12 - IP ACLs

Question 1

How many bytes in a UDP header?

Answer 1

8

Question 2

How many bytes in a TCP header?

Answer 2

20

Question 3

What port does DNS use?

Answer 3

Port 53

Question 4

What IP ACLs only match on the Source IP?

Answer 4

Standard ACLs

Question 5

What two points in a device are ACLs applied?

Answer 5

Either entering or exiting interface

Question 6

What is the range for Standard numbered ACLs?

Answer 6

1 - 99

Question 7

What is the range for Extended numbered ACLs?

Answer 7

100 - 199

Question 8

What is the range for both Standard and Extended ‘Additional’ ACLs?

Answer 8

Standard: 1300-1999
Extended: 2000-2699

Question 9

What is the difference between Numbered and Named ACLs with respect to configuration commands?

Answer 9

Numbered ACLs can be configured with Global commands

Named ACLs are configured with sub-commands

Question 10

What statement is implicitly at the end of all ACLs?

Answer 10

Deny all

Question 11

How would you configure a standard IP access list to allow a given subnet?

Answer 11

access-list 99 permit 10.1.1.0 0.0.0.255

Question 12

How would you match any and all packets with an ACL command?

Answer 12

access-list 1 permit any

access-list 1 deny any

Question 13

Why would you want to configure an explicit deny any rule?

Answer 13

So that you can see the counter for how many packets are matched by it, which is not possible using the implicit deny any rule

Question 14

Where should standard ACLs be placed and why?

Answer 14

As close to the destination as possible so that they don’t unintentionally discard packets that shouldn’t be discarded

Question 15

What command is used to actually enable the ACL on a chosen interface?

Answer 15

Interface subcommand:

ip access-group 99 in | out

Question 16

How can you show a list of IPv4 ACLs?

Answer 16

show ip access-lists

Question 17

How can you see ACLs active on a given interface?

Answer 17

show ip interface g0/0

Question 18

What is the difference between the commands:
show ip access-lists
and
show access-lists

Answer 18

The show access-lists command also lists other types of ACLs such as IPv6 etc

Question 19

True/False: Packets created by the router itself are filtered by ACLs

Answer 19

False.

A router does not filter packets it created itself with an Outbound ACL. E.g. routing protocol messages, ping packets, etc

Question 20

How do you enable log messages for ACL statistics?

Answer 20

Append the log directive to the end of ACL rule commands

access-list 2 permit 10.1.1.1 log

Question 21

What are the 3 ‘matching’ parameters that extended ACL access-list commands require?

Answer 21

• Protocol Type
• Source IP
• Destination IP

Question 22

What is a key difference between standard and extended ACLs when matching a specific IP address?

Answer 22

Extended ACLs require you to use the ‘host’ keyword

Question 23

How do you use extended ACL access-list command only specifying the minimum required matching parameters?

Answer 23

access-list 101 permit tcp any 10.1.1.0 0.0.0.255

access-list 101 permit ip any any

Question 24

What are all the possible port matching modifiers for extended ACLs?

Answer 24

eq
ne
lt
gt
range

Question 25

How would you make an extended ACL entry using ports specified as well?

Answer 25

access-list 101 permit ip any eq 443 host 10.1.1.1

Question 26

With respects to network layout and design, where should you place extended ACLs?

Answer 26

As close as possible to the source of packets that are to be filtered. This saves bandwidth.

Question 27

What is the difference between standard and extended ACLs with respect to placement location in the network?

Answer 27

Standard ACLs should be as close to the destination as possible to avoid discarding packets they’re not intended to.

Extended ACLs should be placed as close to the source as possible, which saves bandwidth

Question 28

How do you add a comment to a ACL?

Answer 28

access-list 101 remark Deny traffic from Server A to DNS servers

Question 29

What port range is considered dynamic ports?

Answer 29

49152 - 65535

Question 30

How do you make a named ACL?

Answer 30

ip access-list {standard | extended} MyACLName

Question 31

How can you remove lines from a named ACL without sequence numbers?

Answer 31

no deny ip 10.1.2.0 0.0.0.255 host 10.2.3.1

Question 32

True/False: IOS adds sequence number to commands as you configure them, even if you do not include the sequence numbers

Answer 32

True

Question 33

How do you add or remove ACL commands using sequence numbers?

Answer 33

ACL Subcommands

no 20
5 deny 10.1.1.1

Question 34

What should you do before making changes to an ACL?

Answer 34

Disable an ACL from its interface

Question 35

How do you disable an ACL from it’s interface?

Answer 35

Interface sub-command

no ip access-group 10