Volume 2 - Chapter 7: Named and Extended IP ACLs Flashcards
What is the command to configure a named access-list?
ip access-list {standard | extended} name
What are the 3 rules for naming an access-list?
A named ACL can be created with a name that matches the following:
* Name must begin with an alphabetic character
* Name cannot use spaces or quotations
* Names are case sensitive
What are the 2 ways that an ACE entry can be removed from a named ACL?
By entering “no”, followed by the entire ACE entry:
* no deny 10.1.2.0 0.0.0.255
By entering “no”, followed by the ACE (sequence) number:
* no 20
What commands are required to modify an ACL with the name “Eric” and insert a new ACE into sequence 40 to deny the entire 192.168.192.0/24 subnet?
ip access-list extended Eric
40 deny ip 192.168.192.0 0.0.0.255 any
What are the steps required to remove an ACE entry from a numbered ACL with a sequence of 25?
- Run the command “show access-lists number”
- Find the sequence number that was automatically created by IOS
- Enter the ACL configuration mode “ip access-list standard number”
- Delete the ACE “no sequence-number”
What are the minimum required fields for an extended ACE?
permit/deny protocol sourceIP destinationIP
For example:
permit tcp 192.168.1.0 0.0.0.255 any
Describe how extended ACLs differ from standard ACLs when matching a single IP address?
Extended ACLs must use one of the following:
* permit ip address 0.0.0.0
* permit ip host address
Standard ACLs support the methods above, but also support just listing the single address without the host or wildcard:
* permit address
What are the options available for matching an application port in an extended ACL?
eq (equals)
ne (not equals)
lt (less than)
gt (greater than)
range (a range of values)
When creating an extended ACL, what is the command to identify FTP data as the application port to match?
eq ftp-data
Port 20/TCP
When creating an extended ACL, what is the command to identify FTP control as the application port to match?
eq ftp
Port 21/TCP
When creating an extended ACL, what is the command to identify telnet as the application port to match?
eq telnet
Port 23/TCP
When creating an extended ACL, what is the command to identify DNS as the application port to match?
eq domain
Port 53/UDP
When creating an extended ACL, what is the command to identify a DHCP server as the application port to match?
eq bootps
Port 67/UDP
When creating an extended ACL, what is the command to identify a DHCP client as the application port to match?
eq bootpc
Port 68/UDP
When creating an extended ACL, what is the command to identify TFTP as the application port to match?
eq tftp
Port 69/UDP
When creating an extended ACL, what is the command to identify SNMP as the application port to match?
eq snmp
Port 161/UDP
When creating an extended ACL, what is the command to identify SMTP as the application port to match?
eq smtp
Port 25/TCP
When creating an extended ACL, what is the command to identify HTTP as the application port to match?
eq www
Port 80/TCP
When creating an extended ACL, what is the command to identify HTTPS as the application port to match?
There is no keyword in IOS currently that supports this. In order to match HTTPS you would have to configure TCP and port 443 manually. For example:
permit tcp any 192.168.0.0 0.0.255.255 eq 443
When creating an extended ACL, what is the command to identify POP3 as the application port to match?
eq pop3
Port 110/TCP
A network engineer enters the following command into the router:
permit tcp any any eq 80
What will be displayed when the engineer prints the current running configuration using “show run”?
Since port 80/TCP has a keyword, it will be automatically corrected to the following:
permit tcp any any eq www
What option can be configured at the end of an extended ACE to add a log entry when it is matched by a packet?
log
For example:
access-list 150 deny ip any any log
In order to match a source or destination port in an extended ACL, what options must be configured for the transport protocol?
Either TCP or UDP, for example:
permit tcp any any eq www
permit udp any any eq domain
permit ip any any eq smtp (this will not work)
In terms of ACL placement within the network, where are ACLs recommended to be configured?
Extended ACLs should be as close to the source as possible to conserve bandwidth
Standard ACLs should be configured towards the edge of the network to avoid matching too many packets, which would cause a lot of traffic to be dropped or permitted.