Chapter 11 - Access Control Lists Flashcards Preview

Cisco CCNA Security (640-554) > Chapter 11 - Access Control Lists > Flashcards

Flashcards in Chapter 11 - Access Control Lists Deck (13):
1

What do standard access lists filter on?

Source address only!

2

What is the number range for standard ACLs?

1-99

1300-1999

3

What is the number range for extended ACLs?

100-199

2000-2699

4

When you add a new line to an access list, where is it placed by default?

At the very bottom of the list (before the implicit deny)

5

When using a wildcard mask, which part of the subnet would be looked at if it was 0.0.0.255?

The last octet can be anything. Only the first 3 are looked at for matches.

ie: 172.25.1.XXX

 

6

What are the two main types of object groups?

Service Object Groups - identify devices by IP address, network, host, or range of hosts.

Network Object Groups - TCP or UDP and ports defined (or a collection of ports)

7

What command would you use to see all the lines of an access-list and check if there are any matches / hits?

#show access-lists

or use the name or number of the ACL

#show access-list outside

8

What command would you use to check to see if an interface has an ACL applied to it?

show ip interface

9

How do you clear the counters (match counts) on an access list?

clear ip access-list counters

10

When you apply an IPv6 ACL on an interface, what kind of traffic is implicitly permitted (even though there is a default implicit deny at the end of the ACL)?

Neighbor Solicitation (NS) packets

Neighbor Advertisement (NA) packets

11

What keyword is different in IPv6 ACLs when applying a list to an interface?

traffic-filter

for example:

(config-if)#ipv6 traffic-filter LIST_NAME in

12

What command allows you to view an IPv6 access-list (all of its lines, match counts, etc.)?

# show ipv6 access-list

(remember just add the "ipv6")

13

How do you check to see if an interface has an IPv6 ACL applied?

# show ipv6 interface g0/3

(g0/3 can be any interface name)