Name _______________________________________________________ Date ________________
Module 4 - ACL Concepts
Enterprise Networking, Security, and Automation– Semester 3
Student Version
Module 4 Sections:
4.0 Introduction
4.1 Purpose of ACLs
4.2 Wildcard Masks in ACLs
4.3 Guidelines for ACL Creation
4.4 Types of IPv4 ACLs
4.5 Module Practice and Quiz
Required Materials:
Reading Organizer
Packet Tracer Activities:
None
Labs: None
Modules 3 – 5 Exam
CCNAv7: Enterprise Networking, Security, and Automation
Module 4
1
Emily Corcoran & Robb Jones
Frederick County Career & Tech Center, MD, USA
Points__________ / ____79___
Name__________________________________________________________ Date ________________
Module 4 - ACL Concepts
Reading Organizer
Student Version
Note: The Reading Organizer has weighted scoring. Any question with the word explain, define, or
describe in it is expected to have a longer answer and is worth two points each.
After completion of this module, you should be able to:
• Explain how ACLs filter traffic.
• Explain how ACLs use wildcard masks.
• Explain how to create ACLs.
• Compare standard and extended IPv4 ACLs.
4.1 Purpose of ACLs
1. Explain what an ACL does.
The router performs the task of evaluating all network packets as they pass through the interface to determine if the packet can be forwarded.
2. An ACL uses a sequential list of permit or deny statements. What are these statements called?
Access control entries
3. List the tasks performed by routers that require the use of ACLs to identify traffic.
a. Limit network traffic to increase network performance
b. Provide traffic flow control
c. Provide a basic level of security for network access
d. Filter traffic based on traffic type
e. Screen hosts to permit or deny access to network services
f. Provide priority to certain classes of network traffic
4. At what OSI model layers does packet filtering occur?
Controls access to a network by analyzing the incoming and/or outgoing packets and forwarding them or discarding them based on a given criteria.
5. Cisco routers support two types of ACLs. List and describe both.
a. Standard ACL - ACLs only filter at layer 3 using the source IPv4 address only.
b. Extended ACL - ACLs filter at layer 3 using the source and / or destination IPv4 address. They can also filter at layer 4 using TCP, UDP ports, and optional protocol type information for finer control.
6. ACLs can be configured to apply to inbound traffic and outbound traffic.
7. ACLs do not act on packets that originate from the router itself.
8. Why are inbound ACLs considered more efficient?
They save the overhead of routing lookups: if the packet is permitted by the ACL, it is then processed for routing. Inbound ACLs are best used to filter packets when the network attached to an inbound interface is the only source of packets that need to be examined.
9. Explain when it is best to use an outbound ACL.
Best used when the same filter will be applied to packets coming from multiple inbound interfaces before exiting the same outbound interface.
10. Describe the operational steps used when traffic has entered a router interface with an inbound standard IPv4 ACL configured.
1. The router extracts the source IPv4 address from the packet header.
2. The router starts at the top of the ACL and compares the source IPv4 address to each ACE in sequential order.
3. When a match is made, the router carries out the instruction, either permitting or denying the packet, and the remaining ACEs in the ACL, if any, are not analyzed.
4. If the source IPv4 address does not match any ACEs in the ACL, the packet is discarded because there is an implicit deny ACE automatically applied to all ACLs.
11. What is the last implicit ACE statement of every ACL?
The last ACE statement of an ACL is always an implicit deny that blocks all traffic. By default, this statement is automatically implied at the end of an ACL even though it is hidden and not displayed in the config.
12. Explain why an ACL must have at least one permit statement.
Otherwise all traffic will be denied due to the implicit deny ACE statement.
4.2 Wildcard Masks in ACLs
14. Describe the two rules wildcard masks use to match binary 1s and 0s.
a. Wildcard mask bit 0 –
Match the corresponding bit value in the address
b. Wildcard mask bit 1 –
Ignore the corresponding bit value in the address
15. List the three ways wildcard masks can be used to filter traffic.
a. Wildcard mask to match a host
b. Wildcard mask to match an IPv4 subnet
c. Wildcard mask to match an IPv4 address range
16. One shortcut method to calculate a wildcard mask is to subtract the subnet mask from 255.255.255.255. Using this shortcut, determine the wildcard mask for the following subnet masks.
a. 255.255.255.255 - 255.255.255.0 = 0.0.0.255
b. 255.255.255.255 - 255.255.240.0 = 0.0.15.255
c. 255.255.255.255 - 255.192.0.0 = 0.63.255.255
d. 255.255.255.255 - 255.255.0.0 = 255.255
e. 255.255.255.255 - 255.255.0.192 = 0.0.255.63
f. 255.255.255.255 - 255.224.0.0 = 0.31.255.255
g. 255.255.255.255 - 255.255.128.0 = 0.0.127.255
h. 255.255.255.255 - 255.255.255.252 = 0.0.0.3
i. 255.255.255.255 - 255.255.255.64 = 0.0.0.191
17. The Cisco IOS provides two keywords to identify the most common uses of wildcard masking. List and describe both.
a. host - This keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4 address bits must match to filter just one host address.
b. any - This keyword substitutes for the 255.255.255.255 mask. This mask says to ignore the entire IPv4 address or to accept any addresses.
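The wildcard-mask rules of questions 14 to 17 and the top-to-bottom matching with implicit deny described in questions 10 to 12 can be checked with a small model. The following Python is an added example, not part of the reading organizer or of Cisco IOS; the ACE syntax (`permit`/`deny` followed by `host`, `any`, or an address plus wildcard) is borrowed from IOS, the sample ACL and addresses are constructed for illustration, and the function names are the example's own.

```python
"""Added example (not part of the reading organizer): a small model of how a
standard IPv4 ACL is evaluated, using the wildcard-mask rules and the
255.255.255.255 subtraction shortcut. ACE syntax follows the Cisco IOS style."""
import ipaddress

ALL_ONES = 0xFFFFFFFF  # 255.255.255.255 as an integer


def ip_to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def int_to_ip(value):
    return str(ipaddress.IPv4Address(value))


def wildcard_from_mask(subnet_mask):
    """Shortcut from question 16: wildcard = 255.255.255.255 - subnet mask."""
    return int_to_ip(ALL_ONES - ip_to_int(subnet_mask))


def wildcard_match(address, ace_address, wildcard):
    """Question 14: a wildcard bit of 0 means the address bit must match,
    a wildcard bit of 1 means the address bit is ignored."""
    must_match = ~ip_to_int(wildcard) & ALL_ONES
    return (ip_to_int(address) & must_match) == (ip_to_int(ace_address) & must_match)


def parse_ace(line):
    """Accepts 'permit|deny host A', 'permit|deny any', or 'permit|deny A WILDCARD'.
    'host' stands for wildcard 0.0.0.0 and 'any' for 0.0.0.0 255.255.255.255 (question 17)."""
    parts = line.split()
    action = parts[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"ACE must start with permit or deny: {line!r}")
    if parts[1] == "host":
        return action, parts[2], "0.0.0.0"
    if parts[1] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    return action, parts[1], parts[2]


def evaluate_standard_acl(acl, source_ip):
    """Question 10: compare the source address against each ACE top to bottom;
    the first match decides and later ACEs are not examined. If nothing
    matches, the implicit 'deny any' at the end of every ACL discards the packet.
    Returns (action, matching ACE) or ('deny', None) for the implicit deny."""
    for line in acl:
        action, ace_address, wildcard = parse_ace(line)
        if wildcard_match(source_ip, ace_address, wildcard):
            return action, line
    return "deny", None  # implicit deny: no visible ACE matched


# Constructed sample ACL: order matters, the host deny must sit above the subnet permit
# or the subnet ACE would match that host first and permit it.
SAMPLE_ACL = [
    "deny host 192.168.10.10",
    "permit 192.168.10.0 0.0.0.255",    # one /24 subnet (question 15b)
    "permit 172.16.16.0 0.0.15.255",    # address range 172.16.16.0 - 172.16.31.255 (question 15c)
]

if __name__ == "__main__":
    for src in ("192.168.10.10", "192.168.10.20", "172.16.20.1", "172.16.40.1"):
        print(src, "->", evaluate_standard_acl(SAMPLE_ACL, src))
    print("255.255.240.0 ->", wildcard_from_mask("255.255.240.0"))
```

Running the script shows the first ACE winning for 192.168.10.10 even though the second ACE would also match it, and 172.16.40.1 being dropped by the implicit deny because no ACE covers it. An ACL with only deny statements returns `('deny', None)` for every source, which is the point of question 12.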
4.3 Guidelines for ACL Creation
18. There is a limit on the number of ACLs that can be applied on a router interface. List what a router interface can have.
a. One outbound IPv4 ACL
b. One inbound IPv4 ACL
c. One outbound IPv6 ACL
d. One inbound IPv6 ACL
19. ACLs do not have to be configured in both directions.
20. Basic planning is required before configuring an ACL. List the guidelines that form the basis of ACL best practices.
a. Base ACLs on the organizational security policies
b. Write out what you want the ACL to do
c. Use a text editor to create, edit, and save all your ACLs
d. Document the ACLs using the remark command
e. Test the ACLs on a development network before implementing them on a production network
4.4 Types of IPv4 ACLs
21. List and describe the two types of IPv4 ACLs.
a. Standard ACL - These permit or deny packets based on the source IPv4 address.
b. Extended ACL - These permit or deny packets based on the source IPv4 and destination IPv4 address, source and destination TCP or UDP ports, and more.
22. What are the numbers available for use on standard ACLs?
1 - 99
23. What are the numbers available for use on extended ACLs?
1300 - 1999
24. List the rules to follow for named ACLs.
a. Assign a name to identify the purpose of the ACL
b. Names contain alphanumeric characters
c. Names cannot contain spaces or punctuation
d. It is suggested that the name be written in capitals
e. Entries can be added or deleted within the ACL
25. Explain where and why extended ACLs should be located on the network.
Extended ACLs should be located as close as possible to the source of the traffic to be filtered. This way, undesirable traffic is denied close to the source network without crossing the network infrastructure.
26. Explain where and why standard ACLs should be located on the network.
Standard ACLs should be located as close to the destination as possible.
27. List the factors influencing ACL Placement.
a. Extent of organizational control
b. Bandwidth of the networks involved
c. Ease of configuration
28. Answer the following questions based on the graphic below.
a. Which router and interface is the best location to place a standard ACL to block PC1 from reaching PC4?
Router __________
Interface _______________
b. Which router and interface is the best location to place an extended ACL to block PC1 from reaching PC4?
Router __________
Interface _______________
c. Which router and interface is the best location to place a standard ACL to block the 192.168.31.0 network from reaching the 192.168.11.0 network?
Router __________
Interface _______________
d. Which router and interface is the best location to place an extended ACL to block the 192.168.31.0 network from reaching the 192.168.11.0 network?
Router __________
Interface _______________