Takeaway: Access control lists (ACLs) are a fundamental part of working with routers. How much do you know about managing these vital gatekeepers? David Davis lists 10 things every administrator should know about working with Cisco IOS ACLs.
If you work with Cisco routers, you're more than likely familiar with Cisco IOS access control lists (ACLs). But that doesn't mean you know all there is to know about these important gatekeepers. Access lists are an integral part of working with routers, and they're vital to security.
Because ACLs are a fundamental part of router administration, I want to address 10 things you should know about working with these lists. If you're new to working with Cisco routers, this list offers a good foundation to get you started. But even if you've worked with Cisco routers for a while, it never hurts to review the basics—you might even learn something new.
So, without any further ado, here are 10 things you need to know about Cisco IOS access lists, beginning with the basic definition of an ACL.
What is an access control list?
In the Cisco IOS, an access control list is a record that identifies and manages traffic. After identifying that traffic, an administrator can specify various events that can happen to that traffic.
What's the most common type of ACL?
IP ACLs are the most popular type of access lists because IP is the most common type of traffic. There are two types of IP ACLs: standard and extended. Standard IP ACLs can only control traffic based on the SOURCE IP address. Extended IP ACLs are far more powerful; they can identify traffic based on source IP, source port, destination IP, and destination port.
What are the most common numbers for IP ACLs?
The most common numbers used for IP ACLs are 1 to 99 for standard lists and 100 to 199 for extended lists. However, many other ranges are also possible.
Standard IP ACLs: 1 to 99 and 1300 to 1999
Extended IP ACLs: 100 to 199 and 2000 to 2699
How can you filter traffic using ACLs?
You can use ACLs to filter traffic according to the "three P's"—per protocol, per interface, and per direction. You can only have one ACL per protocol (e.g., IP or IPX), one ACL per interface (e.g., FastEthernet0/0), and one ACL per direction (i.e., IN or OUT).
How can an ACL help protect my network from viruses?
You can use an ACL as a packet sniffer to list packets that meet a certain requirement. For example, if there's a virus on your network that's sending out traffic over IRC port 194, you could create an extended ACL (such as number 101) to identify that traffic. You could then use the debug ip packet 101 detail command on your Internet-facing router to list all of the source IP addresses that are sending packets on port 194.
What's the order of operations in an ACL?
Routers process ACLs from top to bottom. When the router evaluates traffic against the list, it starts at the beginning of the list and moves down, either permitting or denying traffic as it goes. When it has worked its way through the list, the processing stops.
That means whichever rule comes first takes precedence. If the first part of the ACL denies traffic, but a lower part of the ACL allows it, the router will still deny the traffic. Let's look at an example:
access-list 1 permit any
access-list 1 deny host 10.1.1.1
access-list 1 deny any

What does this ACL permit? The first line permits anything. Therefore, all traffic meets this requirement, so the router will permit all traffic, and processing will then stop.
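The top-to-bottom, first-match walk described here (and the implicit deny at the end of every list, which the next section covers), as an added Python example that is not from the article: it parses the standard ACLs above in the page's own syntax, evaluates a source address against them, and flags entries that an earlier line has already shadowed, which is how the leading "permit any" silences the denies beneath it. The sequence numbers 10, 20, 30 are assumed to follow the default increments IOS assigns to lines entered in order, and only contiguous wildcard masks are handled.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed copies of the two lists discussed in the article (standard IP ACL syntax).
ACL_PERMIT_FIRST = """
access-list 1 permit any
access-list 1 deny host 10.1.1.1
access-list 1 deny any
"""
ACL_DENY_ONLY = """
access-list 1 deny host 10.1.1.1
access-list 1 deny 192.168.1.0 0.0.0.255
"""

ENTRY_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+)$", re.IGNORECASE)


@dataclass
class Entry:
    seq: int                        # assumed: IOS numbers lines 10, 20, 30 ... when typed in order
    action: str                     # "permit" or "deny"
    source: ipaddress.IPv4Network   # the source addresses this entry matches


def _source_network(tokens):
    """Map 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (IOS wildcard mask) to a network."""
    if tokens == ["any"]:
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tokens[0] == "host" and len(tokens) == 2:
        return ipaddress.IPv4Network(f"{tokens[1]}/32")
    if len(tokens) == 2:
        # ipaddress reads a mask whose first octet is zero as a host (wildcard) mask.
        # Limitation of this example: only contiguous wildcards such as 0.0.0.255 parse.
        return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False)
    raise ValueError(f"unsupported source specification: {' '.join(tokens)}")


def parse_standard_acl(text):
    """Parse 'access-list N permit|deny <source>' lines into ordered entries."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError(f"not a standard ACL line: {line!r}")
        tokens = m.group(3).lower().split()
        entries.append(Entry((len(entries) + 1) * 10, m.group(2).lower(), _source_network(tokens)))
    return entries


def evaluate(entries, src_ip):
    """Walk the list top to bottom: the first matching entry decides and processing stops.
    A packet that matches nothing hits the implicit deny, reported with sequence None."""
    ip = ipaddress.IPv4Address(src_ip)
    for e in entries:
        if ip in e.source:
            return e.action, e.seq
    return "deny", None


def unreachable_entries(entries):
    """Return (seq, shadowing_seq) for entries that can never be reached because an
    earlier entry already covers every address they match, whatever its action."""
    dead = []
    for i, later in enumerate(entries):
        for earlier in entries[:i]:
            if earlier.source.supernet_of(later.source):
                dead.append((later.seq, earlier.seq))
                break
    return dead


if __name__ == "__main__":
    first = parse_standard_acl(ACL_PERMIT_FIRST)
    print("permit-first list, 10.1.1.1 ->", evaluate(first, "10.1.1.1"))
    print("unreachable entries:", unreachable_entries(first))
    denies = parse_standard_acl(ACL_DENY_ONLY)
    print("deny-only list, 172.16.0.1 ->", evaluate(denies, "172.16.0.1"))
```

Running unreachable_entries over a list before applying it is a cheap way to catch the ordering mistake the article warns about: a deny that sits below a broader permit will never fire.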
What about traffic you don't specifically address in an ACL?
At the end of an ACL is an implicit deny statement. Whether you see the statement or not, the router denies all traffic that doesn't meet a condition in the ACL. Here's an example:
access-list 1 deny host 10.1.1.1
access-list 1 deny 192.168.1.0 0.0.0.255

What traffic does this ACL permit? None: The router denies all traffic because of the implicit deny statement. In other words, the ACL really looks like this:

access-list 1 deny host 10.1.1.1
access-list 1 deny 192.168.1.0 0.0.0.255
access-list 1 deny any

Can I name an ACL?
Numbers—who needs numbers? You can also name your ACLs so you can more easily identify their purpose. You can name both standard and extended ACLs. Here's an example of using a named ACL:
router(config)# ip access-list ?
extended Extended Access List
log-update Control access list log updates
logging Control access list logging
resequence Resequence Access List
standard Standard Access List
router(config)# ip access-list extended test
router(config-ext-nacl)#
router(config-ext-nacl)# 10 deny ip any host 192.168.1.1
router(config-ext-nacl)# exit
router(config)# exit
router# show ip access-list
Extended IP access list test
    10 deny ip any host 192.168.1.1

What's a numbering sequence?
In the "old days," you couldn't edit an ACL in place. You could only copy it to a text editor (such as Notepad), remove it from the router, edit it in Notepad, and then re-create it. In fact, this is still a good way to edit some Cisco configurations.
However, this approach also creates a security risk: during the time the ACL is removed for editing, the router isn't controlling traffic as intended. Since then, IOS has made it possible to edit a numbered ACL line by line using sequence numbers. Here's an example:
router(config)# access-list 75 permit host 10.1.1.1
router(config)#^Z
router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)# ip access-list standard 75
router(config-std-nacl)# 20 permit any
router(config-std-nacl)# no 10 permit 10.1.1.1
router(config-std-nacl)#^Z
router# show ip access-lists 75
Standard IP access list 75
    20 permit any
router#

How else can I use an ACL?
ACLs aren't just for filtering traffic. You can also use them for a variety of operations. Let's look at some of their possible other uses:
To control debug output: You can use the debug list X command to control debug output. By using this command before another debug command, the command only applies to what you've defined in the list.
To control route access: You can use a routing distribute-list ACL to only permit or deny certain routes either into or out of your routing protocol.
As a BGP AS-path ACL: You can use regular expressions to permit or deny BGP routes.
For router management: You can apply an ACL to your VTY lines with an access-class statement to control which workstations or networks are allowed to manage your router.
For encryption: You can use ACLs to determine how to encrypt traffic. When encrypting traffic between two routers or a router and a firewall, you must tell the router what traffic to encrypt, what traffic to send unencrypted, and what traffic to drop.
To wrap up this review, I'll leave you with one last tip: Don't forget to use remark statements in your ACLs. They'll come in handy when you have to troubleshoot something later.
Cisco Certified Network Associate Exam, 640-802 CCNA All Answers ~100/100. Daily update
Friday, December 19, 2008
Cisco Network Magic Pro 5.0.8282
Cisco has introduced a suite of network management software named Network Magic 5.0. The tool supports tasks such as connecting computers and sharing content and printers, controlling how computers on the network access the Internet, repairing connections, and diagnosing performance problems. It runs in the background and alerts you each time a new device connects to your network.
The Network Magic 5.0 suite provides the capability to:
* Connect and share content or a printer across a network
* Manage, monitor and control how computers on the network access the Internet
* Diagnose and repair connection and performance problems
* Optimize performance and reliability
* Track network history and usage through reporting capabilities
* Manage active connections and get status updates
* Control user access and help secure the network from intruders
Features:
* Connect your devices together in minutes.
* Share Internet connections, printers and files.
* Protect your network with enhanced WPA security capabilities and status alerts.
* Repair your network and Internet connections to stay online and productive.
* Control access to the Internet and track online activity with remote desktop screenshots.
* And much more!
CCNA 1 Final Exam 640 - 802
This Test is 85% Correct
1. A PC can not connect to any remote websites, ping its default gateway, or ping a printer that is functioning properly on the local network segment. Which action will verify that the TCP/IP stack is functioning correctly on this PC?
--> Use the ping 127.0.0.1 command at the command prompt.
2. Refer to the exhibit. Which set of devices contains only intermediary devices?
--> A, B, D, G
3. Refer to the exhibit. When computer A sends a frame to computer D, what computers receive the frame?
--> only computer D
4. Which password is automatically encrypted when it is created?
--> enable secret
5. Which three statements characterize the transport layer protocols? (Choose three.)
--> TCP and UDP port numbers are used by application layer protocols.
--> TCP uses windowing and sequencing to provide reliable transfer of data.
--> TCP is a connection-oriented protocol. UDP is a connectionless protocol.
6. Which type of media is immune to EMI and RFI? (Choose two.)
--> 100 Base-FX
--> 1000 Base LX
7. Refer to the exhibit. A technician is working on a network problem that requires verification of the router LAN interface. What address should be pinged from this host to confirm that the router interface is operational?
--> 192.168.254.1
8. Refer to the exhibit. The diagram represents the process of sending email between clients.
Select the list below that correctly identifies the component or protocol used at each numbered stage of the diagram.
--> 1.MUA 2.SMTP 3.MTA 4.SMTP 5.MTA 6.MDA 7.POP 8.MUA
9. Refer to the exhibit. What function does router RT_A need to provide to allow Internet access for hosts in this network?
--> address translation
10. Refer to the exhibit. The network containing router B is experiencing problems. A network associate has isolated the issue in this network to router B. What action can be performed to correct the network issue?
--> issue the no shutdown command on interface FastEthernet 0/1
11. Which three IPv4 addresses represent a broadcast for a subnet? (Choose three.)
--> 172.16.4.63 /26
--> 172.16.4.191 /26
--> 172.16.4.95 /27
12. What are three characteristics of CSMA/CD? (Choose three.)
--> A device listens and waits until the media is not busy before transmitting.
--> All of the devices on a segment see data that passes on the network medium.
--> After detecting a collision, hosts can attempt to resume transmission after a random time delay has expired.
13. In a Cisco IOS device, where is the startup-configuration file stored?
--> NVRAM
14. A routing issue has occurred in your internetwork. Which of the following types of devices should be examined to isolate this error?
--> router
15. Which OSI layer protocol does IP rely on to determine whether packets have been lost and to request retransmission?
--> transport
16. Due to a security violation, the router passwords must be changed. What information can be learned from the following configuration entries? (Choose two.)
--> The entries specify four Telnet lines for remote access.
The entries set the console and Telnet password to "c13c0".
Telnet access will be denied because the Telnet configuration is incomplete.
--> Access will be permitted for Telnet using "c13c0" as the password.
17. Which prompt represents the appropriate mode used for the copy running-config startup-config command ?
--> Switch-6J#
18. Which combination of network id and subnet mask correctly identifies all IP addresses from 172.16.128.0 through 172.16.159.255?
--> 172.16.128.0 255.255.224.0
19. When must a router serial interface be configured with the clock rate command?
--> when the interface is functioning as a DCE device
20. When connectionless protocols are implemented at the lower layers of the OSI model, what are usually used to acknowledge the data receipt and request the retransmission of missing data?
--> upper-layer connection-oriented protocols
21. A technician is asked to secure the privileged EXEC mode of a switch by requiring a password. Which type of password would require this login and be considered the most secure?
--> enable secret
22. Refer to the exhibit. What is required on host A for a network technician to create the initial configuration on RouterA?
--> a terminal emulation program
23. Refer to the exhibit. A network administrator remotely accesses the CLI of RouterB from PC1. Which two statements are true about the application layer protocol that is used to make this connection? (Choose two.)
--> The connection type is called a VTY session.
--> The application name is the same for the service, protocol, and client.
24. The Layer 4 header contains which type of information to aid in the delivery of data?
--> service port number
25. Refer to the exhibit. What two facts can be determined about the exhibited topology? (Choose two.)
--> A single broadcast domain is present
--> Five collision domains exist.
26. Refer to the exhibit. A network technician is trying to determine the correct IP address configuration for Host A. What is a valid configuration for Host A?
--> IP address: 192.168.100.20; Subnet Mask: 255.255.255.240; Default Gateway: 192.168.100.17
27. Refer to the exhibit. Cable 1 and cable 2 have the ends wired for specific physical layer requirements. The table lists each segment by number and the cable which has been installed by the network technician between the network components on that segment. From the data given, which segments have the correct cable installed? (Choose three.)
--> segment1
--> segment3
--> segment4
28. What is true regarding network layer addressing? (Choose three.)
--> uses a flat structure
--> uniquely identifies each host
--> contains a network portion
29. Refer to the exhibit. A router, whose table is shown, receives a packet that is destined for 192.168.1.4. How will router treat the packet?
--> The packet will be forwarded to the destination host.
30. Refer to the exhibit. Which two statements describe the information that is represented in the header? (Choose two.)
--> The destination port indicates a Telnet session.
--> The return segment will contain a source port of 23.
31. Refer to the exhibit. What is the correct destination socket number for a web page request from Host A to the web server?
--> 198.133.219.25:80
http://www.cisco.com
32. During the encapsulation process, which identifiers are added at the transport layer?
--> two applications communicating the data
33. Refer to the exhibit. A student has wired each end of a CAT 5e cable as shown. What is the result? (Choose two.)
--> The cable is suitable for use as a Fast Ethernet crossover.
--> The cable is suitable for use between two 100 Mbps Auto-MDIX capable switches.
34. Refer to the exhibit. Assume all devices are using default configurations. How many subnets are required to address the topology that is shown?
--> 3
35. Refer to the exhibit. On the basis of the IP configuration that is shown, what is the reason that Host A and Host B are unable to communicate outside the local network?
--> The gateway address was assigned a broadcast address.
36. Refer to the exhibit. Each media link is labeled. What type of cable should be used to connect the different devices?
--> Connection 1 - straight-through cable , Connection 2 - crossover cable , Connection 3 - straight-through cable
37. Refer to the exhibit. What does the IP address 192.168.33.2 represent?
--> The host's primary domain name server.
38. Refer to the exhibit. What two facts can be determined from the information that is given? (Choose two.)
--> The destination port indicates that an HTTP session has been initiated.
--> The data listed is associated with the transport layer.
39. Which of the following are the address ranges of the private IP addresses? (Choose three.)
--> 10.0.0.0 to 10.255.255.255
--> 172.16.0.0 to 172.31.255.255
--> 192.168.0.0 to 192.168.255.255
40. Which two functions of the OSI model occur at layer two? (Choose two.)
--> physical addressing
--> media access control
41. Which range of port numbers are reserved for services that are commonly used by applications that run on servers?
--> 0 to 1023
42. As network administrator, what is the subnet mask that allows 510 hosts given the IP address 172.30.0.0?
--> 255.255.254.0
43. Refer to the exhibit. The tracert command is initiated from PC1 to the destination PC4. Which device will send a response to the initial packet from PC1?
--> Athens
44. Refer to the exhibit. Host A is transmitting data to host B. What addresses will host A use for the destination IP and MAC addresses in this communication?
--> Destination MAC: EEEE:EEEE:EEEE Destination IP: 172.22.0.75
45. Refer to the exhibit. Which logical topology best describes the exhibited network?
--> star
46. Examine the graphic with current configurations. Host A in the Clerical offices failed and was replaced. Although a ping to 127.0.0.1 was successful, the replacement computer can not access the company network. What is the likely cause of the problem?
--> subnet mask incorrectly entered
47. Refer to the exhibit. With the router running NAT, what IP addresses can be applied to the computer to allow access to the Internet? (Choose three.)
--> 192.168.18.49
--> 192.168.18.52
--> 192.168.18.59
48. Refer to the exhibit. What three statements are true about the IP configuration that is shown? (Choose three.)
--> The address that is assigned to the computer represents private addressing.
--> The computer is unable to communicate outside of the local network.
--> The prefix of the computer address is /27.
49. Refer to the exhibit. Host A attempts to establish a TCP/IP session with host C. During this attempt, a frame was captured with the source MAC address 0050.7320.D632 and the destination MAC address 0030.8517.44C4. The packet inside the captured frame has an IP source address 192.168.7.5, and the destination IP address is 192.168.219.24. At which point in the network was this packet captured?
--> leaving Dallas
50. Which of the following OSI layers offers reliable, connection-oriented data communication services?
--> transport