | out}
For example:
RouterA(config)# int g0/0/0
RouterA(config-if)# ip access-group 10 in
This applies access list 10 to gigabit interface 0/0/0 as an inbound access list.

19
Q

Q19-What IOS commands will create an extended access list that denies web traffic to network 192.168.10.0/24?

A

To create an extended access list that denies web traffic to network 192.168.10.0, enter the following:
access-list 101 deny tcp any 192.168.10.0 0.0.0.255 eq www
access-list 101 permit ip any any

20
Q

Q20-You have a router that has its Gigabit Ethernet interface G0/0 connected to the network 192.168.1.0/24. As the network administrator, you want to block all Telnet traffic originating from the network 192.168.1.0/24 while permitting all other IP traffic. You create the following access list and apply it to Gigabit interface 0/0:
access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 23
After you apply the access list, hosts connected to the router’s Gigabit interface cannot communicate to remote networks. Why might this be?

A

Hosts attached to network 192.168.1.0/24 cannot communicate with remote networks because the access list is denying all IP traffic. At the end of each access list is a deny all statement. Thus access list 101 is not only denying Telnet traffic but is also denying all IP traffic as well. To resolve the problem, the access list needs to be configured as follows:
access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 23
access-list 101 permit ip any any

21
Q

Q21-Create a named access list that only blocks pings from network 172.16.0.0/22 to host 192.168.0.101.

A

To create a named access list that only blocks pings from network 172.16.0.0/22 to host 192.168.0.101, enter the following:
ip access-list extended block-ping
deny icmp 172.16.0.0 0.0.3.255 host 192.168.0.101 echo
permit ip any any
When you create a named access list, you use the ip access-list extended name global configuration command. Issuing this command places you in named extended IP access list subcommand mode, which then allows you to enter the access list statements.

22
Q

Q22-Which IOS command will display all the configured access lists on a Cisco router?

A

To display all access lists, enter the show running-config or the show access-list command, as follows:
RouterA# show access-list
Standard IP access list 10
deny 192.168.0.0, wildcard bits 0.0.0.255
Extended IP access list 101
permit tcp any any eq www
permit udp any any eq domain
permit udp any eq domain any
permit icmp any any
deny tcp 192.168.10.0 0.0.0.255 any eq www
RouterA#

23
Q

Q23-What IOS command can you use to see whether an IP access list is applied to an interface?

A

To determine whether an IP access list is applied to an interface, enter the following command:
show ip interface interface-type interface-number
For example:
RouterA# show ip interface s0
Serial0 is up, line protocol is up
Internet address is 192.168.1.2/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is enabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is not set
Inbound access list is 10
Proxy ARP is enabled
Security level is default
Split horizon is enabled
–Text Omitted–