IPv4 ACL Modification Techniques
43 Questions
Created by
@TopnotchPhosphorus

Questions and Answers

An ACL cannot be modified after it is configured.

False

Using a text editor to modify an ACL helps simplify editing tasks.

True

ACE statements can be overwritten directly using the existing sequence numbers.

False

Sequence numbers are essential for deleting or adding ACEs in an ACL.

True

The first step in correcting an error in an ACL is to delete the existing ACL.

False

Using the 'no 10' command deletes the statement with sequence number 10 in an ACL.

True

An ACL with multiple ACEs is easier to manage directly on the router interface.

False

The text editor method involves pasting the edited ACL back to the router after correcting it.

True

ACL 120 is configured to permit returning HTTP traffic to the inside hosts.

False

Named extended ACLs do not require a specific command to be created.

False

A match occurs if the TCP segment has the SYN flag set.

False

The BROWSING ACL permits only returning web traffic to the inside hosts.

True

The 'show access-lists' command confirms active connections from the inside hosts to secure web resources.

True

To create an access control entry (ACE) in a named ACL, you must be in global configuration mode.

False

The SURFING ACL blocks all web traffic from exiting to the internet.

False

R1 G0/0/0 interface has an outbound ACL applied to it.

True

Returning TCP segments must have both the ACK and RST flags set to match the ACL.

False

Creating a named ACL simplifies understanding its purpose.

True

The SURFING ACL permits HTTP and HTTPS traffic from inside users to exit the G0/0/1 interface connected to the internet.

True

The BROWSING ACL is applied inbound on the R1 G0/0/0 interface.

False

The show access-lists command is used to verify the ACL statistics.

True

The permit secure HTTPS counters in the SURFING ACL do not increase when traffic is permitted.

False

An extended ACL can only be edited using command line interfaces.

False

Sequence numbers can be used for editing one or two ACEs in an ACL.

True

The ACE with sequence number 10 in the SURFING ACL has a correct source IP network address.

False

Traffic returning from the internet is blocked by the BROWSING ACL.

False

The SURFING ACL is applied outbound on the R1 G0/0/1 interface.

False

HTTP traffic is allowed to return to the inside private network by the BROWSING ACL.

True

To create a named extended ACL, the command used is 'Router(config)# access-list extended name'.

False

The sequence numbers assigned to an ACL ACE are static and must be manually specified by the user.

False

The 'show ip interface' command can be used to verify the ACL applied to the interface.

True

The established keyword in an ACL can only be used for UDP protocol filtering.

False

An ACL can provide basic stateful firewall services using the TCP established keyword.

True

The no sequence_# command is used to add a new statement to an Extended ACL.

False

An Extended ACL named PERMIT-PC1 allows TCP access to FTP, SSH, Telnet, DNS, HTTP, and HTTPS for PC1.

True

The REPLY-PC1 ACL is designed to permit all traffic to PC1 without any conditions.

False

In the configuration, the PERMIT-PC1 ACL is applied outbound on the R1 G0/0/0 interface.

False

Only one Extended ACL can be applied to a single interface at a time.

False

The show access-lists command is used to verify changes made to the ACL configuration.

True

The term 'implicit deny' in the context of ACLs means all traffic is allowed unless specified otherwise.

False

Creating a named Extended ACL provides more flexibility than numeric ACLs.

True

The REPLY-PC1 ACL is used to block all traffic coming to PC1.

False

TCP access for PC1 is denied by default unless explicitly permitted by an ACL.

True

Study Notes

Modifying IPv4 ACLs

  • Two methods for modifying Access Control Lists (ACLs) include using a text editor or sequence numbers.
  • Complexity arises with multiple Access Control Entries (ACEs), making changes difficult if the expected behavior is not achieved.

Text Editor Method

  • Create ACLs in a text editor to facilitate planning and revisions.
  • The process involves copying the ACL from the device, editing it, deleting the existing ACL, and pasting the corrected version back into the router.

Sequence Number Method

  • Edit ACEs using sequence numbers; a statement must be deleted before it can be replaced.
  • Use the command ip access-list standard to make edits, and apply no <sequence_number> to remove a statement.

Configuring Extended IPv4 ACLs

  • Extended ACLs allow more granular control over network traffic, with an example being ACL 120, which permits specific returning web traffic within established TCP connections.
  • Return traffic is identified by ACK or reset (RST) flags, indicating an ongoing connection.

Named Extended IPv4 ACLs

  • Naming ACLs increases clarity about their function; created using ip access-list extended.
  • An example demonstrates two named ACLs:
    • SURFING: Permits HTTP/HTTPS traffic from internal users.
    • BROWSING: Allows returning web traffic while denying all other outbound traffic.

Application of Named Extended ACLs

  • ACLs are applied to interfaces, with SURFING configured inbound and BROWSING outbound on the R1 G0/0/0 interface.
  • Use show access-lists to verify the counts of permitted traffic.

Editing Extended ACLs

  • Extended ACLs may be efficiently edited using a text editor for multiple changes; sequence numbers are used for single or minor edits.
  • To correct errors, the original ACE is deleted with no <sequence_number> and a revised statement is added.

Additional Named Extended ACL Example

  • PERMIT-PC1: Allows only specific TCP access (FTP, SSH, Telnet, DNS, HTTP, HTTPS) for a designated PC (192.168.10.10) while denying others.
  • REPLY-PC1: Permits only specified returning traffic to PC1.

Key Commands and Concepts

  • Configuration commands for ACL creation include access-list for numbered ACLs and ip access-list for named ACLs.
  • ACLs can function with stateful firewall capabilities using the established keyword.
  • Diagnostic commands like show ip interface confirm ACL settings and their application direction.

New Terms and Commands

  • Numbered extended ACL, named extended ACL, access-control commands like show access-lists, and modular ACL management commands are crucial for effective network security.

Description

This quiz explores two methods for modifying IPv4 Access Control Lists (ACLs) after they have been configured. Test your knowledge on the processes and best practices involved in managing network security. Perfect for anyone looking to deepen their understanding of Cisco networking.
