5.6 Access Control Lists Flashcards

Configure and verify access control lists. (51 cards)

1
Q

Define:

Access Control List (ACL)

A

A set of rules to filter network traffic.

ACLs control traffic flow based on criteria such as IP address, protocol type, or port numbers. They can be used to permit or deny traffic entering or leaving a network or device.

2
Q

What are the types of Access Control Lists (ACLs)?

A
  • Standard
  • Extended

Standard ACLs filter traffic based only on the source IP address.

Extended ACLs can filter traffic based on both source and destination IP addresses, as well as other parameters like protocol types and port numbers.

3
Q

What are the two main ACL actions?

A
  1. Deny
  2. Permit

Deny: Blocks packets based on the ACL rules.

Permit: Allows packets to pass if they match the ACL rules.

4
Q

Define:

Standard Numbered ACL

A

ACL filtering based on source IP address, using numbers 1-99.

Standard ACLs are basic filters and cannot inspect destination IPs, limiting their functionality compared to extended ACLs.

5
Q

Where can an ACL be implemented in a network with two routers?

A

On any interface in the packet’s flow direction.

ACLs can be applied to any interface handling the packet as it moves in the direction of its flow, encompassing both inbound and outbound interfaces.

6
Q

List the ACL commands that would allow packets from the IP address 192.168.2.5.

A
  1. access-list 1 permit any
  2. access-list 1 permit 192.168.2.5
  3. access-list 1 permit 192.168.2.0 0.0.0.255

These commands enable the acceptance of packets from the specified host IP or any address within the defined network.

7
Q

Which command is used to display the details of configured access lists?

A

show access-lists

The command ‘show access-lists’ retrieves and displays the configuration details of access lists, including their rules and parameters.

8
Q

What happens if a packet doesn’t match any ACL rule?

A

The packet is discarded due to implicit deny

If no ACL rule matches a packet, it is dropped by default due to the implicit deny at the end of the ACL.

9
Q

What command allows all packets on an interface using an ACL?

A

access-list 1 permit any

This command effectively creates a rule in a standard numbered access list that permits all incoming packets on the specified interface.

10
Q

What is the primary function of IPv4 access control lists (ACL)?

A

To filter traffic based on defined rules.

ACLs allow network administrators to specify which packets are allowed or denied, enhancing network security and traffic control.

11
Q

What type of IP ACL uses simple logic matching only on the source IP address?

A

Standard numbered IP ACLs.

Standard ACLs can only match the source IP and are simpler compared to extended ACLs, which can inspect more packet parameters.

12
Q

At which points can ACLs be applied in a router?

A

Inbound or outbound interfaces.

ACLs can be configured to control traffic at either the entry or exit points of a router interface.

13
Q

Fill in the blanks:

The range of valid numbers for standard numbered IP ACLs is ______ to ______.

A

1,99

Standard ACLs are identified by numbers 1-99, which are used to match traffic based on the source IP address.

14
Q

Which wildcard mask is most useful for matching all IP packets in subnet 10.1.128.0 with mask 255.255.255.0?

A

0.0.0.255.

The wildcard mask 0.0.0.255 allows the router to match any IP address within the 10.1.128.0 subnet.

15
Q

Fill in the blank:

A standard numbered IP ACL matches only the source ______ ______ of the packet.

A

IP address

Standard ACLs match packets solely based on the source IP address, limiting their filtering capabilities compared to extended ACLs.

16
Q

How does a router process packets with an ACL enabled?

A

It compares each packet against the ACL rules.

ACLs are checked in sequence; the first match found determines whether the packet is allowed or denied.

17
Q

What are the two types of IP ACLs based on naming conventions?

A
  1. Numbered
  2. Named

Numbered ACLs (identified by numbers 1-99 or 1300-1999)

Named ACLs (identified by a custom name).

18
Q

True or False:

Extended IP ACLs can match both source and destination IP addresses.

A

True

Extended ACLs provide more filtering power by allowing both source and destination IP addresses to be evaluated.

19
Q

Fill in the blank:

The implied action at the end of an ACL if no match is found is ______ ______.

A

Implied deny

ACLs include an implicit deny rule at the end, meaning any unmatched packets are automatically discarded.

20
Q

Which command matches packets sent from hosts in subnet 172.16.4.0/23?

A

access-list 1 permit 172.16.4.0 0.0.1.255.

This command matches packets within the 172.16.4.0/23 subnet using the wildcard mask 0.0.1.255.

21
Q

What logic do ACLs use for packet processing?

A

First-match logic

ACLs evaluate packets line by line and stop processing once a match is found, taking the action defined in the matching rule.

22
Q

What is the command syntax for standard numbered IP ACLs?

A

access-list {1-99 | 1300-1999} {permit | deny} matching-parameters

This command syntax defines the range of numbers for standard ACLs (1-99 or 1300-1999), followed by the action (permit or deny) and the matching parameters.

23
Q

How do you match a specific source IP address in an ACL?

A

By using the command ‘access-list 1 permit [specific IP address]’.

This command allows traffic from a specific source IP address by matching it in the ACL.

24
Q

What is a wildcard mask in the context of ACLs?

A

It tells IOS to ignore parts of the address when making comparisons.

A wildcard mask allows partial matching by instructing IOS which parts of the IP address should be ignored during comparison.

25
Q

What does a wildcard mask of 255 indicate?

A

The router ignores this octet.

A wildcard mask of 255 in any octet indicates that the corresponding part of the IP address will always match, without any filtering.

26
Q

What is the shortcut to match all hosts in a subnet with an ACL?

A

Use the subnet number and wildcard mask.

