Ch9 Access Control Lists - Practical Flashcards
Standard ACL Number Ranges
1 to 99 and 1300 to 1999
Extended ACL Number Ranges
100 to 199 and 2000 to 2699
Calculating Wildcard Mask
Subtract specific network’s subnet mask from 255.255.255.255.
Command to Configure IPv4 Standard ACL
access-list access_list_number { deny | permit | remark } source_ip [source_wildcard] [log]
Command that displays lists/contents of access lists.
show access-list
Command to Attach ACL to an Interface
ip access-group {acl_number | acl_name} {in | out}
Configuring Numbered Standard IPv4 ACL (3)
- access-list acl_number {deny | permit | remark } source_ip [source_wildcard] [log] // repeat to create multiple entries, which are numbered automatically.
- interface interface_id
- ip access-group acl_number { in | out } // applies ACL to interface
Configuring Named Standard IPv4 ACL (5)
- ip access-list standard acl_name
- {deny | permit | remark } source_ip [source_wildcard] [log] // repeat to create entries.
- Exit ACL Config Mode
- interface interface_id
- ip access-group acl_name {in | out } // applies ACL to interface.
Editing ACLs with Text Editor (3)
- use show running-config | include access-list {acl_number | acl_name} to display lists.
- Copy acl section into text editor.
- Make changes to ACL and then paste back into router terminal.
Editing ACLs with Sequence Number (4)
- use show access-lists {acl_number | acl_name} to display the current ACEs within the designated ACL.
- use ip access-list {standard | extended } {acl_number | acl_name } to enter ACL config mode.
- Delete the old ACE by using no acl_sequence_number
- Edit by using: acl_sequence_number modified_ACE
ex: 10 deny host 192.168.10.10
3 Methods to Verify ACLs
- show access-lists [acl_name | acl_number]
- show ip interface interface_id
- show running-config | include access-list [acl_name | acl_number]
How to Determine if an ACL is Working Properly
show access-lists: displays the number of matches to permit or deny entries as the ACL is used.
Command used to clear the match counters in an access list.
clear access-list counters [acl_number | acl_name]
Using ACL to Control VTY Access
- line vty vty_range
- access-class acl_number {in [vrf-also] | out}
- exit
- access-list acl_number {permit | deny | remark } source_ip [source_wildcard] [log]
- access-list acl_number deny any
Logical Operators That Can Be Used in Extended ACLs (4)
- eq (equal)
- neq (not equal)
- gt (greater than)
- lt (less than)
Command used to display list of port numbers and keywords that can be used to build an ACL
access-list 101 permit tcp any any eq ?
Command Used to Configure Extended ACL
access-list [extended] acl_number { deny | permit | remark } {protocol_number | protocol_name} source_ip [source_wildcard] [operator operand] [port port_number_or_name] destination [destination_wildcard] [operator operand] [port port_number_or_name] [established]
2 Methods to Verify Extended ACLs
- show access-lists
- show ip interface interface_id
IPv6 Version of the access-group Command
ipv6 traffic-filter acl_name {in | out}
Command Used to Create IPv6 Access List
ipv6 access-list access_list_name
IPv6 ACE
{deny | permit | remark } ipv6 | ipv4 {source_ipv6_prefix/prefix_length | any | host source_ipv6_address} [operator [port_number]] {destination_ipv6_prefix/prefix_length | any | host destination_ipv6_address} [operator [port_number]]
Procedure to Apply IPv6 ACL to Interface
- interface interface_id
- ipv6 traffic-filter acl_name {in | out}
How Do You Apply ACLs to VTYs in IPv6?
access-class acl_name {in [vrf-also] | out}
3 Methods to Verify IPv6 ACLs
- show ipv6 interface interface_id
- show access-lists
- show running-config