Name: ____    Date: ____

Chapter 8 Reading Organizer

After completion of this chapter, you should be able to:
- Describe traffic filtering and explain how Access Control Lists (ACLs) can filter traffic at router interfaces.
- Analyze the use of wildcard masks.
- Configure and implement ACLs.
- Create and apply ACLs to control specific types of traffic.
- Log ACL activity and integrate ACL best practices.

1. What is traffic filtering?

2. Packet filtering can be simple or complex, denying or permitting traffic based on what network elements?

3. How does traffic filtering improve network performance?

4. What devices are most commonly used to provide traffic filtering?

5. The primary use of Access Control Lists is to identify the ____ to ____ or ____.

6. ACLs identify traffic for multiple uses such as:

7. What are some potential problems that can result from using ACLs?

8. There are three types of ACLs:

9. a. The ____ ACL is the simplest of the three types. When creating a ____ IP ACL, the ACLs filter based on the ____ IP address of a packet. ____ ACLs permit or deny based on the ____, such as ____. So, if a host device is denied by a ____ ACL, all services from that host are denied. This type of ACL is useful for allowing all services from a specific user, or LAN, access through a router while denying other IP addresses access. ____ ACLs are identified by the number assigned to them. For access lists permitting or denying IP traffic, the identification number can range from ____ to ____ and from ____ to ____.

   b. ____ ACLs filter not only on the source IP address but also on the ____ IP address, ____, and ____ numbers. ____ ACLs are used more than Standard ACLs because they are more specific and provide greater control. The range of numbers for ____ ACLs is from ____ to ____ and from ____ to ____.

   c. ____ ACLs (NACLs) are either Standard or Extended format that are referenced by a descriptive ____ rather than a number. When configuring ____ ACLs, the router IOS uses a ____ subcommand mode.

10. What is always at the end of an ACL? What is the result of an ACL that does not have at least one permit statement? Explain:

11. After an ACL is created, what else must be done for it to become effective?

12. Explain how an ACL can be applied in either an inbound or outbound direction:

13. When a packet arrives at an interface, what parameters does a router check?

14.

15.

16. When creating an ACL, what two special parameters can be used in place of a wildcard mask?

17. To filter a single, specific host, use either the ____ wildcard mask after the IP address or the ____ prior to the IP address.

18. To filter all hosts, use the all 1s parameter by configuring a wildcard mask of ____. Another way to filter all hosts is to use the ____ parameter.

19. Explain the purpose and practice of using a permit any statement as the last statement in an ACL:
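The wildcard-mask questions above (14 through 18) are easier to answer once the arithmetic is visible. The following is an added worked example, not part of the reading organizer and not Cisco code: it derives a wildcard mask from a prefix length or subnet mask, applies the IOS comparison rule (a 0 bit in the wildcard must match, a 1 bit is ignored), expands the `host` and `any` shortcuts, and checks whether a wildcard is a plain contiguous block or one of the non-contiguous masks that match, for example, only even-numbered subnets. All addresses are constructed; the function names are this example's own.

```python
"""Wildcard-mask arithmetic for Cisco IOS ACLs (questions 14-18).

Added worked example; not part of the reading organizer and not Cisco code.
Only the Python standard library is used; all addresses are constructed.
"""
from ipaddress import IPv4Address, IPv4Network

ALL_ONES = 0xFFFFFFFF


def wildcard_from_prefix(prefix_len):
    """Wildcard for a /prefix_len block: the bitwise inverse of the subnet mask."""
    netmask = int(IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(IPv4Address(netmask ^ ALL_ONES))


def wildcard_from_subnet_mask(subnet_mask):
    """Same derivation from a dotted subnet mask, e.g. 255.255.240.0 -> 0.0.15.255."""
    return str(IPv4Address(int(IPv4Address(subnet_mask)) ^ ALL_ONES))


def matches(packet_ip, acl_ip, wildcard):
    """IOS comparison rule: wildcard 0 bits must match, wildcard 1 bits are ignored.

    Both sides are masked, so '10.1.1.77 0.0.0.255' behaves like '10.1.1.0 0.0.0.255'
    (IOS stores the normalized form in the configuration).
    """
    care = int(IPv4Address(wildcard)) ^ ALL_ONES
    return (int(IPv4Address(packet_ip)) & care) == (int(IPv4Address(acl_ip)) & care)


def expand_keyword(tokens):
    """Translate the two shortcuts from question 16 into an address/wildcard pair:
    ['host', A] -> (A, '0.0.0.0'); ['any'] -> ('0.0.0.0', '255.255.255.255')."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255"
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0"
    return tokens[0], tokens[1]           # already an explicit address + wildcard


def summarize_wildcard(wildcard):
    """How many addresses a wildcard covers and whether it is one contiguous block.

    A contiguous wildcard looks like 0...01...1 in binary and corresponds to a /prefix;
    anything else (e.g. 0.0.254.255, every even third octet) has no prefix equivalent.
    """
    w = int(IPv4Address(wildcard))
    contiguous = (w + 1) & w == 0
    return {"addresses": 2 ** bin(w).count("1"), "contiguous": contiguous}


if __name__ == "__main__":
    print(wildcard_from_prefix(24), wildcard_from_subnet_mask("255.255.240.0"))
    print(matches("192.168.4.9", "192.168.0.0", "0.0.254.255"),   # even subnet
          matches("192.168.5.9", "192.168.0.0", "0.0.254.255"))   # odd subnet
    print(summarize_wildcard("0.0.254.255"))
```

The `0.0.254.255` case is the one to remember: the wildcard is not a subnet mask in disguise, it is a per-bit "care/don't care" pattern, which is why a single ACL line can cover every even-numbered /24 under 192.168.0.0 while skipping the odd ones.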
20.

21. List the steps involved in planning the creation and placement of access control lists:

22. It is important to place standard ACLs as close to the ____ as possible. Explain:

23. Explain when to use an extended ACL:

24. Place an Extended ACL close to the ____ address. Explain why:

25. Place ACLs on routers in either the ____ or ____ Layer. Why?

26. Why is the inbound access control list more efficient for the router than an outbound access list?

27. List ACL processing and creation guidelines:

28. What are the two steps to configuring an access control list?

29. Why should you plan the ACL so that the more specific requirements appear before more general ones?

30. List and EXPLAIN ACL commands that evaluate the proper syntax, order of statements, and placement on interfaces:

31. Explain why it is often recommended to create ACLs in a text editor:

Lab 8.3.3: Configuring and Verifying Standard ACLs

32. What are some ways to minimize statements and reduce the processing load of the router?

Lab 8.3.4: Planning, Configuring and Verifying Extended ACLs
Packet Tracer 8.3.5: Configuring and Verifying Standard Named ACLs
Lab 8.3.5: Configuring and Verifying Extended Named ACLs

33. What is the reason for applying an ACL to a router's vty (telnet or ssh) ports?

34. What different command is used when applying the ACL to a VTY line instead of using the ip access-group command?

35. What guidelines should be followed when configuring access lists on VTY lines?

Lab 8.3.6: Configuring and Verifying VTY Restrictions
Packet Tracer 8.3.6: Planning, Configuring and Verifying Standard, Extended and Named ACLs

36. Extended ACLs filter on ____ and ____ IP addresses. It is often desirable to filter on even more specific packet details. OSI Layer 3, Layer 4 and ____ provide this capability.

37. Some of the protocols available to use for filtering include:

38. If neither the port number nor the name is known for an application, what are some steps for locating that information?

39. Explain how ACLs deal with applications that have multiple port numbers, such as FTP or email traffic:

Packet Tracer 8.4.1: Configuring and Verifying Extended ACLs to Filter on Port Numbers

40. Explain the purpose of the ACL statement: access-list 101 permit tcp any any established

41. Define Stateful Packet Inspection:

42. Explain the purpose of the keywords echo-reply and unreachable in an ACL:
43.

44. How may implementing NAT and PAT create a problem when planning ACLs?

Lab 8.4.3: Configuring an ACL with NAT

45. Administrators need to examine the ACL, one line at a time, and answer the following questions:

46. When evaluating an Extended ACL, it is important to remember these key points:

47.

48. When routing between VLANs in a network, it is sometimes necessary to control traffic from one VLAN to another using ACLs. What are the differences in the rules and guidelines for creation and application of ACLs on VLANs and on router subinterfaces as opposed to physical interfaces?

Lab 8.4.5: Configuring and Verifying ACLs to Filter Inter-VLAN Traffic
Packet Tracer 8.4.5: Configuring and Verifying Extended ACLs with a DMZ

49. How does the information gained from the show access-list command differ from adding the log parameter to the end of an individual ACL statement?

50. Why should you use logging for a short time only to complete testing of the ACL?

51. ACL logging generates an informational message that contains:

52. To turn off logging, use:

53. To turn off all debugging, use:

54. To turn off specific debugging, such as ip packet, use:

Lab 8.5.1: Configuring ACLs and Verifying with Console Logging

55. Why should you configure a router to send logging, or syslog messages, to an external server?
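Questions 49, 51 and 55 are about what the `log` keyword actually produces and why it belongs on a syslog server rather than the console. The following is an added worked example, not part of the reading organizer and not Cisco code: it parses the `%SEC-6-IPACCESSLOG*` informational messages (list number, permit or deny, protocol, source and destination with ports or ICMP type/code, and packet count) and summarizes them the way a syslog server or SIEM would, which is the step `show access-lists` counters alone cannot give you because they do not record who sent the packets. The `SAMPLE_LOGS` lines are constructed, modeled on the IOS message format rather than captured from a router, and the field names are this example's own.

```python
"""Parse and summarize the informational messages the IOS 'log' keyword produces.

Added worked example; not part of the reading organizer and not Cisco code.
SAMPLE_LOGS are constructed lines modeled on the IOS %SEC-6-IPACCESSLOG* format
(first matching packet, then periodic summaries with a packet count).
"""
import re
from collections import Counter

# A standard ACL (IPACCESSLOGS) logs only the source; an extended ACL logs protocol,
# destination and ports (IPACCESSLOGP, tcp/udp) or ICMP type/code (IPACCESSLOGDP).
LOG_RE = re.compile(
    r"%SEC-6-(?P<kind>IPACCESSLOG\w+): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?:(?P<proto>[a-z]+) )?(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? "
    r"(?:-> (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?(?: \((?P<icmp>\d+/\d+)\))?, )?"
    r"(?P<count>\d+) packets?"
)

SAMPLE_LOGS = [  # constructed, not captured from a real router
    "*Mar  1 00:12:34.567: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(51234) -> 10.0.0.10(23), 1 packet",
    "*Mar  1 00:17:34.901: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(51234) -> 10.0.0.10(23), 14 packets",
    "*Mar  1 00:18:02.113: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.5 -> 10.0.0.10 (8/0), 3 packets",
    "*Mar  1 00:18:40.555: %SEC-6-IPACCESSLOGS: list 1 denied 192.168.1.99 1 packet",
    "*Mar  1 00:19:01.002: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.7(40002) -> 10.0.0.10(80), 1 packet",
    "*Mar  1 00:19:05.000: %SYS-5-CONFIG_I: Configured from console by console",
]


def parse_acl_log(line):
    """Return the fields of one ACL log message, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def denied_packets_by_source(lines):
    """Sum the per-message packet counts of denies, keyed by source address.

    This is the question the ACL counters cannot answer: not just how many packets
    a deny statement caught, but which hosts were sending them.
    """
    totals = Counter()
    for rec in filter(None, map(parse_acl_log, lines)):
        if rec["action"] == "denied":
            totals[rec["src"]] += rec["count"]
    return dict(totals)


def hits_per_list(lines):
    """Logged packets per (list, action), comparable to 'show access-lists' match
    counters but reconstructed from the log so the per-host detail stays attached."""
    totals = Counter()
    for rec in filter(None, map(parse_acl_log, lines)):
        totals[(rec["acl"], rec["action"])] += rec["count"]
    return dict(totals)


if __name__ == "__main__":
    print(denied_packets_by_source(SAMPLE_LOGS))
    print(hits_per_list(SAMPLE_LOGS))
```

Two things the sample shows that matter in practice: the second message for 203.0.113.5 carries a count of 14, because IOS logs the first packet of a match and then only periodic summaries, so you cannot read one message per packet into these lines; and the `%SYS-5-CONFIG_I` line is ignored, which is why the parser is anchored on the message mnemonic rather than on position. Both are reasons to ship the messages to an external syslog server (question 55): the console drops them as they scroll and the router keeps no history.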