Access list Questions
Here you will find answers to Access list Questions
What is the purpose of an explicit “deny any” statement at the end of an ACL?
A. none, since it is implicit
B. to enable Cisco IOS IPS to work properly; however, it is the deny all traffic entry that is actually required
C. to enable Cisco IOS Firewall to work properly; however, it is the deny all traffic entry that is actually required
D. to allow the log option to be used to log any matches
E. to prevent sync flood attacks
F. to prevent half-opened TCP connections
As we know, there is always an implicit “deny all” line at the end of each access-list that drops any traffic not matched by a “permit” line. You can enter your own explicit deny with the “log” keyword to see what is actually being blocked, like this:
Router(config)# access-list 1 permit 192.168.30.0 0.0.0.255
Router(config)# access-list 1 deny any log
Note: The log keyword can be used to provide additional detail about source and destinations for a given protocol. Although this keyword provides valuable insight into the details of ACL hits, excessive hits to an ACL entry that uses the log keyword increase CPU utilization. The performance impact associated with logging varies by platform. Also, using the log keyword disables Cisco Express Forwarding (CEF) switching for packets that match the access-list statement. Those packets are fast switched instead.
A request arrived on your MPLS-vpn-bgp group. Due to a security breach, your customer is experiencing DoS attacks coming from specific subnets (18.104.22.168/24, 22.214.171.124/24). You have checked all MPLS-EBGP routes being advertised to BHK from other VPN sites and found four subnets listed:
126.96.36.199/24, 188.8.131.52/24, 184.108.40.206/24, 220.127.116.11/24. You immediately apply an outbound ACL filter using the appropriate MPLS-EBGP tool:
access-list 1 deny 0.0.0.0 255.255.254.255
access-list 1 permit any
What happens when you apply this ACL on the MPLS-EBGP connection to BHK?
A. It blocks all routes.
B. It blocks the routes 18.104.22.168/24, 22.214.171.124/24 only.
C. It blocks the routes 126.96.36.199/24, 188.8.131.52/24 only.
D. It blocks the routes 184.108.40.206/24, 220.127.116.11/24 only.
E. Nothing happens, no routes are blocked.
Remember, for the wildcard mask, 1s are I DON’T CARE, and 0s are I CARE.
In the access-list we put 0.0.0.0 255.255.254.255; of course 255 means “1111 1111”. This means we don’t care about any of the bits in the first, second and fourth octets. In fact, the 0 in 0.0.0.0 is just the smallest number we can put there and it is easy to type, but we could use any number and it wouldn’t matter, since I DON’T CARE about those octets. Only the third octet counts, because its wildcard mask is not “255”.
Now let’s write the 0 in the third octet in binary form (easy, right?)
0 = 0000 0000
With the 254 in the wildcard mask, we only care about the last bit of the third octet because 254 is “1111 1110”. That means, if the third octet is in the form xxxx xxx0 then it will match my access-list (x can be 0 or 1 because I DON’T CARE).
Now let’s write the third octet of the 4 subnets above in binary form:
10 = 0000 1010
11 = 0000 1011
12 = 0000 1100
13 = 0000 1101
So only 10 and 12 end in a 0 bit and satisfy my access-list -> I will only block the routes to 18.104.22.168/24, 22.214.171.124/24 -> B is correct.
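To make the wildcard-mask logic and the implicit deny from the first question concrete, here is a small added example (my own code, not from the original page) that evaluates an ordered standard ACL the way IOS does: compare only the bits where the wildcard is 0, take the first matching line, and fall through to the implicit deny when nothing matches. The sample prefixes are constructed (not the page’s addresses); their third octets are 10, 11, 12 and 13, the values the explanation works through in binary.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Return True when addr matches base under a Cisco wildcard mask.

    A wildcard bit of 1 means "I DON'T CARE", 0 means "I CARE",
    so only the bits where the wildcard is 0 are compared.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # invert the wildcard to get the "I CARE" bits
    return (a & care) == (b & care)


def evaluate_acl(acl, addr: str) -> str:
    """Walk an ordered standard ACL and return the first matching action.

    acl is a list of (action, base, wildcard) tuples in the order the lines
    were entered. If no line matches, the implicit "deny any" at the end of
    every IOS access-list applies.
    """
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action
    return "deny"  # implicit deny


# The route-filter ACL from the question, as entered:
#   access-list 1 deny   0.0.0.0 255.255.254.255
#   access-list 1 permit any        ("any" is 0.0.0.0 255.255.255.255)
ROUTE_FILTER_ACL = [
    ("deny", "0.0.0.0", "255.255.254.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

# Constructed sample prefixes (not the page's addresses) whose third octets
# are 10, 11, 12 and 13, matching the binary walkthrough in the explanation.
SAMPLE_ROUTES = ["10.1.10.0", "10.1.11.0", "10.1.12.0", "10.1.13.0"]


def filter_routes(acl, routes):
    """Return {route: action} so you can see which prefixes get dropped."""
    return {r: evaluate_acl(acl, r) for r in routes}


def explain_third_octet(addr: str) -> str:
    """Show the third octet in binary; with mask 254 only the last bit decides."""
    third = int(addr.split(".")[2])
    return f"{third:08b}"


if __name__ == "__main__":
    for route, action in filter_routes(ROUTE_FILTER_ACL, SAMPLE_ROUTES).items():
        print(f"{route:12} third octet {explain_third_octet(route)} -> {action}")
    # The single-line ACL from the first question: anything outside
    # 192.168.30.0/24 falls through to the implicit deny.
    print(evaluate_acl([("permit", "192.168.30.0", "0.0.0.255")], "192.168.31.5"))
```

Running it shows the even third octets (10 and 12) hitting the deny line and the odd ones (11 and 13) falling through to permit any, which is exactly the binary argument above; the last call shows that a host outside the only permit line is dropped even though no deny was typed.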
Your company wants to install Cisco IOS Firewall to ensure network availability and the security of your company’s resources. Which three of the following statements about its configuration are correct? (Select three)
A. An IP inspection rule can be applied in the inbound direction on a secured interface
B. An IP inspection rule can be applied in the outbound direction on an unsecured interface
C. An ACL that is applied in the outbound direction on an unsecured interface must be an extended ACL
D. An ACL that is applied in the inbound direction on an unsecured interface must be an extended ACL
Answer: A B D
Which keyword do you need to add to the access-list so that the logging message includes details such as the source address and the source MAC address?
The log-input option enables logging of the ingress interface and source MAC address in addition to the packet’s source and destination IP addresses and ports. Below is an example of the “log-input” option.
*May 1 22:33:38.799: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1025) (Ethernet0/0 000e.9b5a.9839) -> 192.168.2.1(22), 1 packet
*May 1 22:39:15.075: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1025) (Ethernet0/0 000e.9b5a.9839) -> 192.168.2.1(22), 9 packets
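On the monitoring side, the extra “(interface MAC)” field is what makes log-input hits worth collecting: it ties a source IP to the ingress interface and the Layer 2 address that sent it. The following added example (my own code, not from the original page) parses %SEC-6-IPACCESSLOGP messages with a regular expression and aggregates hit counts per source IP, MAC and interface; the two log lines from the page are embedded as sample input.

```python
import re

# Pattern for the %SEC-6-IPACCESSLOGP message emitted by an ACL entry that
# carries the log-input keyword. The "(interface mac)" group is exactly what
# log-input adds over the plain log keyword.
LOGP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) "
    r"\((?P<ifname>\S+) (?P<src_mac>[0-9a-fA-F.]+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# The two log lines shown on the page, used here as sample input.
SAMPLE_LOG = """\
*May 1 22:33:38.799: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1025) (Ethernet0/0 000e.9b5a.9839) -> 192.168.2.1(22), 1 packet
*May 1 22:39:15.075: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1025) (Ethernet0/0 000e.9b5a.9839) -> 192.168.2.1(22), 9 packets
"""


def parse_ipaccesslogp(text: str):
    """Return one dict per log-input ACL hit message found in text.

    Lines that do not carry the interface/MAC group (plain "log" entries or
    unrelated syslog) are skipped rather than raising.
    """
    records = []
    for line in text.splitlines():
        m = LOGP_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "count"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def packets_by_source(records):
    """Aggregate packet counts per (source IP, source MAC, ingress interface).

    IOS reports each message's count for the interval since the previous
    message for that flow, so summing the counts gives the running total.
    """
    totals = {}
    for r in records:
        key = (r["src"], r["src_mac"], r["ifname"])
        totals[key] = totals.get(key, 0) + r["count"]
    return totals


if __name__ == "__main__":
    hits = parse_ipaccesslogp(SAMPLE_LOG)
    for key, total in packets_by_source(hits).items():
        src, mac, ifname = key
        print(f"{src} from {mac} on {ifname}: {total} packets")
```

With the page’s two lines this yields a single source, 192.168.1.3 behind 000e.9b5a.9839 on Ethernet0/0, with 10 packets in total; on a real feed the same aggregation lets you spot a spoofed source address (same IP, different MAC or interface) that a plain log entry would never reveal.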