Chapter 32 - Advanced IPv4 Access Control Lists

Question 1

What three fields are required to be input for an Extended ACL statement?

Answer 1

• Protocol Type in the Network header (describes the protocol of the layer 4 traffic encapsulated within)
  - Can also just enter ‘ip’ which covers all IPv4 packets.
  - ICMP also works even though it is layer 3
• Source IP
• Dest IP

Question 2

True or False. The syntax for matching single addresses in ACL statements is the same for Standard ACLs.

Answer 2

False. You must have the word ‘host’ before the address.

Question 3

True or False. Traffic must match all rules of an ACL in order to be caught by it.

Answer 3

True. It won’t catch traffic that has a partial match.

Question 4

What additions to an ACL command can be used to input specific port numbers?

Answer 4

• eq - Equals port number
• Lt - Less than port number
• neq - Not equal to port number
• gt - Greater than port number
• range - Port number x to y

Question 5

True or False. Extended ACLs should be placed as close to the source as possible.

Answer 5

True. This is to stop the traffic having to be processed unnecessarily as it will be stopped before having to traverse the whole network to the destination like standard ACLs.

Question 6

Rules of thumb for Extended ACLs

Answer 6

• Place them as close to the source of the traffic as not to use up unnecessary resources by allowing traffic to be processed by the whole network.
• All fields in an ACE have to match traffic to take effect on it. Partial matches won’t occur.
• Use numbers 100-199 or 2600-2699 inclusive.
• Place more specific statements early in the ACL.
• Disable an ACL from the interface it is on using ‘no ip access-group’ before making changes to it. Then reenable once done.