Module 14 - Access control lists Flashcards

(129 cards)

Q: Which tool uses a sequential list of permit or deny commands to filter packets based on header information?
A: ACL (Access control list)

Q: Which router function uses ACL statements to allow or block packets as they pass through an interface?
A: Packet filtering

Q: What are the individual permit or deny instructions within an ACL called? (2 terms)
A: ACEs (Access control entries) or ACL elements

Q: Which ACL use case restricts routing updates to known sources?
A: Traffic flow control

Q: Which process occurs when a router checks packet header information against ACEs in order?
A: Sequential packet filtering against the ACL

Q: At which OSI layers can packet filtering occur?
A: Layer 3 (Network layer) and Layer 4 (Transport layer)

Q: What is referred to by the term OSI model?
A: The OSI (Open Systems Interconnection) model

Q: What command is used to create a named ACL in global configuration mode?
A: ip access-list

Q: Which type of ACL filters only at Layer 3 (network layer) using the source IPv4 address?
A: A Standard ACL

Q: Which type of ACL filters at Layer 3 (network layer) and Layer 4 (transport layer) using source/destination IP addresses and ports?
A: An Extended ACL

Q: Which ACL number ranges represent extended ACLs?
A: Extended ACL numbers range from 100-199 and 2000-2699

Q: Which ACL number ranges represent standard ACLs?
A: Standard ACL numbers range from 1-99 and 1300-1999

Q: Which ACL configuration method allows descriptive names to be assigned for clarity and purpose?
A: Named ACLs

Q: Which ACL type filters packets after they are routed and is best when multiple sources share an outbound path?
A: Outbound ACLs

Q: Do ACLs act on packets generated by the router itself?
A: No

Q: Which ACL type filters packets before they are routed, improving efficiency by avoiding unnecessary routing?
A: Inbound ACLs

Q: What happens when a packet matches an ACE in an ACL?
A: The router executes the ACE (Access control entry) action, permitting or denying the packet, and stops processing any further ACEs

Q: What happens if no ACE matches a packet in an ACL?
A: The packet will be dropped due to the implicit deny

Q: What is the first step a router takes when processing a packet through an inbound standard IPv4 ACL?
A: It extracts the source IPv4 address from the packet header

Q: Which 32-bit value is used in IPv4 ACEs to define which address bits to examine for a match?
A: A Wildcard mask

Q: Which ACL direction is most efficient for filtering traffic from a single source network?
A: Inbound ACL

Q: What is the rule called that drops packets when no ACE matches and is always present, even if hidden?
A: Implicit deny

Q: Which routing protocol also uses wildcard masks in its operation?
A: OSPF (Open Shortest Path First)

Q: How does a binary 0 behave in a wildcard mask?
A: Binary 0 = match/yes

Q: Which wildcard mask would match all bits of an IPv4 address?
A: 0.0.0.0

Q: Which wildcard mask is used to match a single specific host IP address in an ACE?
A: 0.0.0.0

Q: Which ACE would permit only the host 192.168.1.1 using a wildcard mask?
A: access-list 10 permit 192.168.1.1 0.0.0.0

Q: Which ACE permits all hosts in the 192.168.1.0/24 subnet?
A: access-list 10 permit 192.168.1.0 0.0.0.255

Q: Which shortcut method is used to calculate a wildcard mask from a subnet mask?
A: Subtracting the subnet mask from 255.255.255.255

Q: Which wildcard mask allows traffic from the subnet range 192.168.16.0/24 to 192.168.31.0/24?
A: 0.0.15.255

Q: Which wildcard mask would be used to match the 192.168.3.0/24 network?
A: 0.0.0.255

Q: What is the correct ACE to permit all users in the 192.168.3.0/24 network?
A: access-list 10 permit 192.168.3.0 0.0.0.255

Q: What is the wildcard mask for the 192.168.3.32/28 subnet?
A: 0.0.0.15

Q: Which wildcard mask permits the range 192.168.16.0/24 to 192.168.31.0/24?
A: 0.0.15.255

Q: Which two Cisco IOS keywords are used to simplify ACL wildcard mask entries?
A: host and any

Q: What does the keyword host substitute for in a wildcard mask?
A: It substitutes for 0.0.0.0 and matches a specific host IP address

Q: What does the keyword any substitute for in a wildcard mask?
A: It substitutes for 255.255.255.255 and matches any IP address

Q: What is the wildcard mask equivalent of the command access-list 10 permit host 192.168.10.10?
A: access-list 10 permit 192.168.10.10 0.0.0.0

Q: What is the wildcard mask equivalent of the command access-list 11 permit any?
A: 0.0.0.0 255.255.255.255

Q: Which keyword allows an ACL to match exactly one IPv4 address?
A: host

Q: Which keyword allows an ACL to match all possible IPv4 addresses?
A: any

Q: Which wildcard mask would permit all hosts from the 10.10.0.0/16 network?
A: 0.0.255.255

