Access Control Lists in Networking

Questions and Answers

What determines the action taken on a packet when using Access Control Lists (ACLs)?

  • The number of packets processed previously
  • The type of interface on the router
  • The size of the ACL
  • The order of the entries in the ACL (correct)

What happens if a packet does not match any entries in an ACL?

  • The packet is dropped (correct)
  • The packet is routed to a default gateway
  • The packet is sent for further inspection
  • The packet is logged for monitoring

Which command component is necessary for configuring a standard numbered IPv4 ACL?

  • Layer 2 MAC address
  • Access Control Entry (ACE) number (correct)
  • Routing Protocol Identifier
  • Destination IP address

In standard numbered IPv4 ACLs, what does the access-list command primarily match?

  • Source IP address

What is implied to be at the end of every Access Control List for IPs?

  • A deny all statement

Which term is used to describe each line in an Access Control List?

  • Access Control Entry (ACE)

How does the router process packets against the ACL?

  • In a first-match basis from top to bottom

To match a specific source IP address in an ACL, what must be done?

  • Type the entire IP address in the command

What actions can be performed when a match occurs in an IP ACL?

  • Discard the packet or allow it to proceed

Which type of ACL is limited to only matching the source IP address of packets?

  • Standard numbered ACLs

What is the purpose of the ACL number range 100–199?

  • Designated for extended numbered ACLs

When an ACL is applied inbound on an interface, what is the primary function it serves?

  • It compares and filters incoming packets

Which of the following statements is true regarding the configuration of IP ACLs?

  • ACLs can either be identified by numbers or names.

Why would a network engineer choose to use extended ACLs over standard ACLs?

  • Extended ACLs provide greater flexibility in filtering based on multiple criteria.

What is a significant feature introduced for ACL management in recent Cisco IOS versions?

  • Improved editing capabilities with sequence numbers

Which of the following does NOT describe the function of a standard numbered ACL?

  • It can match based on both source and destination IP addresses.

What is the correct way to determine a wildcard mask for a subnet with a mask of 255.255.252.0?

  • Subtract the subnet mask from 255.255.255.255

Which command is used to permit all packets in an IP ACL?

  • permit any any

What information does the 'show ip access-lists' command provide?

  • It lists details specifically about IPv4 ACLs.

In the context of an ACL, what is typically the first step in implementing a standard numbered ACL?

  • Define the number for the ACL

Which command shows the number of packets that have matched each command in an ACL?

  • show access-lists

What is the role of the wildcard mask in an ACL?

  • It identifies all hosts within a given subnet.

When filtering packets from servers to clients, what does allowing access to hosts A, B, and others in their subnet, while denying others imply?

  • Using an ACL that permits only specific hosts.

What does the configuration process for a standard numbered ACL initiate with?

  • The specification of the access-list number.

Where can an Access Control List (ACL) be applied on a router?

  • Both inbound before routing decisions and outbound after routing decisions

Which of the following correctly describes the action a router takes when processing an inbound IP packet against an ACL?

  • The router checks the packet against ACL criteria to decide its fate.

When applying an ACL to filter packets sent from host B to server S1, which interface must it be configured on?

  • R1’s S0/0/0 interface

What is required for an ACL to effectively filter a packet?

  • The ACL must be applied on an interface that processes the packet in the correct direction.

What determines which packets are discarded or allowed in an ACL?

  • The header fields of the packets including source IP, destination IP, and port numbers

If an ACL is enabled on the R2’s F0/1 interface, what effect will it have on packets sent from host B to server S1?

  • It will have no effect since that interface is not on the route.

What does 'matching packets' in ACL terms refer to?

  • Setting conditions on how to identify packets to be filtered

Which direction can an ACL be applied to filter packets?

  • In both directions as needed

What type of Access Control List (ACL) should be used to address both source and destination IP addresses?

  • Extended ACL

What is the primary limitation of standard ACLs mentioned in the content?

  • They can only filter by source IP address.

What is the implicit action taken by ACLs if a packet does not match any rules?

  • Drop the packet.

Which command would correctly permit traffic from server S1 with an IP of 10.2.2.1 using a standard ACL?

  • access-list 1 permit 10.2.2.1

What happens when the same IP address is both permitted and denied in a standard ACL?

  • The first matching rule takes precedence, blocking the IP.

In the context of ACLs, what role does the remark parameter play?

  • It adds documentation to the ACL for clarity.

Why might the immediate use of another command to filter packets from the same source IP fail?

  • The first-match logic prevents subsequent rules from being evaluated.

What troubleshooting aspect is most critical when working with IPv4 ACLs?

  • Understanding the address and wildcard mask.

Study Notes

Access Control Lists (ACLs)

  • ACLs can be applied inbound or outbound on a router.
  • Inbound ACLs are applied before routing decisions, while outbound ACLs are applied after routing decisions.
  • ACLs filter packets based on criteria specified in the configuration.
  • To effectively filter a packet, an ACL must be applied on the interface that processes the packet, in the same direction the packet flows.
  • ACLs evaluate each packet against a series of configured rules (Access Control Entries, or ACEs) to determine the packet’s fate.

Standard Numbered IPv4 ACLs

  • Only match the source IP address of the packet.
  • Configured using numbers.
  • Employ first-match logic: once a packet matches a rule in the ACL, the router takes the action specified in that rule and stops further evaluation.
  • An implicit "deny all" rule exists at the end of every ACL.
  • The entire ACL is enabled on a specific interface and direction.

Matching Logic in Standard Numbered IPv4 ACLs

  • Standard numbered ACLs utilize the access-list command for configuration.
  • Each access-list command specifies an action (permit or deny) and matching logic.
  • access-list commands can match the exact source IP address or portions of the source address using a wildcard mask.
  • Wildcard masks are calculated by subtracting the subnet mask from 255.255.255.255.
  • To match any/all packets, use the any keyword.

Implementing Standard Numbered IPv4 ACLs

  • The ip access-list standard <ACL-number> command is used to create a standard ACL.
  • The access-list <ACL-number> command is used to define an access-list entry (ACE).
  • permit or deny is used to specify the action.
  • The source IP address or wildcard mask is specified as the matching logic.

Example 1: Standard Numbered IPv4 ACL Filtering

  • In the example, ACL 1 on interface S0/0/1 is used to filter packets inbound to router R2.
  • ACL 1 has two rules:
    • access-list 1 permit 10.1.1.1 - permits packets from host A.
    • access-list 1 deny 10.1.1.2 - denies packets from host B.

Example 2: Standard Numbered IPv4 ACL Limitations

  • Example 2 demonstrates the limitations of standard numbered ACLs in handling complex filtering requirements.
  • Standard ACLs cannot filter based on both source and destination IP addresses.
  • Example 2 highlights the need for extended ACLs for more comprehensive filtering.

Troubleshooting and Verification of Standard Numbered IPv4 ACLs

  • The show ip access-lists or show access-lists commands provide information on IPv4 and/or other ACLs.
  • Output includes the type (standard), number, and packet counts for each rule.
  • Use the traceroute and debug ip access-list commands to troubleshoot issues and verify ACL behavior.


Description

This quiz covers the fundamentals of Access Control Lists (ACLs), specifically focusing on inbound and outbound rules, their match logic, and the use of Standard Numbered IPv4 ACLs. Test your understanding of how ACLs operate to filter packets based on source IP addresses and the evaluation process through Access Control Entries (ACEs).
