Chapter 09 - Reading Organizer

After completion of this chapter, you should be able to:
Explain how ACLs are used to filter traffic.
Compare standard and extended IPv4 ACLs.
Explain how ACLs use wildcard masks.
Explain the guidelines for creating ACLs.
Explain the guidelines for placement of ACLs.
Configure standard IPv4 ACLs to filter traffic according to networking requirements.
Modify a standard IPv4 ACL using sequence numbers.
Configure a standard ACL to secure vty access.
Explain the structure of an extended access control entry (ACE).
Configure extended IPv4 ACLs to filter traffic according to networking requirements.
Configure an ACL to limit debug output.
Explain how a router processes packets when an ACL is applied.
Troubleshoot common ACL errors using CLI commands.
Compare IPv4 and IPv6 ACL creation.
Configure IPv6 ACLs to filter traffic according to networking requirements.
9.0 Introduction
1. According to the curriculum what is a firewall?
Firewalls are hardware or software solutions that enforce network security policies.
2. According to the curriculum what is an ACL?
An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer
protocols.
9.1 IP ACL Operation
3. Explain what tasks ACLs perform when configured.
a. Limit network traffic to increase network performance. For example, if corporate policy does
not allow video traffic on the network, ACLs that block video traffic could be configured and
applied. This would greatly reduce the network load and increase network performance.
b. Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are
not required because of network conditions, bandwidth is preserved.
c. Provide a basic level of security for network access. ACLs can allow one host to access a part
of the network and prevent another host from accessing the same area. For example, access to
the Human Resources network can be restricted to authorized users.
d. Filter traffic based on traffic type. For example, an ACL can permit email traffic, but block all
Telnet traffic.
e. Screen hosts to permit or deny access to network services. ACLs can permit or deny a user to
access file types, such as FTP or HTTP.
4. Explain how packet filtering, sometimes called static packet filtering, controls access to a network.
By analyzing the incoming and outgoing packets and passing or dropping them based on given
criteria, such as the source IP address, destination IP address, and the protocol carried within
the packet.
5. What are ACEs?
An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs).
6. What information is extracted from the Layer 3 packet header by an ACL to evaluate network traffic?
a. Source IP address
b. Destination IP address
c. ICMP message type
7. What information can an ACL extract from the Layer 4 header?
a. TCP/UDP source port
b. TCP/UDP destination port
8. ACLs are configured to apply to inbound traffic or to apply to outbound traffic. Explain both in
detail.
a. Inbound ACLs –
Incoming packets are processed before they are routed to the outbound interface. An inbound
ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the
packet is permitted by the tests, it is then processed for routing. Inbound ACLs are best used to
filter packets when the network attached to an inbound interface is the only source of the
packets needed to be examined.
b. Outbound ACLs –
Incoming packets are routed to the outbound interface, and then they are processed through
the outbound ACL. Outbound ACLs are best used when the same filter will be applied to
packets coming from multiple inbound interfaces before exiting the same outbound interface.
9. What is the last statement in every ACL?
Implicit deny
10. What happens if an ACL does not have at least one permit statement?
All traffic will be blocked.
11. What are the two types of Cisco IPv4 ACLs?
a. standard
b. extended
12. What do standard ACLs permit or deny?
Standard ACLs can be used to permit or deny traffic only from source IPv4 addresses.
13. List the attributes that extended ACLs filter IPv4 packets on.
a. Protocol type
b. Source IPv4 address
c. Destination IPv4 address
d. Source TCP or UDP ports
e. Destination TCP or UDP ports
f. Optional protocol type information for finer control
14. Standard and extended ACLs can be created using either a number or a name to identify the ACL
and its list of statements.
25. What are the two number ranges that can be assigned to standard ACLs?
a. 1 to 99
b. 1300 to 1999
26. What are the two number ranges that can be assigned to extended ACLs?
a. 100 to 199
b. 2000 to 2699
27. What are the requirements to use a name to identify an ACL?
a. Names can contain alphanumeric characters.
b. It is suggested that the name be written in CAPITAL LETTERS.
c. Names cannot contain spaces or punctuation.
d. Entries can be added or deleted within the ACL.
28. Explain what a wildcard mask is.
A wildcard mask is a string of 32 binary digits used by the router to determine which bits of the
address to examine for a match.
29. IPv6 ACLs do not use wildcard masks. Explain what IPv6 uses instead.
The prefix-length is used to indicate how much of an IPv6 source or destination address should
be matched.
30. Wildcard masks and subnet masks differ in the way they match binary 1s and 0s. What rules do
wildcard masks use to match binary 1s and 0s?
a. Wildcard mask bit 0 - Match the corresponding bit value in the address.
b. Wildcard mask bit 1 - Ignore the corresponding bit value in the address.
31. What are wildcard masks often referred to as?
An inverse mask.
32. What does a 0.0.0.0 wildcard mask stipulate in an ACL?
That every bit in the address must match exactly.
33. What does a 255.255.255.255 wildcard mask stipulate in an ACL?
That any address will match.
34. What does a 0.0.0.255 wildcard mask stipulate in an ACL?
That any value in the fourth octet will match.
35. What is a shortcut method to determine which addresses will match the wildcard mask?
Subtract the subnet mask from 255.255.255.255
36. Explain what the two keywords below indicate in an ACL.
a. host - the wildcard will match only a single address
b. any - the wildcard will match any address
37. Write in the correct wildcard mask for each statement.
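The wildcard-mask rules in questions 28 through 36 are easiest to see in code. The following is an added example, not part of the Cisco curriculum this organizer summarizes: it computes a wildcard mask with the subtraction shortcut from question 35, applies the bit-0/bit-1 matching rule from question 30, and expands the host and any keywords. The addresses are constructed, and the last two checks go slightly beyond the text by using a non-contiguous wildcard (0.0.254.255) to show that the rule is purely per-bit.

```python
# Added example: wildcard-mask arithmetic and matching as described in
# questions 28 through 36. Illustration code, not part of the curriculum;
# every address below is constructed.
import ipaddress


def wildcard_from_subnet_mask(subnet_mask):
    """Shortcut from question 35: subtract the subnet mask from 255.255.255.255."""
    mask_int = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(0xFFFFFFFF - mask_int))


def wildcard_matches(address, reference, wildcard):
    """Wildcard bit 0: the address bit must equal the reference bit.
    Wildcard bit 1: the bit is ignored (question 30)."""
    addr = int(ipaddress.IPv4Address(address))
    ref = int(ipaddress.IPv4Address(reference))
    wc = int(ipaddress.IPv4Address(wildcard))
    # Clearing the ignored bits on both sides leaves only the bits that must agree.
    return (addr & ~wc) == (ref & ~wc)


def expand_keyword(keyword, address="0.0.0.0"):
    """The 'host' and 'any' keywords (question 36) are shorthand for a
    reference address plus a wildcard of 0.0.0.0 or 255.255.255.255."""
    if keyword == "any":
        return ("0.0.0.0", "255.255.255.255")
    if keyword == "host":
        return (address, "0.0.0.0")
    raise ValueError("unknown keyword: %r" % keyword)


def examined_bits(wildcard):
    """Number of the 32 address bits an ACE with this wildcard actually checks."""
    wc = int(ipaddress.IPv4Address(wildcard))
    return 32 - bin(wc).count("1")


if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.255.0"))                      # 0.0.0.255
    print(wildcard_matches("192.168.10.77", "192.168.10.0", "0.0.0.255"))  # True
    print(wildcard_matches("192.168.11.1", "192.168.10.0", "0.0.0.255"))   # False
    # Non-contiguous wildcard: 0.0.254.255 ignores every bit of the third
    # octet except the lowest, so only even-numbered /24s match.
    print(wildcard_matches("192.168.4.10", "192.168.0.0", "0.0.254.255"))  # True
    print(wildcard_matches("192.168.5.10", "192.168.0.0", "0.0.254.255"))  # False
```

The subtraction shortcut and the per-bit rule agree for contiguous masks; the non-contiguous case is where thinking in bits rather than in "octets that must match" pays off when reading an unfamiliar ACE.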
38. Explain the guidelines for using ACLs.
a. Use ACLs in firewall routers positioned between your internal network and an external
network such as the Internet.
b. Use ACLs on a router positioned between two parts of your network to control traffic
entering or exiting a specific part of your internal network.
c. Configure ACLs on border routers, that is, routers situated at the edges of your networks. This
provides a very basic buffer from the outside network, or between a less controlled area of
your own network and a more sensitive area of your network.
d. Configure ACLs for each network protocol configured on the border router interfaces.
39. List and explain the three Ps.
a. One ACL per protocol –
To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the
interface.
b. One ACL per direction –
ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be
created to control inbound and outbound traffic.
c. One ACL per interface –
ACLs control traffic for an interface, for example, GigabitEthernet 0/0.
40. Fill in the blanks:
a. An Access Control List (ACL) controls whether the router will permit or deny packet traffic
based on packet header criteria.
b. For outbound ACLs, incoming packets are processed after they are sent to the outbound
interface.
c. ACLs can filter traffic based on source/destination address, protocol, and port number.
d. ACLs are often used in routers between internal and external networks to provide a firewall.
e. For inbound ACLs, incoming packets are processed before they are sent to the outbound
interface.
f. ACLs can filter data traffic per protocol, per direction, and per interface.
g. A router with three interfaces and two network protocols (IPv4 and IPv6) can have as many
as twelve active ACLs.
h. For every ACL, there is an implied deny statement. If a packet does not match any of the ACL
criteria, it will be discarded.
41. Explain the basic rules for placing standard and extended ACLs.
a. Extended ACLs –
Locate extended ACLs as close as possible to the source of the traffic to be filtered. This way,
undesirable traffic is denied close to the source network without crossing the network
infrastructure.
b. Standard ACLs –
Because standard ACLs do not specify destination addresses, place them as close to the
destination as possible. Placing a standard ACL at the source of the traffic will effectively
prevent that traffic from reaching any other networks through the interface where the ACL is
applied.
42. The placement of the ACL and the type of ACL used may also depend on what two other factors?
a. The extent of the network administrator’s control
b. Bandwidth of the networks involved
43. Like a standard ACL, an extended ACL can filter traffic based on the source address. What else can
an extended ACL filter traffic based on?
a. destination address
b. protocol
c. port number
44. The basic rule for placing an extended ACL is to place it as close to the source as possible. Explain
why.
This prevents unwanted traffic from being sent across multiple networks only to be denied
when it reaches its destination.
9.2 Standard IPv4 ACLs
45. Standard ACLs can be numbered from 1 to 99, and 1300 to 1999. What is the second set of ACL
numbers referred to as?
Expanded IP ACLs
46. Explain what the remark keyword is used for.
The remark keyword is used for documentation and makes access lists a great deal easier to
understand.
47. How many characters can be used in an ACL remark?
Each remark is limited to 100 characters.
49. ACEs are processed sequentially. Therefore, the order in which ACEs are entered is important.
50. Explain the two commands that are required to completely remove an ACL from a router.
a. To remove an ACL from an interface, first enter the no ip access-group command on the
interface.
b. Then enter the global no access-list command to remove the entire ACL.
51. What is the advantage of naming an ACL?
Naming an ACL makes it easier to understand its function.
52. Capitalizing ACL names is not required, so why should you do it anyway?
It makes them stand out when viewing the running-config output.
53. Where can remark commands be placed in an ACL?
The remark can go before or after a permit or deny statement.
54. There are two ways that a standard numbered ACL can be edited. These are:
Method 1: Using a Text Editor
Method 2: Using the Sequence Number
55. Which command is used to verify the ACL on the interface?
show ip interface
56. Once the ACL has been applied to an interface and some testing has occurred, the show access-lists
command will show statistics for each statement that has been matched.
57. What command will clear the counters while testing an ACL?
clear access-list counters
58. The host statements are listed first but not necessarily in the order that they were entered. The IOS
puts host statements in an order using a special hashing function. What does the resulting order do?
Optimizes the search for a host ACL entry
59. Cisco recommends using SSH for administrative connections to routers and switches.
60. What does restricting VTY access do?
It is a technique that allows you to define which IP addresses are allowed Telnet access to the
router EXEC process.
61. What command, configured in line configuration mode, restricts incoming and outgoing
connections between a particular VTY and the addresses in an access list?
access-class
62. What are two recommended practices when configuring access lists on VTYs?
a. Only numbered access lists can be applied to VTYs.
b. Identical restrictions should be set on all the VTYs, because a user can attempt to connect to
any of them.
9.3 Extended IPv4 ACLs
63. List what extended ACLs can filter on.
a. Source address
b. Destination address
c. Protocol
d. Port Numbers
64. What does the established parameter in an ACL specify?
The established parameter allows only responses to traffic that originates from a specific
network to return to that network.
65. Do extended ACLs require port numbers, port names, or both?
Both
66. Why would a network administrator put a permit ip any any statement at the end of their ACL?
This permit statement is added to ensure that no other traffic is blocked.
67. Which command is used to verify the ACL on the interface and the direction in which it was
applied?
The show ip interface command
68. What two methods can be used to edit an extended ACL?
a. Text editor
b. Sequence numbers
9.4 Troubleshooting ACLs
69. Explain in detail the process or logic the packets follow for an inbound ACL.
If the information in a packet header and an ACL statement match, the rest of the statements in
the list are skipped, and the packet is permitted or denied as specified by the matched
statement. If a packet header does not match an ACL statement, the packet is tested against
the next statement in the list. This matching process continues until the end of the list is
reached.
70. What command is at the end of every ACL?
At the end of every ACL is an implicit deny any statement.
71. Explain in detail the process or logic the packets follow for an outbound ACL.
Before a packet is forwarded to an outbound interface, the router checks the routing table to
see if the packet is routable. If the packet is not routable, it is dropped and is not tested against
the ACEs. Next, the router checks to see whether the outbound interface is grouped to an ACL.
If the outbound interface is not grouped to an ACL, the packet can be sent to the output buffer.
72. Explain what happens if there is an ACL applied to an outbound interface on a router.
If the outbound interface is grouped to an outbound ACL, the packet is not sent out on the
outbound interface until it is tested by the combination of ACEs that are associated with that
interface. Based on the ACL tests, the packet is permitted or denied.
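Questions 69 through 72 describe two orderings of the same checks: an inbound ACL is tested before the routing lookup, an outbound ACL only after the packet has been found routable. The following is an added example, not code from the curriculum, that models both paths for a standard numbered ACL. It parses ACEs written in IOS syntax, applies first-match evaluation with the implicit deny (questions 9, 10 and 49), keeps per-ACE hit counters like those reported by show access-lists (question 56), and uses a constructed routing table with the interface names G0/0 and G0/1 as assumptions.

```python
# Added example, not part of the curriculum: a small model of how a router
# walks a standard numbered IPv4 ACL on the inbound and outbound paths,
# covering questions 9, 10, 49, 56 and 69 through 72. The routing table and
# all addresses are constructed.
import ipaddress


def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_ace(line):
    """Turn 'access-list <n> permit|deny <source> [wildcard]' into an
    (action, reference, wildcard) tuple of integers; remark lines return None."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not a numbered ACE: %r" % line)
    action = tokens[2]
    if action == "remark":
        return None
    source = tokens[3]
    if source == "any":
        return (action, 0, 0xFFFFFFFF)
    if source == "host":
        return (action, _ip(tokens[4]), 0)
    wildcard = _ip(tokens[4]) if len(tokens) > 4 else 0  # no wildcard means one host
    return (action, _ip(source), wildcard)


class StandardAcl:
    """Sequential first-match list with an implicit deny and per-ACE hit counters."""

    def __init__(self, lines):
        self.aces = [ace for ace in map(parse_standard_ace, lines) if ace is not None]
        self.hits = [0] * len(self.aces)

    def evaluate(self, src):
        src_int = _ip(src)
        for index, (action, ref, wc) in enumerate(self.aces):
            if (src_int & ~wc) == (ref & ~wc):  # first match wins; later ACEs are skipped
                self.hits[index] += 1
                return action
        return "deny"  # implicit deny any: reached only when no configured ACE matched


ROUTES = {  # constructed routing table: destination prefix -> outbound interface
    "192.168.10.0/24": "G0/0",
    "192.168.30.0/24": "G0/1",
}


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match; None means the packet is not routable."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else best[1]


def process_inbound(acl, packet, routes=ROUTES):
    """Inbound ACL: the ACEs are tested first, so a denied packet never costs a route lookup."""
    if acl.evaluate(packet["src"]) == "deny":
        return "dropped by ACL"
    iface = route_lookup(packet["dst"], routes)
    return ("routed to " + iface) if iface else "dropped: not routable"


def process_outbound(acl, packet, routes=ROUTES):
    """Outbound ACL: routability is checked first; an unroutable packet is dropped
    before any ACE is tested, a routable one is tested before it leaves."""
    iface = route_lookup(packet["dst"], routes)
    if iface is None:
        return "dropped: not routable"
    if acl is not None and acl.evaluate(packet["src"]) == "deny":
        return "dropped by ACL"
    return "sent to output buffer of " + iface


if __name__ == "__main__":
    acl = StandardAcl([
        "access-list 10 remark Block PC1, permit the rest of the LAN",
        "access-list 10 deny host 192.168.10.10",
        "access-list 10 permit 192.168.10.0 0.0.0.255",
    ])
    print(process_outbound(acl, {"src": "192.168.10.10", "dst": "192.168.30.5"}))  # dropped by ACL
    print(process_outbound(acl, {"src": "192.168.10.11", "dst": "192.168.30.5"}))  # sent to output buffer of G0/1
    print(process_outbound(acl, {"src": "192.168.10.11", "dst": "10.9.9.9"}))      # dropped: not routable
    print(acl.hits)  # [1, 1]: the unroutable packet never reached the ACEs
```

Swapping the two ACEs in the usage section lets the network permit match PC1 first, which is the ordering mistake question 49 warns about; the hit counters then show where the packet stopped, which is the first thing to read when an ACL behaves unexpectedly.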
73. Check your understanding of how routers process inbound ACLs. Write in each ACL process to its
correct place in the flowchart.
74. Check your understanding of how routers process outbound ACLs. Write in each ACL process to its
correct place in the flowchart.
9.5 IPv6 ACL Creation
75. List the types of IPv4 ACLs.
a. Standard
o Numbered
o Named
b. Extended
o Numbered
o Named
List the types of IPv6 ACLs.
a. Named Only
76. Can an IPv4 ACL have the same name as an IPv6 ACL?
No
77. What is the command used to apply an IPv6 ACL to an interface?
ipv6 traffic-filter
78. IPv6 ACLs do not use wildcard masks. What is used to indicate how much of an IPv6 source or
destination address should be matched?
Prefix-length
79. What are the three implicit statements at the end of every IPv6 ACL?
a. permit icmp any any nd-na
b. permit icmp any any nd-ns
c. deny ipv6 any any
80. What is the purpose of the two implicit permit statements?
These two statements allow the router to participate in the IPv6 equivalent of ARP for IPv4.
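The following is an added example, not code from the curriculum, that models IPv6 ACL evaluation as questions 78 through 80 describe it: ACEs match on prefix length rather than a wildcard mask, and the three implicit statements are appended after the configured entries in the order given in question 79. The ACE tuples, addresses and the ICMPv6 type labels nd-ns and nd-na are constructed for the example. Because evaluation is sequential, it also shows the practical consequence of the implicit tail: an explicit deny ipv6 any any written by an administrator sits before the two implicit permits and blocks Neighbor Discovery, which is not what an implicit deny alone does.

```python
# Added example, not part of the curriculum: IPv6 ACL evaluation with
# prefix-length matching (question 78) and the implicit tail (questions 79
# and 80). All ACEs and addresses are constructed.
import ipaddress

# The three implicit statements at the end of every IPv6 ACL, in order.
IMPLICIT_TAIL = [
    ("permit", "icmp", "::/0", "::/0", "nd-na"),
    ("permit", "icmp", "::/0", "::/0", "nd-ns"),
    ("deny", "ipv6", "::/0", "::/0", None),
]


def prefix_matches(address, prefix):
    """IPv6 ACEs compare the leading prefix-length bits instead of using a wildcard mask."""
    return ipaddress.IPv6Address(address) in ipaddress.IPv6Network(prefix, strict=False)


def ace_matches(ace, packet):
    """An ACE is (action, protocol, source prefix, destination prefix, icmp type or None).
    The protocol keyword 'ipv6' matches every protocol, like 'ip' does in IPv4."""
    _action, proto, src_prefix, dst_prefix, icmp_type = ace
    if proto != "ipv6" and proto != packet["proto"]:
        return False
    if icmp_type is not None and packet.get("icmp_type") != icmp_type:
        return False
    return prefix_matches(packet["src"], src_prefix) and prefix_matches(packet["dst"], dst_prefix)


class Ipv6Acl:
    """Sequential first-match evaluation over the configured ACEs plus the implicit tail."""

    def __init__(self, aces):
        self.aces = list(aces)

    def evaluate(self, packet):
        for ace in self.aces + IMPLICIT_TAIL:
            if ace_matches(ace, packet):
                return ace[0]
        raise RuntimeError("unreachable: deny ipv6 any any matches every packet")


def neighbor_discovery_allowed(acl):
    """Does Neighbor Discovery (the IPv6 equivalent of ARP) still pass this ACL?"""
    ns = {"proto": "icmp", "src": "fe80::1", "dst": "ff02::1:ff00:2", "icmp_type": "nd-ns"}
    na = {"proto": "icmp", "src": "fe80::2", "dst": "fe80::1", "icmp_type": "nd-na"}
    return acl.evaluate(ns) == "permit" and acl.evaluate(na) == "permit"


if __name__ == "__main__":
    acl = Ipv6Acl([
        ("deny", "ipv6", "2001:db8:cafe:30::/64", "::/0", None),
        ("permit", "ipv6", "::/0", "::/0", None),
    ])
    print(acl.evaluate({"proto": "tcp", "src": "2001:db8:cafe:30::12", "dst": "2001:db8:cafe:10::1"}))  # deny
    print(acl.evaluate({"proto": "tcp", "src": "2001:db8:cafe:31::12", "dst": "2001:db8:cafe:10::1"}))  # permit
    print(neighbor_discovery_allowed(Ipv6Acl([])))  # True: only the implicit tail applies
    # An explicit deny ipv6 any any precedes the implicit tail and shadows the two ND permits.
    print(neighbor_discovery_allowed(Ipv6Acl([("deny", "ipv6", "::/0", "::/0", None)])))  # False
```

The /64 in the first ACE plays the role the 0.0.255.255-style wildcard plays in IPv4: 2001:db8:cafe:30::12 matches, 2001:db8:cafe:31::12 does not, and nothing in the ACE syntax needs to spell out which bits are ignored.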
81. List and explain the three basic steps to configure an IPv6 ACL.
Step 1 –
From global configuration mode, use the ipv6 access-list name command to create an IPv6 ACL.
Like IPv4 named ACLs, IPv6 names are alphanumeric, case sensitive, and must be unique. Unlike
IPv4, there is no need for a standard or extended option.
Step 2 –
From the named ACL configuration mode, use the permit or deny statements to specify one or
more conditions to determine if a packet is forwarded or dropped.
Step 3 –
Return to privileged EXEC mode with the end command.
82. What command is used to link an IPv6 ACL to an interface?
ipv6 traffic-filter
83. Which command can be used to verify that an IPv6 ACL is configured on a specific interface and
show if it’s inbound or outbound?
show ipv6 interface
84. What information does the show access-lists command display?
All the access lists on the router including both IPv4 and IPv6 ACLs.
85. The output from the show running-config command includes all of the ACEs and remark
statements.