Q: Which command is used to remove a numbered standard IPv4 ACL from global configuration?
A: no access-list (access list number)

Q: Create a standard ACL that denies access to the host 192.168.1.100, using ACL number 20.
A: access-list 20 deny 192.168.1.100

Q: Permit traffic from the entire 192.168.0.0/16 network using ACL number 35.
A: access-list 35 permit 192.168.0.0 0.0.255.255

Q: Add a remark to ACL 40 that says "Block guest subnet".
A: access-list 40 remark Block guest subnet

Q: Allow any traffic from any source in ACL 50.
A: access-list 50 permit any

Q: Log any denied traffic from 10.10.10.0/24 using ACL number 60.
A: access-list 60 deny 10.10.10.0 0.0.0.255 log

Q: Delete an entire ACL numbered 99.
A: no access-list 99

Q: Use the host keyword to deny only the IP address 172.16.5.5 in ACL 77.
A: access-list 77 deny host 172.16.5.5

Q: Permit a single IP 192.0.2.200 using the default behavior (no wildcard mask) in ACL 80.
A: access-list 80 permit 192.0.2.200

Q: Deny everything in ACL 90 (hint: universal match).
A: access-list 90 deny any

Q: Create ACL 65 that permits only subnet 172.20.0.0/16.
A: access-list 65 permit 172.20.0.0 0.0.255.255

Q: Create a named standard ACL called BLOCK-SSH.
A: ip access-list standard BLOCK-SSH

Q: Create a named standard ACL called BLOCK-SSH, then, while in BLOCK-SSH, deny access from host 192.168.10.10.
A:
ip access-list standard BLOCK-SSH
 deny host 192.168.10.10

Q: Create a named standard ACL called BLOCK-SSH, then, while in BLOCK-SSH, deny access from host 192.168.10.10 and finally permit all other traffic.
A:
ip access-list standard BLOCK-SSH
 deny host 192.168.10.10
 permit any

Q: Add a remark to ACL BLOCK-SSH that says: “Deny admin access”.
A: remark Deny admin access

Q: Remove the entire named ACL BLOCK-SSH.
A: no ip access-list standard BLOCK-SSH

Q: Create a named standard ACL called OFFICE-LAN and allow all traffic from 10.0.0.0/8.
A:
ip access-list standard OFFICE-LAN
 permit 10.0.0.0 0.255.255.255

Q: Deny traffic from subnet 192.168.30.0/24 in a named ACL NO-GUESTS.
A:
ip access-list standard NO-GUESTS
 deny 192.168.30.0 0.0.0.255

Q: What is the maximum character limit for a remark entry in a standard ACL?
A: 100 characters

Q: What type of mode is entered after using the ip access-list standard command?
A: Named standard ACL configuration mode

Q: Create a numbered extended ACL 110 to deny all TCP traffic from host 192.168.1.10 to any destination.
A: access-list 110 deny tcp host 192.168.1.10 any

Q: Permit any IP traffic from subnet 10.0.0.0/8 to any destination using ACL 110.
A: access-list 110 permit ip 10.0.0.0 0.255.255.255 any

Q: Deny UDP traffic from 172.16.1.0/24 to host 192.168.2.100 in ACL 100.
A: access-list 100 deny udp 172.16.1.0 0.0.0.255 host 192.168.2.100

Q: Permit TCP traffic from any source to 192.168.5.5 on port 80 (HTTP) in ACL 130.
A: access-list 130 permit tcp any host 192.168.5.5 eq 80

Q: Block ICMP traffic from 192.168.10.0/24 to any destination in ACL 110.
A: access-list 110 deny icmp 192.168.10.0 0.0.0.255 any

Q: Add a remark to ACL 110 that says: “Allow internal web access”.
A: access-list 110 remark Allow internal web access

Q: Permit established TCP sessions from any to any in ACL 129.
A: access-list 129 permit tcp any any established

Q: Block all UDP traffic from any source to 192.168.20.0/24 and log it.
A: access-list 150 deny udp any 192.168.20.0 0.0.0.255 log

Q: Permit DNS queries (UDP port 53) from 192.168.1.0/24 to any DNS server.
A: access-list 150 permit udp 192.168.1.0 0.0.0.255 any eq 53

Q: Remove the entire ACL 110 from the configuration.
A: no access-list 110

Q: Which ACL type supports filtering based on protocols and port numbers?
A: Extended ACLs

Q: Which command shows all possible protocols when creating an ACE in extended ACL 100?
A: access-list 100 permit ?

