Chapter 7 - Access Control Lists (ACLs) questions and answers
What is an ACL?
Access Control List - A series of IOS commands that control whether a router forwards or drops packets based on information found in the packet header.

What tasks are performed by an ACL when configured?
- Limit network traffic to increase network performance.
- Provide traffic flow control.
- Provide a basic level of security for network access.
- Filter traffic based on traffic type.
- Screen hosts to permit or deny access to network services.

True or False: A router does not have ACLs configured by default.
True. By default a router does not filter traffic.

What is an ACE?
Access Control Entry - a single permit or deny statement in an ACL. Also called an ACL statement.

At what OSI layer(s) does Standard ACL filtering occur?
Layer 3

At what OSI layer(s) does Extended ACL filtering occur?
Layer 3 & Layer 4

What type of IPv4 address is used to create ACL filtering criteria?
An IPv4 source address.

True or False: Starting at the top of the ACL, the router will continue to search for matching ACEs until all matches are found.
False. After a match is made, the remaining ACEs in the ACL, if any, are not analyzed.

True or False: The last statement of an ACL is always an implicit deny.
True. The statement is automatically inserted at the end of each ACL even though it is not physically present.

Operation of Inbound ACLs
Incoming packets are processed before they are routed to the outbound interface.

Operation of Outbound ACLs
Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.

Wildcard Mask
A string of 32 binary digits used by the router to determine which bits of the address to examine for a match.

Wildcard mask bit 0
Match the corresponding bit value in the address.

Wildcard mask bit 1
Ignore the corresponding bit value in the address.

True or False: IPv6 ACLs use 64-bit wildcard masks.
False. IPv6 ACLs do not use wildcard masks; instead, the prefix length is used.

To simplify working with wildcard masks, which two keywords can be used to replace 0.0.0.0 and 255.255.255.255 respectively?
- host - 0.0.0.0
- any - 255.255.255.255

Guidelines for using ACLs
- Firewall routers between the internal network and an external network, such as the internet.
- Routers between two parts of the internal network, to control entering/exiting traffic.
- Border routers on the network edge.
- Network protocols on border routers.

Rules for Applying ACLs
- One ACL per protocol
- One ACL per direction
- One ACL per interface

What is the benefit of basing your ACLs on the security policy of the organization?
Ensures you implement organizational security guidelines.

What is the benefit of preparing a description of what you want your ACLs to do?
Helps you avoid inadvertently creating potential access problems.

What is the benefit of using a text editor to create, edit, and save ACLs?
Helps you create a library of reusable ACLs.

What is the benefit of testing your ACLs on a development network before implementing them on a production network?
Helps you avoid costly errors.

What are the basic rules for ACL placement?
- Standard - As close to the destination as possible.
- Extended - As close to the source as possible.

Other considerations for ACL placement
- Network admin's control
- Network bandwidth
- Ease of configuration

Command syntax to create a numbered ACL
access-list access-list-number {deny | permit | remark} source [source-wildcard] [log]

Command to bind an ACL to an interface
ip access-group {access-list-number | access-list-name} {in | out}

Command to remove an ACL from an interface
no ip access-group

Command syntax to create a named ACL
ip access-list {standard | extended} name

Command to add an entry to a named ACL
{permit | deny | remark} source [source-wildcard] [log]

Command to delete an individual statement in a named ACL
In named ACL configuration mode: no sequence-number

Command to view ACLs
show access-lists

Command to reset ACL counters
clear access-list counters

What is the use of the access-class command?
Configured in line configuration mode, access-class restricts incoming and outgoing connections between a particular VTY and the addresses in an access list.

Command syntax for access-class
access-class access-list-number {in [vrf-also] | out}

What two things should be considered when configuring ACLs on VTYs?
- Both named and numbered access lists can be applied to VTYs.
- Identical restrictions should be set on all the VTYs, because a user can attempt to connect to any of them.

True or False: A single-entry ACL with only one deny entry is an effective way to restrict access to only one user.
False. A single-entry ACL with only one deny entry has the effect of denying all traffic. At least one permit ACE must be configured in an ACL or all traffic is blocked.
Document information
- Uploaded on: February 21, 2023
- Number of pages: 4
- Written in: 2022/2023
- Type: Exam (elaborations)
- Contains: Questions & answers