Chapter 31 - Basic IPv4 Access Control Lists

Question 1

What are ACLs used for?

Answer 1

• To match traffic based various headers and perform an action on them.
• Some of those actions can be for:
  - Allowing and blocking certain traffic
  - Performing QoS
  - Performing NAT

Question 2

True or False. ACLs are enabled per interface.

Answer 2

• True. However, they are initially created in global config.
• It must be enabled for the direction that the specified traffic will flow through the interface.

Question 3

What are the different types of ACLs and their numbers where required?

Answer 3

• Standard Numbered ACLs - 1-99
• Extended Numbered ACLs - 100-199
• Additional Standard Numbered ACLs - 1300-1999
• Additional Extended Numbered ACLs - 2000-2699
• Named ACLs

Question 4

Features of Standard Numbered ACLs

Answer 4

• Matching Source IP
• ID with Number
• Created from Global Commands (Can also be created from subcommands)

Question 5

Features of Standard Named ACLs

Answer 5

• Matching Source IP
• ID with Name
• Created from Subcommands
• Can manually set the order of entries by entering the order number of the entry before the statement in Standard Named ACL config mode
• Allows ACL editing so that individual lines can be deleted

Question 6

Features of Extended Numbered ACLs

Answer 6

• Matching Source and Dest IP
• Matching Source and Dest Port
• ID with Number
• Created from Global Commands (Can also be created from subcommands)

Question 7

Features of Extended Named ACLs

Answer 7

• Matching Source and Dest IP
• Matching Source and Dest Port
• ID with Name
• Created from Subcommands
• Allows ACL editing so that individual lines can be deleted

Question 8

In an ACL, how does the router decide which rule to match a packet against?

Answer 8

• Uses first-match logic
• As soon as a packet matches one line of the ACL, the relevant action in that line is taken on that packet and the router stops looking through the ACL for that packet

Question 9

What happens to a packet that matches no statements of an ACL?

Answer 9

• It is discarded
• Once the router reaches the end of an ACL when checking a packet, there is an implied ‘deny all’ rule that matches any packets that have not already been matched.

Question 10

What is the name for a statement in an ACL?

Answer 10

ACE (Access Control Entry)

Question 11

How do you match just a single IP address in an ACL statement?

Answer 11

• Simply entering ‘access-list <number> <permit/deny> <ip>'</ip></number>
• Entering ‘access-list <number> <permit/deny> host <ip>' in older versions of IOS</ip></number>

Question 12

What can you use to match multiple addresses in a given subnet in an ACL?

Answer 12

Wildcard masks

Question 13

What keyword can you use in place of an IP address to match all traffic against an ACL statement?

Answer 13

• ‘any’
• ‘access-list <number> <permit/deny> any</number>

Question 14

How do you enable an ACL on an interface?

Answer 14

In interface config mode, use ‘ip access-group <ACL> <direction></direction></ACL>

Question 15

Rules of thumb for ACLs

Answer 15

• Standard ACLs should be placed as close to the destination as possible so as to not match traffic that you don’t mean to. However, Extended ACLs should be placed as close to the source as possible to avoid using as much bandwidth.
• For standard ACLs, the traffic is matched against the source address. Because of this it needs to be enabled on the interface in the direction the traffic is flowing in.
• ACL statements are matched sequentially so need to be placed in the correct order.
• Place more specific statements early in the ACL.
• Disable an ACL from the interface it is on using ‘no ip access-group’ before making changes to it. Then reenable once done.

Question 16

How can you see information about IPv4 specific ACLs?

Answer 16

• Use the ‘show ip access-lists’ command
• The ‘show access-lists’ command will show all other lists (e.g. IPv6)

Question 17

How could you make a note about what an ACL statement does?

Answer 17

Use the ‘access-list <number> remark <remark>' command</remark></number>

Question 18

True or False. ACL statements apply to traffic generated by the router.

Answer 18

False.

Question 19

How can you see specifically what traffic is being caught by an ACL?

Answer 19

Use the ‘access-list <number> log' command</number>

Question 20

True or False. Wildcard masks used in ACLs can interleave 1s and 0s (0.255.255.0)

Answer 20

True unlike wildcard masks used for things such as OSPF.

Question 21

True or False. You can’t have multiple ACLs applied to a single interface in a single direction.

Answer 21

True. You can have one ACL for outbound and one ACL for inbound.

Question 22

What command do you use to configure a Standard Named ACL?

Answer 22

‘ip access-list standard <name>'</name>

This will put you into the config mode for this named ACL where you add the ACEs.

Question 23

How do you delete particular ACEs from ACLs?

Answer 23

• Enter IP ACL config mode for the ACL you wish to edit
• Enter ‘no’ and then the rest of the line you want to delete
  OR
• For numbered ACLs use the ‘no <sequence>' command</sequence>

Question 24

What extra functionality did IP ACL sequence numbers bring in?

Answer 24

• New configuration style for numbered ACLs - Allows numbered ACLs to be edited in a similar way to named ACLs such as:
  - Deleting single lines
  - Inserting new lnes by adding a sequence number at the beginning of a new ACE

Question 25

True or False. 'show running-config' lists ACEs with sequence numbers next to them.

Answer 25

False. However 'show access-lists' and 'show access-lists' do.

Question 26

What is ACL resequencing?

Answer 26

- Allows you to change the sequencing order of all current ACEs in an ACL. - Done using the 'ip access-list resequence - For example 'ip access-list resequence 1 20 20' would change all entries in ACL 1 so that they start at sequence number 20 and then increase by 20 for each next ACE.

Question 27

What are examples of IP Protocol field numbers that can be included when setting up ACL statements?

Answer 27

- 1 - ICMP - 6 - TCP - 17 - UDP - 88 - EIGRP - 89 - OSPF