Access Control Lists (ACLs)

Questions and Answers

What is the fundamental purpose of an Access Control List (ACL)?

  • To speed up packet forwarding by optimizing routing tables.
  • To filter network traffic based on specified criteria. (correct)
  • To provide detailed reports on network bandwidth usage.
  • To encrypt network traffic for secure transmission.

By default, what action does a router take regarding network traffic filtering if no ACL is configured?

  • The router prompts the administrator to configure an ACL.
  • The router automatically applies a basic ACL that prevents harmful traffic.
  • The router denies all network traffic to ensure security.
  • The router does not filter traffic. (correct)

When an ACL is applied to an interface, what is the immediate effect on network packets?

  • Packets are immediately forwarded to their destination without evaluation.
  • Packets are evaluated against the criteria defined in the ACL. (correct)
  • Packets are duplicated for monitoring purposes.
  • Packets are rerouted to a secure network segment.

What are the two possible determinations an ACL can make regarding a network packet?

Permit or deny (C)

An ACL consists of a sequential list of statements. What are these statements known as?

Access control entries (ACEs) (A)

Besides ACEs, what are access control lists also commonly called?

ACL statements (B)

An ACL can control whether a router permits or denies packets based on several criteria found in the packet header. Which of the following is NOT a criterion?

Router's CPU utilization (D)

In which way does a router act when it forwards or denies packets according to filtering rules set in an ACL?

As a packet filter (D)

Which of the following describes how an inbound ACL filters packets?

Coming into a specific interface and before they are routed to the outbound interface. (C)

What type of statement is automatically inserted at the end of each ACL?

An implicit deny all statement (B)

What could be the effect of an ACL without at least one permit statement?

It will block all traffic. (A)

What is the primary difference in how standard and extended IPv4 ACLs filter IP packets?

Standard ACLs filter based on the source address only, while extended ACLs filter based on several attributes. (A)

When configuring a numbered ACL, what number range is used to identify standard IP ACLs?

1 to 99 (B)

Which of the following is a characteristic of named ACLs?

They cannot contain spaces or punctuation. (B)

Wildcard masks are used in ACLs to specify IP address matching. What does a '0' bit in a wildcard mask signify?

Match the corresponding bit value in the address. (C)

What keyword can be used in an ACL configuration to represent a wildcard mask of 0.0.0.0?

host (B)

What keyword can be used in an ACL configuration to represent a wildcard mask of 255.255.255.255?

any (D)

What is one of the guidelines to follow when creating ACLs?

Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet. (C)

When controlling traffic flow on an interface, how many ACLs should be defined for each protocol?

One ACL per protocol (C)

Which of the following is NOT considered an ACL best practice?

Implement ACLs directly on a production network for immediate effect. (A)

To enhance network efficiency and security when implementing ACLs, at which location should extended ACLs be placed?

As close as possible to the source of the traffic to be filtered. (A)

Considering network efficiency and security, where should standard ACLs be placed?

As close as possible to the destination. (C)

Imagine you need to block all Telnet traffic originating from any source destined for a specific server. Which type of ACL is more suited and where should you ideally place it in your network and why?

Extended ACL, placed close to the source, to immediately drop unwanted Telnet traffic from entering the network towards the destination. (C)

Flashcards

What is an ACL?

A list of permit or deny statements, also called ACL statements, used to filter network traffic.

How does an ACL work?

Examines network packets and determines if they are permitted or denied based on configured criteria.

What is Inbound ACL?

Applied to an interface to filter packets entering the router, before routing decisions are made.

What is Outbound ACL?

Applied to an interface to filter packets exiting the router, after routing decisions are made.

What is Implicit Deny?

The last statement of an ACL that blocks all traffic that has not been explicitly permitted.

What are Standard ACLs?

Used to filter IP packets based only on the source address.

What are Extended ACLs?

Used to filter IP packets based on source IP address, destination IP address, protocols, and port numbers.

What are Numbered ACLs?

Provide a numeric identifier for the ACL, differentiating standard and extended ACLs based on number range.

What are Named ACLs?

Allow you to identify the ACL by a descriptive name instead of a number.

What are Wildcard Masks?

Used in ACLs to match or ignore bit values in an IP address; 0 means match, 1 means ignore.

How to Calculate the Wildcard Mask?

Subtract the subnet mask from 255.255.255.255; the result is the wildcard mask.

What does the 'host' keyword mean?

A keyword to indicate that all address bits should be matched.

What does the 'any' keyword mean?

A keyword to indicate that all address bits are ignored, effectively matching any IP address.

Where to use ACLs?

Place ACLs on firewall routers between the internal network and external networks like the Internet.

What are the Three Ps of ACLs?

One ACL per protocol, per direction, and per interface.

Where to place Extended ACLs?

Locate them as close as possible to the source of the traffic, because their precise filtering can drop unwanted traffic before it crosses the network.

Where to place Standard ACLs?

Place them as close as possible to the destination, due to their limited filtering capabilities.

What does the ip access-group command do?

The command used to link a standard ACL to an interface.

What is the "remark" Keyword?

Used to provide descriptions and improve readability of access lists, aiding in understanding the ACL's purpose.

Why is order important when implementing ACLs?

Cisco IOS processes access list statements sequentially, so the order in which they are configured is crucial.

How do you create a named ACL?

The command used to create a named standard ACL.

How can I verify an ACL implementation?

The verification commands display the configured ACLs, the interfaces they are applied to, and the traffic statistics.

What is filtered by extended ACLs?

Filter based on Source IP address AND Destination IP address.

How to Use Extended ACLs?

The procedural steps are the same as for standard ACLs. The extended ACL is first configured, and then it is activated on an interface.

Study Notes

  • Chapter 4 focuses on implementing firewall technologies, specifically Access Control Lists (ACLs).

Objectives

  • Explain how ACLs filter traffic
  • Compare standard and extended IPv4 ACLs
  • Explain how ACLs use wildcard masks
  • Explain guidelines for creating and placing ACLs
  • Configure standard and extended IPv4 ACLs to filter traffic according to networking requirements
  • Modify a standard IPv4 ACL using sequence numbers
  • Configure a standard ACL to secure vty access
  • Explain the structure of an extended Access Control Entry (ACE)
  • Configure an ACL to limit debug output
  • Explain how a router processes packets when an ACL is applied
  • Troubleshoot common ACL errors using CLI commands

ACL Operation

  • ACLs are sequential lists of permit or deny statements, also known as Access Control Entries (ACEs).
  • An ACL statement is also an ACE.
  • ACLs control whether a router permits or denies packets based on criteria found in the packet header: source IP, destination IP, IP protocol (ICMP, TCP, UDP, EIGRP), and TCP/UDP source/destination ports.
  • A router functions as a packet filter when forwarding/denying packets based on filtering rules.
  • By default, routers do not filter traffic.
  • When applied to an interface, an ACL evaluates network packets to determine if packets are permitted or denied.
  • Inbound ACLs filter packets as they enter a specific interface, before they are routed to the outbound interface.
  • Outbound ACLs filter packets after they have been routed, regardless of the inbound interface.
  • The last statement of an ACL is always an implicit deny that blocks all remaining traffic, even though it does not appear in the configuration.
  • An ACL without at least one permit statement therefore blocks all traffic because of the implicit deny.

Types of Cisco IPv4 ACLs

  • Standard ACLs filter IP packets based on the source address only.
  • Extended ACLs filter IP packets based on several attributes: source/destination IPs, TCP/UDP ports, and protocol type/number (IP, ICMP, UDP, TCP).

Numbering & Naming ACLs

  • Numbered ACLs are assigned a number based on the protocol to be filtered:
  • Standard IP ACLs range from 1-99 and 1300-1999.
  • Extended IP ACLs range from 100-199 and 2000-2699.
  • Named ACLs are identified by an alphanumeric name instead of a number.
  • Names should be in CAPITAL LETTERS.
  • Names cannot contain spaces or punctuation.
  • Entries can be added or deleted within the ACL.

Introducing ACL Wildcard Masking

  • Wildcard masks and subnet masks differ in the way they treat binary 1s and 0s.
  • Wildcard mask rules for matching binary 1s and 0s:
  • Wildcard mask bit 0: Match the corresponding bit value in the address.
  • Wildcard mask bit 1: Ignore the corresponding bit value in the address.
  • Wildcard masks are inverse masks: in a subnet mask a binary 1 means "match" and a binary 0 means "do not match", whereas in a wildcard mask the reverse is true.
  • Calculate a wildcard mask by subtracting the subnet mask from 255.255.255.255.
  • Shorthand wildcard mask keywords: host stands for a 0.0.0.0 mask (match every bit) and any stands for a 255.255.255.255 mask (ignore every bit).
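The wildcard rules above, worked through in Python as an added example (not code from the original notes or from Cisco). The function names are my own; the inputs in the main block are constructed. Besides the subtraction rule, it shows the bitwise test a router effectively performs for each ACE, and why a wildcard such as 0.0.1.255 is not a subnet mask: it matches two adjacent /24 networks at once.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF   # 255.255.255.255 as an integer

def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """Wildcard mask = 255.255.255.255 - subnet mask, the rule given in the notes."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(ALL_ONES - mask))

def wildcard_from_prefix_length(prefix_length: int) -> str:
    """Same result from CIDR notation; the ipaddress module calls the inverse mask 'hostmask'."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_length}").hostmask)

def expand_keyword(spec: str) -> tuple:
    """Turn 'host A.B.C.D', 'any' or 'A.B.C.D W.W.W.W' into an (address, wildcard) pair."""
    tokens = spec.split()
    if tokens == ["any"]:
        return ("0.0.0.0", "255.255.255.255")   # every bit ignored: matches any address
    if len(tokens) == 2 and tokens[0] == "host":
        return (tokens[1], "0.0.0.0")           # no bit ignored: exactly one address
    if len(tokens) == 2:
        return (tokens[0], tokens[1])
    raise ValueError(f"unrecognised address specification: {spec!r}")

def wildcard_match(address: str, ace_address: str, wildcard: str) -> bool:
    """Wildcard bit 0: the address bit must equal the ACE bit. Wildcard bit 1: ignore that bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, ace_address, wildcard))
    # XOR marks the differing bits; AND with the inverted wildcard keeps only the bits that matter.
    return ((a ^ b) & ~w & ALL_ONES) == 0

def matching_addresses(wildcard: str) -> int:
    """How many addresses an (address, wildcard) pair matches: 2 ** (number of 1 bits)."""
    return 1 << bin(int(ipaddress.IPv4Address(wildcard))).count("1")

if __name__ == "__main__":
    # Constructed inputs for a quick demonstration.
    print(wildcard_from_subnet_mask("255.255.255.0"))                    # 0.0.0.255
    print(wildcard_from_prefix_length(20))                                # 0.0.15.255
    print(wildcard_match("192.168.10.77", "192.168.10.0", "0.0.0.255"))   # True
    print(wildcard_match("192.168.11.5", "192.168.10.0", "0.0.1.255"))    # True: 10.x and 11.x
    print(matching_addresses("0.0.1.255"))                                # 512
```

The test for a single ACE is one XOR and one AND, which is why the order of ACEs, not the cost of each match, is what matters operationally.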

General Guidelines for Creating ACLs

  • Use ACLs in firewall routers between the internal network and external networks like the Internet.
  • Use ACLs on a router between two parts of the network to control traffic entering/exiting a specific part of the internal network.
  • Configure ACLs on border routers (routers at the edge of networks).
  • Configure ACLs for each network protocol configured on border router interfaces.
  • Three P's of ACL traffic control.
  • One ACL per protocol: Define an ACL for each protocol enabled on the interface to control traffic flow.
  • One ACL per direction: Use two ACLs for inbound and outbound control, as ACLs control traffic in one direction at a time.
  • One ACL per interface: ACLs control traffic for an interface, such as GigabitEthernet 0/0.

ACL Best Practices

  • Base ACLs on the organization's security policy to implement security guidelines.
  • Prepare a description of what the ACLs should do to avoid inadvertently creating potential access problems.
  • Use a text editor to create, edit, and save ACLs for a library of reusable ACLs.
  • Test ACLs on a development network before implementing them on a production network to avoid costly errors.

Where to Place ACLs

  • Place an ACL where it has the greatest impact on efficiency.
  • Extended ACLs: Locate as close as possible to the source of the traffic to be filtered.
  • Standard ACLs: Locate as close as possible to the destination, because they do not specify destination addresses.
  • The extent of the network administrator's control, the bandwidth of the networks, and ease of configuration also affect ACL placement and the type of ACL used.

Configuring Standard ACLs

  • Standard ACLs use the command access-list access-list-number {deny | permit | remark} source [source-wildcard] [log]
  • Remove an ACL using the global configuration command no access-list
  • The remark keyword provides documentation, making access lists easier to understand.
  • Cisco IOS applies internal logic when accepting and processing Access Control List (ACL) statements.
  • Access list statements are processed sequentially, so the order in which statements are entered is important.
  • Link a configured standard ACL to an interface in interface configuration mode using the command ip access-group {access-list-number | access-list-name} {in | out}
  • Remove an ACL from an interface using the command no ip access-group on the interface, then use the global command no access-list to completely remove the ACL.
  • Numbered ACLs can be commented using the remark command.
  • Configure named standard ACLs using ip access-list {standard | extended} name
  • The alphanumeric name cannot begin with a number.
  • Activate named IP ACLs on an interface using the command ip access-group name {in | out}
  • Standard numbered ACLs can be edited using a text editor or using sequence numbers.
  • The show access-lists command displays line numbers for ACLs.

Verifying ACLs

  • Use the command show ip interface to verify which ACLs are applied to an interface.
  • The command show access-lists displays the ACL information.

Extended ACLs

  • Filter on source address, destination address, protocol, and port numbers.
  • Extended ACLs are used because they give a greater degree of control, with precise traffic filtering.
  • Extended ACLs filter on source IP addresses AND destination IP addresses.
  • ACLs can filter on upper-layer protocols (IP, TCP, UDP, ICMP, EIGRP) or on source/destination ports.

Configuring Extended ACLs

  • Configured with access-list access-list-number {deny | permit | remark} protocol source [source-wildcard] [operator operand] [port port-number or name] destination [destination-wildcard] [operator operand] [port port-number or name] [established]
  • Apply extended ACLs to interfaces with ip access-group {access-list-number | access-list-name} {in | out}
  • Create named extended ACLs with the command ip access-list extended name
  • Like standard ACLs, extended ACLs can be edited using a text editor or sequence numbers.
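An added example, not code from the original notes or from Cisco, that ties together the ACL Operation notes (sequential processing, first match wins, implicit deny) with the standard and extended statement syntax above. It parses a small subset of the numbered access-list syntax (any, host, address plus wildcard, the eq operator, remark lines; established and log are accepted but ignored, and named ACLs are not modelled), evaluates constructed packets against the resulting ACEs, and flags ACEs that an earlier statement makes unreachable, which is the practical reason the notes insist on order. The sample configuration is constructed; the function names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Numbered IP ACL ranges from the notes: the number decides how a statement is parsed.
STANDARD_RANGES = ((1, 99), (1300, 1999))
EXTENDED_RANGES = ((100, 199), (2000, 2699))
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}   # subset of IOS port keywords
ANY = ("0.0.0.0", "255.255.255.255")                                # 'any': every bit ignored

@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    protocol: str = "ip"            # standard ACEs behave like protocol "ip": any protocol matches
    src: tuple = ANY                # (address, wildcard mask)
    dst: tuple = ANY                # standard ACEs never look at the destination
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

def _addr(tokens: list, require_wildcard: bool) -> tuple:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D [W.W.W.W]' from the front of the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")           # 'host': wildcard 0.0.0.0, every bit must match
    if require_wildcard or (tokens and tokens[0][0].isdigit()):
        return (tok, tokens.pop(0))
    return (tok, "0.0.0.0")                          # standard ACL without a wildcard: single host

def _port(tokens: list) -> Optional[int]:
    """Consume an optional 'eq <port>'; other operators, 'established' and 'log' are left unread."""
    if not tokens or tokens[0] != "eq":
        return None
    tok = tokens[1]
    del tokens[:2]
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def parse_ace(line: str) -> Optional[Ace]:
    """Parse one 'access-list <n> ...' statement; a remark is documentation only and yields None."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if action == "remark":
        return None
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r} in {line!r}")
    standard = any(lo <= number <= hi for lo, hi in STANDARD_RANGES)
    if not standard and not any(lo <= number <= hi for lo, hi in EXTENDED_RANGES):
        raise ValueError(f"{number} is not a standard or extended IP ACL number")
    if standard:
        return Ace(action=action, src=_addr(rest, False))
    protocol = rest.pop(0)
    src, src_port = _addr(rest, True), _port(rest)
    dst, dst_port = _addr(rest, True), _port(rest)
    return Ace(action, protocol, src, dst, src_port, dst_port)

def parse_acl(config: str) -> list:
    lines = [line for line in config.strip().splitlines() if line.strip()]
    return [ace for ace in map(parse_ace, lines) if ace is not None]

def wildcard_match(address: str, pair: tuple) -> bool:
    """Wildcard bit 0: the address bit must equal the ACE bit. Wildcard bit 1: ignore the bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, *pair))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def ace_matches(ace: Ace, pkt: dict) -> bool:
    ports_ok = ace.src_port in (None, pkt.get("sport")) and ace.dst_port in (None, pkt.get("dport"))
    return (ace.protocol in ("ip", pkt["proto"]) and ports_ok
            and wildcard_match(pkt["src"], ace.src) and wildcard_match(pkt["dst"], ace.dst))

def evaluate(aces: list, pkt: dict) -> tuple:
    """Top-down, first match wins; no match falls through to the implicit deny (index None)."""
    for index, ace in enumerate(aces, start=1):
        if ace_matches(ace, pkt):
            return ace.action, index
    return "deny", None

def _covers(outer: tuple, inner: tuple) -> bool:
    """True when (address, wildcard) `outer` matches every address that `inner` can match."""
    oa, ow, ia, iw = (int(ipaddress.IPv4Address(x)) for x in (*outer, *inner))
    return (iw & ~ow) == 0 and ((oa ^ ia) & ~ow & 0xFFFFFFFF) == 0

def shadowed_aces(aces: list) -> list:
    """1-based indices of ACEs that an earlier ACE fully covers, so they can never be reached."""
    shadowed = []
    for j, later in enumerate(aces, start=1):
        if any(e.protocol in ("ip", later.protocol) and _covers(e.src, later.src)
               and _covers(e.dst, later.dst) and e.src_port in (None, later.src_port)
               and e.dst_port in (None, later.dst_port) for e in aces[: j - 1]):
            shadowed.append(j)
    return shadowed

# Constructed sample configuration (not taken from the original page).
ACL_110 = """
access-list 110 remark Block Telnet to the server, allow everything else
access-list 110 deny tcp any host 192.168.20.10 eq telnet
access-list 110 permit ip any any
"""
```

With ACL_110, evaluate(parse_acl(ACL_110), {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.20.10", "dport": 23}) returns ("deny", 1) and the same packet to port 80 returns ("permit", 2). An ACL that contains only deny statements returns ("deny", None) for every packet, which is the implicit deny the notes describe. Swapping the two statements of ACL_110 makes shadowed_aces report the deny as index 2: the permit ip any any in front of it matches everything first, so the Telnet block never takes effect. The shadow check is deliberately conservative: it only reports an ACE when a single earlier ACE covers it completely, so it can miss ACEs that are hidden by several earlier statements together.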