ACLs for IPv4 Configuration - Module 5

Questions and Answers

All access control lists (ACLs) must be ______.

planned

It is suggested that you use a text ______ and write out the specifics of the policy.

editor

Include ______ to document the ACL.

remarks

Always thoroughly test an ACL to ensure that it correctly applies the desired ______.

policy

Configure a standard IPv4 ACL to secure ______ access.

VTY

Use sequence numbers to edit existing standard ______ ACLs.

IPv4

Configure extended IPv4 ACLs to filter traffic according to networking ______.

requirements

Add the IOS configuration ______ to accomplish those tasks.

commands

A standard ACL can secure remote administrative access to a device using the ______ lines.

vty

The access-class command is used to secure ______ access.

remote administrative

To restrict access to the vty lines, an ACL must be applied to incoming ______.

traffic

The local database entry for users includes a username and ______.

password

After configuring the ACL, it's important to verify the VTY port is ______.

secured

To check ACL statistics, you can use the ______ command.

show access-lists

SSH traffic needs to be ______ for secure VTY access.

permitted

The example demonstrates how to configure an ACL to filter ______ traffic.

vty

The ACL needs to identify which administrative ______ should be allowed remote access.

hosts

R1 is configured to use the local database for ______.

authentication

The current statement must be deleted first with the no 10 ______.

command

Named ACLs can also use sequence ______ to delete and add ACEs.

numbers

An ACE is added to deny hosts ______.

192.168.10.11

The show access-lists command shows statistics for each statement that has been ______.

matched

The deny ACE has been matched ______ times.

20

The permit ACE has been matched ______ times.

64

The implied deny any statement does not display any ______.

statistics

To track how many implicit denied packets have been matched, you must manually configure the ______ command.

deny any

Use the clear access-list ______ command to clear the ACL statistics.

counters

In this Packet Tracer, you will complete the following objectives: Configure Devices and Verify ______.

Connectivity

The established keyword enables inside traffic to exit the inside private network and permits the returning reply traffic to enter the inside private ______.

network

ACL 120 is configured to only permit returning web traffic to the inside ______.

hosts

A match occurs if the returning TCP segment has the ACK or reset (RST) flag bits set, indicating that the packet belongs to an existing ______.

connection

To create a named extended ACL, use the ip access-list ______ configuration command.

extended

The named extended ACL called NO-FTP-ACCESS is created in the named extended ACL ______ mode.

configuration

Extended ACLs can filter on different port number and port name ______.

options

The first ACE uses the www port ______.

name

Both ACEs achieve exactly the same ______.

result

Configuring the port number is required when there is not a specific ______ name listed.

protocol

ACL 110 is applied inbound on the R1 G0/0/0 ______.

interface

The ACL permits both HTTP and ______ traffic.

HTTPS

TCP can also perform basic stateful firewall services using the TCP established ______.

keyword

Extended ACLs can be applied in various ______.

locations

In this example, the ACL filters ______ traffic.

HTTP

The example configures an extended ACL 100 to filter ______ traffic.

HTTP

Flashcards are hidden until you start studying

Study Notes

Module Overview

• Focus on implementing IPv4 Access Control Lists (ACLs) to filter traffic and secure administrative access.

Objectives

• Configure Standard IPv4 ACLs to meet networking requirements.
• Modify existing IPv4 ACLs using sequence numbers.
• Secure Virtual Terminal (VTY) ports with Standard IPv4 ACLs.
• Configure Extended IPv4 ACLs for detailed traffic filtering.

Configure Standard IPv4 ACLs

• Planning is essential: draft policies using a text editor before configuration.
• Use IOS commands to apply configurations following the planned policy.
• Include remarks for documentation purposes.
• Test ACLs thoroughly to ensure proper functionality.
• Modifying ACLs requires deleting the current configuration first with the no {sequence number} command.

Modifying IPv4 ACLs

• Named ACLs can be modified using sequence numbers for adding or deleting Access Control Entries (ACEs).
• Use show access-lists to check statistics of matched entries.
• The implicit deny statement does not display statistics unless manually configured with deny any.

Secure VTY Ports with Standard IPv4 ACL

• Secure remote access to devices using the VTY lines by creating and applying an ACL.
• Example configuration includes user authentication settings and permissions for SSH traffic.
• Verify VTY security through show access-lists to ensure correct restrictions are in place.

Configure Extended IPv4 ACLs

• Extended ACLs filter traffic based on specific protocols and port numbers.
• Example: ACL can filter HTTP and HTTPS traffic using both protocol names (like www) and port numbers (like 80).
• Generally applied close to the source of traffic for effectiveness.

TCP Established Extended ACL

• Allows stateful firewall functions with the TCP established keyword, permitting replies to outgoing requests while blocking unsolicited inbound traffic.
• Example involves configuring an ACL to allow only returning web traffic from the internet to internal hosts, based on TCP flags.

Named Extended IPv4 ACL

• Use descriptive naming for easy identification of ACL functions.
• Create named extended ACLs with the command ip access-list extended {name}.
• Enter ACE statements in the named ACL configuration mode for clarity.

Additional Practical Applications

• Named extended ACLs can manage multiple types of traffic through specific configurations like SURFING, which allows HTTP and HTTPS traffic to exit while restricting FTP access.