Q: Which IP protocol number represents ICMP?
A: ICMP protocol 1

Q: Which IP protocol number represents TCP?
A: TCP protocol 6

Q: Which IP protocol number represents UDP?
A: UDP protocol 17

Q: Which protocols must be selected in an extended ACL to access specific port options? (3)
A: ICMP, TCP, UDP

Q: What determines which port options are available in an extended ACL?
A: The selected protocol (TCP, UDP, ICMP)

Q: Which port number corresponds to Telnet?
A: Telnet 23

Q: Which port number is used for HTTP (World Wide Web)?
A: HTTP 80

Q: Which port name corresponds to FTP control?
A: FTP 21

Q: Which port name corresponds to FTP data?
A: FTP 20

Q: Which port name corresponds to DNS (Domain Name Service)?
A: DNS 53

Q: Which port name is used for SMTP (email transport)?
A: SMTP 25

Q: Which port name corresponds to the POP3 email protocol?
A: POP3 110

Q: Which port numbers must be entered manually because common names like SSH and HTTPS are not listed?
A: SSH 22 and HTTPS 443

Q: Which keyword in extended ACLs permits only return TCP traffic from existing sessions?
A: established

Q: Which command permits return traffic from the internet to internal network 192.168.10.0/24?
A: access-list 120 permit tcp any 192.168.10.0 0.0.0.255 established

Q: Where should ACL 120 be applied to filter incoming external traffic to the LAN?
A: Outbound (external facing interface)

Q: Which command displays current ACLs and match statistics on a router?
A: show access-lists

Q: How does the router know the packet belongs to an existing connection?
A: It checks for the TCP ACK or RST flag in packets

Q: Which command creates a named extended ACL called NO-FTP-ACCESS?
A: ip access-list extended NO-FTP-ACCESS

Q: Can ACL names in the ip access-list extended command contain spaces?
A: No

Q: After entering ACL configuration mode for WEB-FILTER, which command would deny HTTP traffic from host 192.168.1.5 to any destination?
A: deny tcp host 192.168.1.5 any eq 80

Q: What command would permit all ICMP traffic from any source to the 192.168.10.0/24 network in a named extended ACL?
A: permit icmp any 192.168.10.0 0.0.0.255

Q: How would you remove a named extended ACL called NO-SSH from the router?
A: no ip access-list extended NO-SSH

Q: If you're in named extended ACL mode, which command would allow only HTTPS (TCP port 443) traffic from any source to host 192.0.2.5?
A: permit tcp any host 192.0.2.5 eq 443

Q: Which named extended ACL permits inside HTTP and HTTPS traffic to exit the router?
A: SURFING

Q: What should be done before pasting a corrected ACL back into the router?
A: Delete the previous configuration

Q: Which named extended ACL permits only returning web traffic into the inside network?
A: BROWSING

Q: What command would you use to delete the ACE with sequence number 10 in a standard ACL?
A: no 10

Q: Which command is used to view and copy an ACL from the running configuration?
A: show running-config

Q: Which command can be used to verify named extended ACL match statistics?
A: show access-lists

Q: What command is used to apply an ACL to vty lines?
A: access-class (acl #/name) (in/out)

Q: What does the keyword established ensure in an ACL?
A: Permits only returning traffic

Q: Where should standard ACLs be placed in the network?
A: Close to the destination

Q: What command applies the VTY ACL to inbound connections?
A: access-class VTY-ACL in

Q: How many ACLs can be applied per interface, per protocol, per direction?
A: One

Q: What must be done before replacing an ACE with a new one using the same sequence number?
A: Delete the existing one via no (sequence number)

Q: What command is used to apply an ACL to an interface?
A: ip access-group (acl#/name) (in/out)

Q: Where should extended ACLs be placed in the network?
A: Close to the source

Q: Which command removes an ACL from an interface?
A: no ip access-group

Q: What is the primary benefit of placing an extended ACL near the traffic source?
A: Saves network bandwidth (avoids carrying packets that will be dropped anyway)

Q: Which command removes an ACL from the router entirely?
A: no access-list

Q: What overall principle guides efficient ACL placement?
A: Filter as close to the source (as early) as possible

Q: What type of attack involves inserting a fake source IP in packet headers?
A: IP address spoofing

Q: What command is used to enter IPv6 ACL configuration mode?
A: ipv6 access-list

Q: What IOS command disables SNMP services completely on a Cisco device?
A: no snmp-server

Q: Which ICMP message asks a sender to reduce transmission rate and should be allowed in both directions?
A: Source quench

Q: Which kind of message might a compromised host send to force dual-stacked hosts to obtain an IPv6 address?
A: RAs (rogue router advertisements)

Q: Which transition technology enables IPv6 connectivity over IPv4 NAT by embedding IPv6 packets inside UDP packets?
A: Teredo tunneling

Q: Which integration method allows a device to operate on both IPv4 and IPv6 networks simultaneously?
A: Dual stack

Q: How are IPv6 ACLs applied to an interface?
A: Using the ipv6 traffic-filter command

Q: In applying an ACL to a router interface, which traffic is designated as outbound?
A: Traffic leaving the router heading to the destination host

Q: What essential IPv6 protocol must be explicitly permitted in ACLs to avoid breaking connectivity?
A: NDP (Neighbor Discovery Protocol)