IP ACL Operation


Questions and Answers

What is the primary function of Access Control Lists (ACLs) in network security?

  • To monitor network performance and generate reports.
  • To encrypt network traffic for secure transmission.
  • To route network traffic to the fastest available path.
  • To filter network traffic based on defined criteria. (correct)

Which of the following is a key characteristic of standard IPv4 ACLs?

  • They filter traffic based only on the destination IP address.
  • They filter traffic based on both source and destination IP addresses.
  • They filter traffic based only on the source IP address. (correct)
  • They filter traffic based on application type.

Which of the following is a key advantage of using extended ACLs over standard ACLs?

  • Extended ACLs are compatible with a wider range of network devices.
  • Extended ACLs are processed faster by the router.
  • Extended ACLs offer more granular control over network traffic. (correct)
  • Extended ACLs are simpler to configure.

What is the purpose of a wildcard mask in an ACL?

To specify which bits of an IP address should be matched or ignored. (B)

What is the implied action at the end of every ACL?

deny any (C)

When configuring an ACL, what does the 'remark' command do?

It adds a comment to the ACL configuration. (B)

Which command is used to apply an ACL to an interface?

ip access-group (A)

Where is the generally recommended location to place extended ACLs?

As close to the source as possible. (C)

What is the range of numbers that identifies standard IP ACLs?

1-99 (B)

Which of the following commands removes an ACL from an interface?

no ip access-group (C)

Which of the following is not a valid consideration when creating ACLs?

Ensuring every interface has an ACL applied. (B)

Which of the following is true regarding ACL processing by a router?

The router processes ACL rules sequentially until a match is found. (C)

What command is used to view the ACLs configured on a Cisco router?

show access-lists (A)

Which of the following best describes the function of the established keyword in an extended ACL rule?

Permits only established TCP connections. (B)

What is a significant limitation of numbered ACLs compared to named ACLs when modifying them?

Numbered ACLs need to be completely removed and recreated to make changes without sequence numbers. (B)

You need to block all ICMP traffic originating from the 192.168.1.0/24 network destined to any host. Which of the following extended ACL configurations is MOST appropriate?

access-list 101 deny icmp 192.168.1.0 0.0.0.255 any (D)

An administrator wants to permit only HTTP and HTTPS traffic to a web server with the IP address 203.0.113.5 from any source. Which extended ACL configuration is most appropriate?

access-list 101 permit tcp any host 203.0.113.5 eq 80 and access-list 102 permit tcp any host 203.0.113.5 eq 443 (C)

Which of the following is true about ACL statistics?

ACL statistics can be viewed using the show access-lists command. (B)

An engineer configures an ACL to deny all traffic, but then complains that no traffic is being blocked. What is the most likely cause?

The ACL has not been applied to an interface. (D)

Which of the following commands would remove sequence number 20 from the extended ACL named RESTRICT_ACCESS?

Router(config)# ip access-list extended RESTRICT_ACCESS ; Router(config-ext-nacl)# no 20 (C)

By default, a router is configured to filter network traffic without any additional configuration.

False (B)

An ACL, when applied to an interface, evaluates all network packets to determine if they should be permitted or denied.

True (A)

Access Control Entries (ACEs) in an ACL are processed randomly.

False (B)

ACLs can control traffic based on criteria found only in the data portion of a packet.

False (B)

An inbound ACL filters packets after they are routed to the outbound interface.

False (B)

The implicit deny at the end of an ACL can be overridden by explicitly permitting all traffic.

False (B)

An ACL that does not have at least one permit statement will block all traffic.

True (A)

Standard ACLs can filter IP packets based on both the source and destination address.

False (B)

In a wildcard mask, a '0' bit means 'do not check that bit' and a '1' bit means 'check that bit'.

False (B)

The command access-list 1 permit any will permit all traffic.

True (A)

According to Cisco's best practices, ACLs should be based on the IT staff's understanding, irrespective of organizational security policies.

False (B)

Standard ACLs should be placed as close to the source of the traffic as possible.

False (B)

When configuring ACLs, the access-group command should be used in global configuration mode.

False (B)

In the context of ACLs, the term 'established' refers to packets that are initiating a new TCP connection.

False (B)

Named ACLs are removed using the global configuration command no ip access-list name.

False (B)

In the command access-list 103 permit tcp 192.168.20.0 0.0.0.255 any eq 23, the port number 23 refers to FTP data.

False (B)

The command access-list 1 permit 192.168.4.5 0.0.0.0 is the same as access-list 1 permit host 192.168.4.5.

True (A)

If an access list is applied to an interface, and that ACL contains no permit statements, then all traffic will be allowed.

False (B)

If the subnet mask is /27, calculating the wildcard mask involves subtracting 255.255.255.224 from 255.255.255.255, resulting in a wildcard mask of 0.0.0.31.

True (A)

In the command access-list 101 deny tcp any eq telnet any, the eq keyword cannot be used to filter traffic from any source.

False (B)

Flashcards

What is an ACL?

A sequential list of permit or deny statements used to filter network traffic. The individual statements are known as access control entries (ACEs).

How do ACLs work?

Packets are evaluated against ACL statements in order, stopping at the first match. No match results in an implicit deny.

ACL Direction

ACLs operate either inbound (before routing) or outbound (after routing) on an interface.

Standard ACLs

Filter IP packets based only on the source address.

Extended ACLs

An ACL that filters IP packets based on source and destination IP addresses, protocols, and port numbers.

Wildcard Masks

Used to select which bits of an IP address are compared during ACL filtering. Bit 0 means match (compare), bit 1 means ignore.

Where should ACLs be placed?

Configured on firewall routers, between network segments, and on border routers.

Extended ACL Placement

Locate extended ACLs as close as possible to the traffic source. This avoids carrying traffic across the network only to drop it.

Standard ACL Placement

Locate standard ACLs as close as possible to the destination, since they do not specify destination addresses and would otherwise block traffic to every destination.

ACL 'Three P's

Apply ACLs per protocol, direction (in/out), and interface to effectively control traffic flow.

Editing an extended ACL

Can be accomplished using a text editor or sequence numbers.

ACL Packet Filtering

An ACL is a packet filter that forwards or denies packets based on filtering rules.

ACL Configuration

Configure ACLs on border routers for each network protocol.

Calculating Wildcard Masks

Subtract the subnet mask from 255.255.255.255.

Using ACLs

Use firewall routers positioned between your internal network and the internet.

ACL Security Policies

Base ACLs on your organization's security policy.

Implicit Deny

The last statement of an ACL that automatically denies all traffic not matched by an earlier statement.

Standard ACL command keywords

access-list, deny, permit, remark, source, source-wildcard and log.

ACL Processing Order

ACLs are evaluated top to bottom, so the order of statements is important.

Verify ACLs

Use the 'show ip interface' command.

ACL Remarks

The keyword used for documentation, which makes access lists easier to understand.

Study Notes

IP ACL Operation

  • ACLs filter traffic.
  • Standard and extended IPv4 ACLs differ in the criteria they can match.
  • ACLs use wildcard masks.
  • There are guidelines for creating and placing ACLs.
  • Standard IPv4 ACLs are configured to filter traffic based on networking requirements.
  • Standard IPv4 ACLs are modified using sequence numbers.
  • Standard ACLs are configured to secure vty access.
  • The structure of an extended access control entry (ACE) is explained.
  • Extended IPv4 ACLs are configured to filter traffic based on networking requirements.
  • ACLs can limit debug output.
  • How a router processes packets when an ACL is applied is explained.
  • Common ACL errors are troubleshot using CLI commands.
  • Routers do not filter traffic by default
  • ACLs evaluate network packets
  • ACLs determine if a packet is permitted or denied
  • An ACL is a sequential list of permit or deny statements; each statement is an access control entry (ACE)
  • ACLs control whether a router permits or denies packets based on criteria in the header
    • Source and destination IP addresses
    • IP Protocols (ICMP, TCP, UDP, EIGRP, etc)
    • TCP/UDP source and destination ports
  • Routers act as packet filters by forwarding or denying packets based on filtering rules
  • Inbound ACLs filter packets at a specific interface before routing takes place
  • Outbound ACLs filter packets, regardless of the inbound interface, after routing takes place
  • The last statement in an ACL is an implicit deny that is automatically inserted even if not physically present
  • This implicit deny blocks all traffic
  • All traffic will be blocked if there is no permit statement

Types of Cisco IPv4 ACLs

  • Standard ACLs filter IP Packets based on the source address only
  • Extended ACLs filter IP packets based on multiple attributes
    • Source and destination IP addresses
    • Source and destination TCP and UDP Ports
    • Protocol type / protocol number (IP, ICMP, UDP, TCP, etc)

Numbering and Naming ACLs

  • A numbered ACL is assigned a number from the range belonging to the protocol you want filtered
  • (1 to 99) and (1300 to 1999): Standard IP ACL
  • (100 to 199) and (2000 to 2699): Extended IP ACL
  • You assign a Named ACL by providing the name of the ACL
    • Names can contain alphanumeric characters
    • Names in CAPITAL LETTERS are suggested
    • Names cannot contain spaces or punctuation
    • Entries can be added or deleted

ACL Wildcard Masking

  • Wildcard masks and subnet masks differ in the way they match binary 1s and 0s
    • Wildcard mask bit 0 - Match the corresponding bit value in the address
    • Wildcard mask bit 1 - Ignore the corresponding bit value in the address
  • Wildcard masks are often called "inverse masks"
  • Unlike a subnet mask, where binary 1 marks the network bits to compare, in a wildcard mask binary 1 means ignore the bit and binary 0 means the bit must match

Calculating the Wildcard Mask

  • To calculate a wildcard mask, subtract the subnet mask from 255.255.255.255

Wildcard Mask Keywords

  • To match all address bits (wildcard 0.0.0.0), abbreviate by preceding the IP address with the keyword host, for example host 192.168.10.10
  • To ignore all address bits (wildcard 255.255.255.255), abbreviate the expression with the keyword any
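The two rules above (wildcard bit 0 = compare, bit 1 = ignore; host and any as abbreviations) and the top-to-bottom, first-match, implicit-deny processing described under IP ACL Operation, worked through as an added example that is not part of the original lesson or Cisco's code. The sample ACL, its remark and the addresses tested are constructed for illustration.

```python
import ipaddress

def wildcard_from_mask(subnet_mask: str) -> str:
    """Lesson rule: wildcard = 255.255.255.255 minus the subnet mask, per octet."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))

def wildcard_from_prefix(prefix_len: int) -> str:
    """Same rule starting from a /prefix, e.g. /27 -> 0.0.0.31."""
    netmask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return wildcard_from_mask(str(netmask))

def matches(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = compare that bit, bit 1 = ignore it."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w            # bits that must be equal
    return (a & care) == (b & care)

def parse_source(tokens):
    """Accept the 'host A', 'any' and 'A WILDCARD' source forms of a standard ACE."""
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0"               # every bit compared
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255"       # every bit ignored
    return tokens[0], tokens[1]

def evaluate_standard_acl(aces, src_ip):
    """Walk the ACEs top to bottom; the first match decides, otherwise implicit deny."""
    for ace in aces:
        tokens = ace.split()
        if tokens[0] == "remark":     # documentation only, never matched
            continue
        action = tokens[0]            # "permit" or "deny"
        base, wildcard = parse_source(tokens[1:])
        if matches(src_ip, base, wildcard):
            return action, ace
    return "deny", "implicit deny any"

# Constructed sample standard ACL (hypothetical lab policy, not from the lesson).
ACL_10 = [
    "remark block one misbehaving host, allow the rest of its LAN",
    "deny host 192.168.10.10",
    "permit 192.168.10.0 0.0.0.255",
    "permit 10.1.0.0 0.0.255.255",
]

if __name__ == "__main__":
    print(wildcard_from_prefix(27))                        # 0.0.0.31
    for ip in ("192.168.10.10", "192.168.10.77", "172.16.0.1"):
        print(ip, evaluate_standard_acl(ACL_10, ip))
```

Reversing the first two ACEs of ACL_10 permits 192.168.10.10, which is the ordering pitfall the "ACL Processing Order" card warns about.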

Guidelines for Creating ACLs

  • Use ACLs between your internal network and an external network like the Internet
  • Use ACLs on a router between two parts of your network to control inbound and outbound traffic
  • Configure ACLs on border routers at the edges of networks
  • Configure ACLs for each network protocol configured on the border router interface

The Three Ps

  • One ACL per protocol: To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
  • One ACL per direction: ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.
  • One ACL per interface: ACLs control traffic for an interface, for example, GigabitEthernet 0/0

ACL Best Practices

  • Base ACLs on the security policy of the organization to implement security guidelines
  • Describe what each ACL does to avoid inadvertently creating issues
  • Use a text editor to create, edit and save ACLs so you can create a library of them for later
  • Test ACLs on a development network before implementing them on a production network since this will help avoid costly errors

Guidelines for ACL Placement

  • Every ACL should be placed where it has the greatest impact on efficiency
  • Extended ACLs: Locate as close as possible to the source of the traffic to be filtered.
  • Standard ACLs: Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.
  • Placement of the ACL and therefore the type of ACL used may also depend on: the extent of the network administrator's control, bandwidth of the networks involved, and ease of configuration.

Configure Standard IPv4 ACLs

  • To configure Standard IPv4 ACLs
    • Enter global configuration mode, and define statements of what to filter
    • Enter interface configuration mode and identify the ACL and the direction to filter

Configuring a Standard ACL

  • The full syntax of the standard ACL command is as follows: Router(config)# access-list access-list-number {deny | permit | remark} source [source-wildcard] [log]
  • The global configuration no access-list command will remove the ACL
  • Use the remark keyword for documentation

Applying Standard ACLs to Interfaces

  • Link a standard ACL with the ip access-group command in interface configuration: Router(config-if)# ip access-group { access-list-number | access-list-name } { in | out }
  • To remove an ACL, use the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL.

Creating Named Standard ACLs

  • Use the command Router(config)# ip access-list {standard | extended} name; the name should be unique, alphanumeric and cannot begin with a number
  • To configure entries, use Router(config-std-nacl)# or Router(config-ext-nacl)# {permit | deny | remark} source [source-wildcard] [log]
  • To activate, use Router(config-if)# ip access-group name {in | out} on an interface

Configuring extended ACLs

  • Extended ACLs can filter on
    • Source address
    • Destination address
    • Protocol
    • Port Numbers
  • Extended ACLs are used more often than standard ACLs because they provide a greater degree of control and more precise traffic filtering

Applying Extended ACLs to Interfaces

  • An extended ACE names the protocol (for example tcp), the source and destination IP addresses with their wildcard masks, and optionally a port condition such as eq (equal) followed by the destination port number
    • For example
      • R1(config)# access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 80
      • R1(config)# access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 443
  • To apply the inbound and outbound ACLs on an interface
    • R1(config)# interface g0/0
    • R1(config-if)# ip access-group 103 in
    • R1(config-if)# ip access-group 104 out

Editing Extended and Standard ACLs

  • Editing an extended or standard ACL involves the same process
  • ACLs can be modified using a text editor or sequence numbers
