23 Cards in this Set

What are the six types of IP access lists that can be configured on a Cisco router?
The six types of IP access lists are standard, extended, named, dynamic, reflexive, and time-based.
What criteria do standard IP access lists use to filter packets?
Source Address
What criteria do extended IP access lists use to filter packets?
Source Address, Destination Address, protocols, and port numbers
What are dynamic access lists?
Dynamic access lists (lock-and-key) dynamically create access list entries on the router to allow a user that has authenticated to the router through Telnet to access resources that are blocked behind the router.
Dynamic access lists depend on the user authenticating to the router and on extended access lists. Considered lock-and-key, the configuration starts with an extended ACL that blocks traffic through the router. A user that wants to traverse through the router is blocked by the extended ACL until he authenticates to the router through Telnet with a username and password. After the user is authenticated, the Telnet connection is dropped, and a single-entry dynamic ACL entry is added to the extended ACL to permit the user to traverse through the router.
What are reflexive access lists?
Reflexive access lists allow IP packets to be filtered based on upper-layer session information. They allow outbound traffic and limit inbound traffic in response to sessions that originate from a network inside the router.
Reflexive ACLs contain only temporary entries that are created when a new IP session begins and are removed when the session ends. Reflexive ACLs are not applied directly to an interface, but are "nested" within an extended named IP ACL that is applied to an interface.
What are time-based access lists?
Time-based ACLs are similar to extended access lists, except they control access based on time.
How many access lists can be applied to an interface on a Cisco router?
Only one access list per protocol, per direction, per interface can be applied on a Cisco router.
What are the number ranges that define standard and extended IP access lists?
The number ranges that define standard and extended IP access lists are as follows:
- Standard IP access lists: 1 to 99 and 1300 to 1999 (expanded range)
- Extended IP access lists: 100 to 199 and 2000 to 2699 (expanded range)
When implementing access lists what are wildcard masks?
Wildcard masks define the subset of the 32 bits in the IP address that must be matched.
Wildcards are used with access lists to specify a host, network, or part of a network. In a wildcard mask, bits with a binary value of 0 must match the corresponding address bits; bits with a binary value of 1 are wildcards and can be anything. For example, if you have an IP address of 172.16.0.0 with a wildcard mask of 0.0.255.255, the first two octets of the IP address must match 172.16, but the last two octets can be in the range of 1 to 255.
What is the IOS command syntax that creates a standard IP access list?
access-list access-list-number {permit | deny} source-address [wildcard-mask]
After you create a standard or extended IP access list, how do you apply it to an interface on a Cisco router?
Use the ip access-group interface command, as follows:
ip access-group access-list-number {in | out}
What two things must you do to activate an access list?
1. Create an access list.
2. Apply the access list as part of a group on an interface.
Create a standard access list that permits the following networks:
192.168.200.0
192.168.216.0
192.168.232.0
192.168.248.0
access-list 10 permit 192.168.200.0 0.0.0.255
access-list 10 permit 192.168.216.0 0.0.0.255
access-list 10 permit 192.168.232.0 0.0.0.255
access-list 10 permit 192.168.248.0 0.0.0.255
A second way to do this is to create a single entry with wildcard masks, as follows:
access-list 10 permit 192.168.200.0 0.0.48.255
What is the Cisco IOS command syntax that creates an extended access list?
access-list access-list-number {permit | deny} protocol source-address
source-wildcard [operator port] destination-address destination-wildcard
[operator port]
Create an extended access list that denies web traffic to network 192.168.10.0.
access-list 101 deny tcp any 192.168.10.0 0.0.0.255 eq www
access-list 101 permit ip any any
Create a named access list that blocks pings from networks 172.16.0.0/22 to host 192.168.0.101.
ip access-list extended block-ping
deny icmp 172.16.0.0 0.0.3.255 host 192.168.0.101 echo
What does the following access list do?
access-list 110 deny ip host 172.16.0.2 any
access-list 110 permit ip any any
The access list denies any traffic from the host 172.16.0.2 and permits all other traffic.
Create an access list that permits only vty access from network 192.168.10.0 255.255.255.0 to connect to the Cisco router.
Create an extended ACL using entry sequence numbers that permits HTTP and FTP traffic from network 192.168.1.0 255.255.255.0 to network 172.16.0.0 255.255.0.0.
1 permit tcp 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255 eq http
10 permit tcp 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255 eq ftp
How do you create a dynamic access list on a Cisco router?
Step 1. Create a user authentication method on the router. This can either be local or remote using an authentication, authorization, and accounting (AAA) or RADIUS server.
Step 2. Define an extended ACL to permit vty access but block all other traffic.
Step 3. Create a dynamic ACL entry that is added to the extended ACL you created after the user is authenticated.
What IOS command can you use to see whether an IP access list is applied to an interface?
show ip interface interface-type interface-number
How can you display all access lists on a Cisco router?
RouterA#show access-list
As a network administrator, you want to block all Telnet traffic originating from your router's Fast Ethernet interface 0/0 that is connected to network 192.168.1.0/24 and permit all other IP traffic. You create the following access list and apply it to Fast Ethernet interface 0/0:
access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 23
After you apply the access list, hosts connected to the router's Fast Ethernet interface cannot communicate with remote networks. Why?
Hosts attached to network 192.168.1.0/24 cannot communicate with remote networks because the access list is denying all IP traffic. At the end of every access list is an implicit deny all statement, so access list 101 denies not only Telnet traffic but all other IP traffic as well. To resolve the problem, the access list needs to be configured as follows:
access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 23
access-list 101 permit ip any any