by KJax50


Front Back
What do access control lists do?
They give engineers a way to identify different types of packets, or to filter packets.
ACLs can match packets using source/destination IP and port. T or F
What does QoS do?
It allows the router to give better service to certain packets, and not to others.

Example: voice packets have a higher priority than normal packets
ACL logic can only apply to packets coming IN the router. T or F

-It applies to incoming and outgoing packets
Access Control List
ACL Number Ranges
Standard: 1 - 99 / 1300 - 1999

Extended: 100 - 199 / 2000 - 2699

-There are also NAMED ACLs

Standard ACL
Matching happens only by source IP
Extended ACL
Matching can happen by:

-Source & Dest IP
-Source & Dest port
Explain 'first-match' logic
When a packet matches one line in an ACL, the router takes that line's action and stops looking further in the ACL.
What happens if a packet does not match any items in the ACL?
It will be discarded.

-All IP ACLs have a 'deny all' statement implied at the end
How do you make sure you're using the correct wildcard mask?
Whatever subnet mask you choose, subtract it from to get the wildcard mask

example: -

How do you override the default 'explicit deny any' at the end of all ACLs?
use 'permit any' at the end of an ACL
What's a reason you'd want to configure a 'deny any' command even though it's at the end of an ACL by default?
The explicit deny does not log any counters in the show command. A configured 'deny any' does.
Setting up an ACL steps
1. Plan the location (router/interface) and direction (in or out) on that interface

2. Configure one or more access-list global configuration commands to create the ACL

3. Enable the ACL on the chosen router interface, in the correct direction
   -ip access-group 'number' in|out
Standard ACLs should be placed near the destination of the packets so they do not get discarded unintentionally. T or F
This command enables an access list on the interface:
ip access-group 'number' in|out
This command is useful as it helps you note what an access list does:
access-list 'access-list-number' remark 'text'
Which show commands are ideal for troubleshooting ACL issues?
-show ip interface - includes access lists enabled on an interface.

-show access-lists - shows details about access lists

-show ip access-lists - shows IP access lists
This keyword can issue log messages with occasional statistics about matches of a particular line of an ACL.
If you wanted to find out the IP range of an access-list, how would you do it?
Take the starting ip address, then add the wildcard mask.

example +