To calculate the wildcard mask, subtract the subnet mask from 255.255.255.255. This method simplifies applying ACLs to entire subnets by deriving the wildcard mask directly from the subnet and its mask.

27
Q

How do you match any and all packets in an ACL command?

A

Use the "any" keyword, e.g., access-list 1 permit any.

The "any" keyword matches all packets, disregarding their source or destination.

28
Q

What is the purpose of the access-list command's loosely defined source parameter?

A

To set a 0 in octets where the wildcard mask is 255.

The loosely defined source parameter specifies the address range to match by using wildcard masks and zeros.

29
Q

Fill in the blank:

The implicit default action of an ACL if no matches are found is ______ the packet.

A

Deny (discard)

The implicit deny at the end of every ACL results in discarding unmatched packets.

30
Q

What command allows you to override the default deny behavior at the end of an ACL?

A

Configure a permit any at the end of the ACL.

By explicitly adding "permit any," you override the default implicit deny, allowing all traffic that doesn't match previous rules.

31
Q

What is the purpose of explicitly configuring a deny any command in an ACL?

A

To see counters for how many packets are matched by the deny any logic.

Explicitly denying traffic lets you monitor the number of packets that are blocked, providing insight into traffic flow.

32
Q

What is the generic syntax for the access-list command?

A

access-list access-list-number {deny | permit} source [source-wildcard]

This syntax defines an ACL rule that specifies the list number, the action (permit or deny), and the source IP address or subnet to match.

33
Q

Where should standard ACLs be placed to avoid unintentional packet discard?

A

Near the destination of the packets.

Placing standard ACLs close to the destination ensures that only necessary traffic is filtered, minimizing the risk of blocking important packets.

34
Q

What direction should you consider when configuring an ACL?

A

The direction (in or out) on the interface.

The direction (inbound or outbound) determines whether the ACL applies to incoming or outgoing packets on the interface.

35
Q

What logic does the ACL list use when searching for matches?

A

First-match logic

ACLs process packets by evaluating each rule in order, stopping as soon as a match is found and taking the corresponding action.

36
Q

What command is used to enable the ACL on a router interface?

A

ip access-group number {in | out}

The ip access-group command binds an ACL to an interface, applying it to incoming or outgoing traffic.

37
Q

What command shows the details about IPv4 ACLs?

A

show ip access-lists

This command displays the configured IPv4 ACLs, including their rules, numbers, and match statistics.

38
Q

In standard ACLs, what cannot be checked?

A

The destination IP address.

Standard ACLs only evaluate the source IP address, so they cannot filter packets based on the destination.

39
Q

What keyword can be added to an ACL command to generate log messages?

A

log

Adding the "log" keyword to an ACL rule causes the router to log packets that match that rule, providing valuable debugging information.

40
Q

What should you verify when troubleshooting an ACL?

A

The interface and direction of packet flow.

It's important to check the interface on which the ACL is applied and whether it's filtering inbound or outbound traffic.

41
Q

What is the consequence of enabling an ACL on the wrong interface?

A

The ACL will never match the intended packets.

If an ACL is applied to the wrong interface, it will not filter the correct traffic, and the ACL will be ineffective in controlling packet flow.

42
Q

What is the effect of placing ACL 1 as an inbound ACL on R2's S0/0/1 interface?

A

Packets sent by host 10.1.1.1 can enter R2's S0/0/1 interface.

If ACL 1 is applied inbound on the S0/0/1 interface, it allows packets from the source IP 10.1.1.1 to enter R2 through that interface.

43
Q

Why will ACL 1 not match packets on R2's F0/0 interface?

A

Packets sent by host 10.1.1.1 will never enter the F0/0 interface.

If ACL 1 is not applied to the F0/0 interface, traffic from host 10.1.1.1 will not be filtered there; the ACL is only relevant on the interfaces where it is applied.

44
Q

What is the command to permit packets from the address 10.1.1.1?

A

access-list 1 permit 10.1.1.1

This command creates an ACL rule that allows packets originating from IP address 10.1.1.1.

45
Q

What wildcard mask is used to match any address?

A

0.0.0.0

A wildcard mask of 0.0.0.0 means that the corresponding octet in the IP address must match exactly, allowing no flexibility in the comparison.

46
Q

How do you match a subnet using an access-list command?

A

Use the subnet ID and calculate the wildcard mask.

Subnet matching involves subtracting the subnet mask from 255.255.255.255 to generate the appropriate wildcard mask.

47
Q

What is the low end of the address range for the command 'access-list 1 permit 172.16.200.0 0.0.7.255'?

A

172.16.200.0

The low end is the subnet address itself (172.16.200.0), which starts the address range for this ACL rule.

48
Q

What is the high end of the address range for the command 'access-list 1 permit 172.16.200.0 0.0.7.255'?

A

172.16.207.255

The high end is calculated by adding the wildcard mask to the subnet address, yielding the upper boundary of the range (172.16.207.255).

49
Q

What happens if the last octets of an address do not end with 0 when using a wildcard mask of 0.0.255.255?

A

IOS adjusts the last two octets to 0.

When using a wildcard mask of 0.0.255.255, IOS normalizes the address by setting the last two octets to zero, ensuring proper matching.

50
Q

What is the command to permit packets from subnet 10.1.200.0/21?

A

access-list 1 permit 10.1.200.0 0.0.7.255

This command matches all packets from the 10.1.200.0/21 subnet using the corresponding wildcard mask of 0.0.7.255.

51
Q

How can you determine the range of IP addresses matched by an ACL?

A

Add the wildcard mask to the base address.

The range starts at the ACL's base address and ends at the base address plus the wildcard mask, giving the full set of matched IP addresses.