Day 10 - ACL Concepts

Question 1

An ACL is a router __________ __________ (that is, it’s a list of ___________)

Answer 1

Configuration Script
Statements

Question 2

ACLs control whether a router permits or denies packets to pass, based on criteria in the what?

Answer 2

Packet header

Question 3

To determine whether a packet is permitted or denied, it is tested against the ACL statement in what order?

Answer 3

Sequential order

Question 4

When an ACL statement matches, do any other statements get evaluated?

Answer 4

No

Question 5

What is at the bottom of every ACL?

Answer 5

An implicit deny any statement

Question 6

If a packet doesn’t match any of the statements in the ACL, what happens to it?

Answer 6

It’s dropped

Question 7

ACLs use what kind of logic?

Answer 7

First match logic

Question 8

If a packet matches one line in the ACL, the router takes the action listed in that line of the ACL and does what with the rest of the ACL statements?

Answer 8

Ignores them

Question 9

What two types of ACLs are there?

Answer 9

Standard IPv4 ACLs
Extended IPv4 and Extended IPv6 ACLs

Question 10

What two methods are there to identify both standard and extended ACLs?

Answer 10

Numbered IPv4 ACLs
Named IPv4 and Named IPv6 ACLs

Question 11

What is the difference between standard ACLs and Extended ACLs?

Answer 11

Standard ACLs filter traffic based on source address only

Extended ACLs filter traffic based on source and destination address, specific protocols and source and destination TCP and UDP ports

Question 12

What do numbered ACLs use to identify themselves?

Answer 12

They use a number for identification

Question 13

What do named ACLs use to identify themselves?

Answer 13

They use a descriptive name or number for identification

Question 14

Standard numbered and standard named ACLs only look for matching what?

Answer 14

Source addresses

Question 15

Extended numbered and extended named ACLs look for matching what?

Answer 15

Source and Dest IP
Source and Dest Port

Question 16

What is the number range for standard IP ACLs?

Answer 16

1-99

Question 17

What is the number range for Extended IP ACLs?

Answer 17

100-199

Question 18

What is the number range for expanded standard IP ACLs?

Answer 18

1300-1999

Question 19

In addition to using more memorable names, using named ACLs instead of numbered ACLs enable to you __________ individual statements in a named IP access list

Answer 19

delete

Question 19

What is the number range for expanded extended IP ACLs?

Answer 19

2000-2699

Question 20

What version of IOS Software release did IP access list entry sequence numbering get introduced with?

Answer 20

12.3

Question 21

How many ACLs are allowed per protocol, per direction, and per interface

Answer 21

1

Question 22

How should you organize the ACL statements?

Answer 22

Top down with more specific references appearing before more general ones

Question 23

You should always create the ACL before __________ it to an interface

Answer 23

Applying

Question 24

You typically should place extended ACLs as close to what?

Answer 24

The source traffic that you want to deny

Question 25

What does a wildcard mask of 0.0.0.0 mean?

Answer 25

It means the subnet mask is 255.255.255.255 and that the IP address before the mask is the only IP being targeted.

Question 26

Does an Extended ACL have a default wildcard mask?

Answer 26

No, you have to specify a wildcard mask with an extended ACL

Question 27

What is this Extended ACL doing? *R1(config)#access-list 100 permit tcp 10.10.10.0 0.0.0.255 gt 49151 10.10.50.10 0.0.0.0 eq telnet*

Answer 27

It's an extended ACL that will permit telnet TCP traffic from the subnet of 10.10.10.0/24 with a source port greater than 49151 going to a destination address of 10.10.50.10

Question 28

**Write an Access Control Entry for this scenario:** Access List number of 100 that permits telnet TCP traffic from the subnet of 10.10.10.0/24 with a source port greater than 49151 going to a destination address of 10.10.50.10

Answer 28

*access-list 100 permit tcp 10.10.10.0 0.0.0.255 gt 49151 10.10.50.10 0.0.0.0 eq telnet*

Question 29

What does *access-list 100 deny ip 10.10.10.0 0.0.0.255 10.10.50.0 0.0.0.255* represent?

Answer 29

This is denying ALL traffic from the source subnet of 10.10.10.0/24 to the destination network of 10.10.50.0/24

Question 30

What is this ACE telling us: *access-list 100 deny tcp host 10.10.10.10 10.10.20.0 0.0.0.255 eq www log*

Answer 30

It's an extended Access Control Entry with a number of 100 Deny TCP traffic from 10.10.10.10 that is going TO the destination network of 10.10.20.0/24 with a destination port of 80(www) and we want log it to the console or an external monitoring service

Question 31

If you've created your ACL with the Access Control Entries, what do you need to do to actually get them to work?

Answer 31

You need to enable it on the interface or VLAN with the access-group command

Question 32

What increments are ACLs numbered in?

Answer 32

10

Question 33

**True or False:** All traffic is denied except what is explicitly allowed due to the implied deny any any rule at the bottom the of ALL ACLs

Answer 33

True

Question 34

If you want to reverse the implicit deny any any rule so that ALL traffic is permitted except what is explicitly denied, how would you achieve this?

Answer 34

Add a permit any rule at the bottom of your entries

Question 35

Which would have precedence? An explicit permit any rule at the bottom of an ACL or an implicit deny any any at the bottom of the ACL?

Answer 35

The permit any rule would take precedence because it would be above the deny any any rule implicitly at the bottom