Which of the following options are used in standard access list?

CCNA 200-120 Questions: Security

Question 1 of 9 (2 points)

On which options are standard access lists based?

• destination address and wildcard mask
• destination address and subnet mask
• source address and subnet mask
• source address and wildcard mask

Question 2 of 9 (2 points)

A network engineer wants to allow a temporary entry for a remote user with a specific username and password so that the user can access the entire network over the Internet. Which ACL can be used?

• reflexive
• extended
• standard
• dynamic

Question 3 of 9 (2 points)

Which statement about access lists that are applied to an interface is true?

• You can configure one access list, per direction, per Layer 3 protocol
• You can apply multiple access lists with the same protocol in different directions
• You can apply only one access list on any interface
• You can apply as many access lists as you want on any interface

Question 4 of 9 (2 points)

Which item represents the standard IP ACL?

• access-list 50 deny 192.168.1.1 0.0.0.255
• access-list 110 permit ip any any
• access-list 2500 deny tcp any host 192.168.1.1 eq 22
• access-list 101 deny tcp any host 192.168.1.1

Question 5 of 9 (2 points)

A network administrator is configuring ACLs on a Cisco router, to allow IP access from the 192.168.146.0/24, 192.168.147.0/24, 192.168.148.0/24 and 192.168.149.0/24 networks only. Which two ACLs, when combined, should be used?

• access-list 10 permit ip 192.168.146.0 0.0.0.255
• access-list 10 permit ip 192.168.146.0 255.255.255.0
• access-list 10 permit ip 192.168.147.0 0.0.255.255
• access-list 10 permit ip 192.168.149.0 0.0.255.255.0
• access-list 10 permit ip 192.168.148.0 0.0.1.255
• access-list 10 permit ip 192.168.146.0 0.0.1.255

Question 6 of 9 (2 points)

What can be done to secure the virtual terminal interfaces on a router? (Choose two.)

• Administratively shut down the interface.
• Physically secure the interface.
• Create an access list and apply to the virtual terminal interfaces with the access-group command.
• Configure a virtual terminal password and login process.
• Enter an access list and apply it to the virtual terminal interfaces using the access-class command.

Question 7 of 9 (2 points)

Refer to the exhibit.
A network administrator cannot establish a Telnet session with the indicated router. What is the cause of this failure?

• A Level 5 password is not set.
• An ACL is blocking Telnet access.
• The vty password is missing.
• The console password is missing.

Question 8 of 9 (2 points)

Refer to the exhibit.
An attempt to deny web access to a subnet blocks all traffic from the subnet. Which interface command immediately removes the effect of ACL 102?

• no ip access-class 102 out
• no ip access-group 102 out
• no ip access-group 102 in
• no ip access-list 102 in
• no ip access-class 102 in

Question 9 of 9 (2 points)

Refer to the exhibit.
Statements A, B, C, and D of ACL 10 have been entered in the shown order and applied to interface E0 inbound, to prevent all hosts (except those whose addresses are the first and last IP of subnet 172.21.1.128/28) from accessing the network. But, as is, the ACL does not restrict anyone from the network. How can the ACL statements be re-arranged so that the system works as intended?

• CDBA
• ACDB
• BADC
• DBAC

Standard Access-List

Prerequisite – Access lists (ACL)
An access list (ACL) is a set of rules defined for controlling network traffic and reducing network attacks. ACLs filter traffic entering or leaving the network against that set of rules.

Standard Access-list –
These are access lists that match on the source IP address only. They permit or deny the entire protocol suite; they don't distinguish between types of IP traffic such as TCP, UDP or HTTPS. Using a number from 1-99 or 1300-1999 tells the router that the list is a standard ACL and that the specified address is the source IP address.

Features –

  1. A standard access list is generally applied close to the destination (but not always).
  2. In a standard access list, the whole network or sub-network is permitted or denied.
  3. A standard access list uses the number range 1-99 and the expanded range 1300-1999.
  4. A standard access list matches on the source IP address only.
  5. With a numbered standard access list, individual rules cannot be deleted: removing one rule deletes the whole access list.
  6. A named standard access list gives you the flexibility to delete a single rule from the list.

Note – Standard access lists are used less than extended access lists because they allow or deny the entire IP protocol suite for a source; they cannot distinguish between the different IP protocols.

Configuration –

Here is a small topology with three departments: sales, finance and marketing. The sales department has the network 172.16.40.0/24, the finance department 172.16.50.0/24 and the marketing department 172.16.60.0/24. We want to deny connections from the sales department to the finance department and allow the others to reach that network.

First, configure a numbered standard access list that denies any IP connection from the sales department to the finance department:

R1# config terminal
R1(config)# access-list 10 deny 172.16.40.0 0.0.0.255

Unlike an extended access list, you cannot specify the particular IP traffic to be permitted or denied. Note that a wildcard mask has been used (0.0.0.255, which corresponds to subnet mask 255.255.255.0), and that 10 is taken from the numbered standard access-list range.

R1(config)# access-list 10 permit any

As you already know, there is an implicit deny at the end of every access list: if the traffic doesn't match any of the rules in the list, it is dropped. Adding permit any to the same list means that traffic from any source address reaches the finance department, except traffic that matches the deny rule above it.

Now apply the access list to the router interface:

R1(config)# int fa0/1
R1(config-if)# ip access-group 10 out

Remember that a standard access list is generally applied close to the destination. Applying it outbound on fa0/1, close to the destination, satisfies our need here.

Named standard Access-list example –

Now, using the same topology, create a named standard access list.

R1(config)# ip access-list standard blockacl

This command creates an access list named blockacl and enters its configuration mode.

R1(config-std-nacl)# deny 172.16.40.0 0.0.0.255
R1(config-std-nacl)# permit any

Then apply it exactly as you did for the numbered access list:

R1(config)# int fa0/1
R1(config-if)# ip access-group blockacl out

Standard access-list for Telnet example –
You cannot specify a particular IP protocol in a standard access list, but Telnet sessions to a router can still be permitted or denied with a standard access list by applying it to the vty lines with the access-class command (access-class controls access to the router's own vty lines, not traffic through the router).

Here, in the given figure, you want to deny Telnet to the Finance department's router from any network. The access list denies every source and is applied inbound on the vty lines. Note that on a router where access list 10 from the earlier example still exists, the first line below would be appended to that list; use a fresh number in that case.

R1(config)# access-list 10 deny any
R1(config)# line vty 0 4
R1(config-line)# access-class 10 in


On which options are standard access lists based?

12/22/2016 – by 1

On which options are standard access lists based?
A. destination address and wildcard mask
B. destination address and subnet mask
C. source address and subnet mask
D. source address and wildcard mask

Answer: D
Explanation:
Standard ACLs only examine the source IP address/mask to determine if a match is made.
Extended ACLs examine the source and destination address, as well as port information.

Traffic Filtering in the Cisco Internetwork Operating System

Eric Knipp, ... Edgar Danielyan (Technical Editor), in Managing Cisco Network Security (Second Edition), 2002

Extended IP Access Lists

Although there are times when we only need to filter traffic based on the source address, more often than not we will need to match traffic with a higher level of detail. An option for more precise traffic-filtering control would be an extended IP access list. Here, both the source and destination address are checked. In addition, you also have the ability to specify the protocol and optional TCP or UDP port number to filter more precisely. In the following example, any field represented by {} is mandatory for the access list, while any field represented by [] is optional. The format of an extended IP access list is:

access-list access-list-number {permit | deny} protocol source
source-wildcard [operator source-port] destination destination-wildcard
[operator destination-port] [precedence precedence-number] [tos tos]
[established] [log | log-input]

Bold items represent keywords that are part of the access list syntax. Table 4.4 lists the configuration for an extended IP access list.

Table 4.4. Extended IP Access List Configuration

access-list list-number: Defines the number of the access list. The extended access list numbers range from 100 to 199.
permit: If conditions are met, traffic will be allowed.
deny: If conditions are met, traffic will be denied.
protocol: Defines the Internet protocol for filtering. Available options here are keywords such as TCP or UDP, or the number of the protocol as seen in the IP header.
source-address: Identifies the host or network from which the packet is being sent. The source can be specified by an IP address or by using the keyword any.
source wildcard-mask: Defines the number of wildcard bits assigned to the source address. The source wildcard-mask can be specified by an IP address or by using the keyword any.
operator source-port: Defines the name or number of a source TCP or UDP port. A list of operators is shown next.
destination-address: Identifies the host or network to which the packet is being sent. The destination can be specified by an IP address or by using the keyword any.
destination wildcard-mask: Defines the number of wildcard bits assigned to the destination address. The destination wildcard-mask can be specified by an IP address or by using the keyword any.
operator destination-port: Defines the name or number of a destination TCP or UDP port. A list of operators is shown next.
precedence precedence-number: Used for filtering by the precedence level name or number (0 through 7).
tos tos-number: Used for filtering by the Type of Service level specified by a name or number (0 through 15).
established: Allows established TCP sessions through the list.
log | log-input: Logs the event when a packet matches the access list statement. log-input shows the same information as the log keyword, except it also adds the interface name the packet was received on.

In the following access list, we get very specific about which host we want to access a particular network or host on a network. In the first three lines, we are permitting packets from individual hosts on subnet 172.16.130.0 to any host on network 10.0.0.0. In line 4, we are denying packets with a source address in subnet 172.16.130.0 to the destination host 192.168.10.118. Line 5 tells us that we are permitting all IP packets regardless of source or destination address. The implicit deny all at the end of the list will never be matched against a packet because the previous permit statement will match all packets. In Figure 4.3, we would apply this access list on the serial 0 interface in the outbound direction as follows:

Figure 4.3. An Example Network

Router(config)# interface serial 0
Router(config-if)# ip access-group 141 out

An example of an extended access list is as follows:

access-list 141 permit icmp host 172.16.130.88 10.0.0.0 0.255.255.255
access-list 141 permit tcp host 172.16.130.89 eq 734 10.0.0.0 0.255.255.255 range 10000 10010
access-list 141 permit udp host 172.16.130.90 10.0.0.0 0.255.255.255 eq tftp
access-list 141 deny ip 172.16.130.0 0.0.0.255 host 192.168.10.118
access-list 141 permit ip any any

Table 4.5 describes the extended access list commands.

Table 4.5. A Description of Access List Commands

Command: access-list 141 permit icmp host 172.16.130.88 10.0.0.0 0.255.255.255
Description: Allows host 172.16.130.88 to send ICMP messages to any host on network 10.0.0.0.

Command: access-list 141 permit tcp host 172.16.130.89 eq 734 10.0.0.0 0.255.255.255 range 10000 10010
Description: Allows host 172.16.130.89 to initiate TCP sessions from port 734 to any port between 10000 and 10010 on any host on network 10.0.0.0.

Command: access-list 141 permit udp host 172.16.130.90 10.0.0.0 0.255.255.255 eq tftp
Description: Allows host 172.16.130.90 to send files via TFTP (UDP port 69) to any host on network 10.0.0.0.

Command: access-list 141 deny ip 172.16.130.0 0.0.0.255 host 192.168.10.118
Description: Denies any host on network 172.16.130.0 access to host 192.168.10.118. Since we configured some permit statements from hosts within these previous two subnets, this entry will deny everything between these two networks that isn't explicitly permitted in the earlier listing.

Command: access-list 141 permit ip any any
Description: Allows all hosts from any network to any network, if it has not matched one of the preceding lists. Take a good look at the order of these commands to get a feel for the importance of the list order. Remember this is processed in a top-down manner, as shown in Figure 4.2.

Just as in our standard access list, the extended access list will require a hyphen between the words access and list. Next is the list number. Since we are referencing an extended IP access list, the numbers would range from 100 to 199. The access list number serves the same dual purpose here as we looked at earlier with the standard access list. The router must have a way to distinguish between access lists. The number performs this purpose along with tying the lines of an access list together and designates which access list the filter is part of. The number also tells the router the type of access list.

Designing & Planning…

Placement of Access Lists

Often you have a few options about how to apply your access lists and still achieve the same effect on the traffic flowing through the router. In the case of the previous example, access list 141 was applied outbound on the serial 0 interface. Because access list 141 was designed to only filter traffic originating from the 172.16.130.0 network, and not traffic from 172.17.0.0, this list could have been applied in the inbound direction on Ethernet 0. Both approaches will have the same effect on the traffic flowing through the router.

There is a minor difference between these two approaches, though. When the ACL is applied outbound on the Serial0 interface, the traffic enters the Ethernet0 interface and is processed against the routing table. The packet is then passed to the outbound interface, where it is checked against any outbound ACLs. If the outbound interface is Serial 0, it checks packets against access list 141 and will permit or deny the traffic based on the rules defined in that list.

When the ACL is applied inbound on the Ethernet0 interface, the traffic is permitted or denied before it is processed against the routing table. On a router under heavy traffic loads, this could make a considerable difference in the delay that is introduced because the router does not have to process packets that will be dropped by the outbound interface.

Although inbound filtering has the advantage with respect to route processing, that does not necessarily make it the better way to apply access lists. Under different circumstances, you may want to prevent access to an external subnet from both Ethernet interfaces. In this case, it may be easier to apply the access lists in the outbound direction of Serial0 because packets from both Ethernet interfaces will have to pass through Serial0 to get to the external subnet. In other words, you are applying the access list to the bottleneck in traffic. Otherwise, you will have to keep two separate access lists, one specific for Ethernet0 and the other specific for Ethernet1. If the router is under light traffic loads, it may be easier to maintain a single access list.

There is disagreement among network and security professionals about which approach is better, but neither approach should be considered better than the other in all cases. It is up to you to decide which is best for your situation.

Keywords permit or deny

A keyword permit or deny specifies to the router the action to be performed. For example, the keyword permit would allow the packet to exit or enter the interface, depending on whether you specify the filtering to be performed in or out. Again, this option provides the same function as in our standard access list. The last line of our extended access list example could have read as follows:

access-list 141 permit ip any any

Protocol

You have the option of filtering several different protocols using the extended access list. The protocol field in the IP header is an 8-bit number that defines what protocol is used inside the IP packet. TCP and UDP are only two of the possible protocols that can be filtered on, although they are most common. Other protocols, such as ICMP and EIGRP, have their own protocol numbers because they are not encapsulated inside TCP or UDP. If we use a question mark when defining an access list, we can see the protocol numbers that have been defined by name inside the router.

Router(config)# access-list 191 permit ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  igrp     Cisco's IGRP routing protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

Protocols not on the preceding list may also be filtered with extended access lists, but they must be referenced by their protocol number. A full list of assigned IP protocol numbers can be found at www.iana.org/assignments/protocol-numbers.

It is important to remember that the ip keyword in the protocol field matches all protocol numbers. You must use a systematic approach here when designing your access list. For example, if your first line in the access list permits IP for a specific address, and the second line denies UDP for the same address, the second statement would have no effect. The first line would permit IP, including all the upper layers carried in it. An option here may be to reverse the order of the statements. With the statements reversed, UDP would be denied from that address and all other protocols would be permitted.

Source Address and Wildcard-mask

The source address and source wildcard-mask perform the same function here as in a standard IP access list. So, in the preceding example we could have used the wildcard mask instead of the host and any keywords. The access list would then look as follows:

access-list 141 permit ip 172.16.130.88 0.0.0.0 10.0.0.0 0.255.255.255
access-list 141 permit ip 172.16.130.89 0.0.0.0 10.0.0.0 0.255.255.255
access-list 141 permit ip 172.16.130.90 0.0.0.0 10.0.0.0 0.255.255.255
access-list 141 permit ip 172.16.130.0 0.0.0.255 192.168.10.118 0.0.0.0
access-list 141 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

In the first three lines, we are permitting or allowing packets from individual hosts on subnet 172.16.130.0 to any host on network 10.0.0.0. In line 4, we are permitting packets with the source address that belongs to subnet 172.16.130.0 to the destination of host 192.168.10.118. Line 5 tells us that we are permitting all packets regardless of the source or destination address. Remember that standard IP access lists have a default mask of 0.0.0.0. This does not apply to extended access lists so we must specify one.

Destination Address and Wildcard-mask

The destination address and wildcard-mask have the same effect and structure as the source address and wildcard-mask. So, here the keywords host and any are also available. You can utilize these keywords to specify any destination address as well as a specific destination without using the wildcard mask. Remember that extended access lists try a match on both source and destination. A common mistake here is trying to build an extended access list with the idea of only filtering the source address, and forgetting to specify the destination address.

Source and Destination Port Number

Many times, we don't want to deny all access to a particular server. When you put a Web server out on the Internet, you want everyone to be able to access it on port 80 (WWW), but you don't want to allow access to any other ports, because it gives hackers the opportunity to exploit other services you may not be aware of (although you should know of them in the first place). Restricting access to this level of detail is another benefit of extended ACLs. We have the option of specifying a source and destination port number in the access list. Let's look at a simple example:

Router(config)# interface Serial 0
Router(config-if)# ip access-group 111 in
Router(config)# access-list 111 permit tcp any host 172.17.11.19 eq 25
Router(config)# access-list 111 permit tcp any host 172.17.11.19 eq 23

These commands are explained in Table 4.6.

Table 4.6. Router Commands

access-list 111 permit tcp any host 172.17.11.19 eq 25: Permits SMTP from anywhere to host 172.17.11.19.
access-list 111 permit tcp any host 172.17.11.19 eq 23: Permits Telnet from anywhere to host 172.17.11.19.
interface Serial 0: Enters interface submode.
ip access-group 111 in: Applies the access list inbound on the interface.

In line 1, we are permitting TCP packets from any source to the destination host 172.17.11.19 if the destination port is 25 (SMTP). In line 2, we are permitting TCP packets from any source to the destination host 172.17.11.19 if the destination port is 23 (Telnet). The implicit deny statement at the end of this access list will prevent all other traffic from making it into our network.

Let’s take a look at filtering with TCP and UDP. When using TCP, for example, the access list will examine the source and destination port numbers inside the TCP segment header. So, when using an extended access list, you have the capability to filter to and from a network address and also to and from a particular port number. You have several options when deciding which operator to use, such as:

eq - equal to
neq - not equal to
gt - greater than
lt - less than
range - specifies an inclusive range of ports (here, two port numbers are specified)
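The matching rules this page keeps returning to, as an added example that is not code from the quiz, the article or the book: a small Python evaluator for Cisco-style numbered ACL lines. It parses the article's standard list 10 and the chapter's lists 141 and 111, applies wildcard masks the way the router does (which also settles the quiz's 0.0.1.255 question), walks entries top-down to the implicit deny, handles the port operators just listed, and flags entries shadowed by an earlier permit ip line as the chapter warns. Assumptions: all ACL text and packet values are constructed for the demo, the port-name table covers only the names used on the page, and the precedence, tos, established and log options are ignored.

```python
"""Added example (not code from the page): a small evaluator for Cisco-style numbered
IP ACLs: wildcard matching, top-down first match with the implicit deny, port operators."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress
PORT_NAMES = {"tftp": 69, "www": 80, "smtp": 25, "telnet": 23}  # names used on the page
PORT_OPS = ("eq", "neq", "gt", "lt", "range")
ANY = ("0.0.0.0", "255.255.255.255")  # the 'any' keyword as (network, wildcard)

def _ip(s: str) -> int: return int(ipaddress.IPv4Address(s))
def _port(s: str) -> int: return PORT_NAMES.get(s) or int(s)

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'don't care'; only the 0 bits are compared."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return _ip(addr) & care == _ip(network) & care

def _take_addr(tok: List[str], standard: bool) -> Tuple[str, str]:
    """Pop 'any' | 'host A' | 'A WILDCARD' | (standard lists only) a bare 'A'."""
    t = tok.pop(0)
    if t in ("any", "host"):
        return ANY if t == "any" else (tok.pop(0), "0.0.0.0")
    if standard:  # a standard list defaults an omitted wildcard to 0.0.0.0
        return t, (tok.pop(0) if tok and tok[0].count(".") == 3 else "0.0.0.0")
    return t, tok.pop(0)  # an extended list has no default: the wildcard is required

def _take_port_op(tok: List[str]) -> Optional[Tuple[str, int, int]]:
    """Pop an optional 'eq 25' / 'range 10000 10010' clause; None when absent."""
    if not tok or tok[0] not in PORT_OPS:
        return None
    op, lo = tok.pop(0), _port(tok.pop(0))
    return op, lo, (_port(tok.pop(0)) if op == "range" else lo)

def port_ok(clause: Optional[Tuple[str, int, int]], port: int) -> bool:
    op, lo, hi = clause or ("eq", port, port)  # no clause: every port matches
    return {"eq": port == lo, "neq": port != lo, "gt": port > lo,
            "lt": port < lo, "range": lo <= port <= hi}[op]

@dataclass
class Entry:
    action: str                            # permit | deny
    proto: str                             # ip | tcp | udp | icmp ...
    src: Tuple[str, str]                   # (network, wildcard)
    sport: Optional[Tuple[str, int, int]]  # (operator, low, high) or None
    dst: Tuple[str, str]
    dport: Optional[Tuple[str, int, int]]
    text: str

def parse_entry(line: str) -> Entry:
    tok = line.split()
    assert tok[0] == "access-list", line
    standard = 1 <= int(tok[1]) <= 99 or 1300 <= int(tok[1]) <= 1999  # number fixes type
    rest = tok[3:]
    if standard:  # source only, whole IP suite, any destination
        return Entry(tok[2], "ip", _take_addr(rest, True), None, ANY, None, line)
    proto = rest.pop(0)
    src, sport = _take_addr(rest, False), _take_port_op(rest)
    dst, dport = _take_addr(rest, False), _take_port_op(rest)
    return Entry(tok[2], proto, src, sport, dst, dport, line)

def evaluate(acl: List[Entry], proto: str, src: str, dst: str, sport=0, dport=0):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for e in acl:
        if (e.proto in ("ip", proto) and wildcard_match(src, *e.src)
                and wildcard_match(dst, *e.dst)
                and port_ok(e.sport, sport) and port_ok(e.dport, dport)):
            return e.action, e.text
    return "deny", "implicit deny"

def _covers(a: Tuple[str, str], b: Tuple[str, str]) -> bool:
    """True when every address that spec b matches is also matched by spec a."""
    wa, wb = _ip(a[1]), _ip(b[1])
    return wa | wb == wa and wildcard_match(b[0], a[0], a[1])

def shadowed(acl: List[Entry]) -> List[str]:
    """Entries an earlier entry already catches in full, so they can never match."""
    return [e.text for i, e in enumerate(acl) if any(
        p.proto in ("ip", e.proto) and p.sport in (None, e.sport)
        and p.dport in (None, e.dport) and _covers(p.src, e.src)
        and _covers(p.dst, e.dst) for p in acl[:i])]
```

Feeding the chapter's "permit ip host X any" followed by "deny udp host X any" into shadowed() returns the udp line, and reversing the two entries returns nothing, which is the reordering the chapter recommends.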

https://www.sciencedirect.com/science/article/pii/B9781931836562500088

clear access-list ipv4

To clear IPv4 access list counters, use the clear access-list ipv4 command in EXEC mode.

clear access-list ipv4 access-list-name [sequence-number | hardware {ingress | egress}] [interface type interface-path-id] [location node-id | sequence number]

Syntax Description

access-list-name
  Name of a particular IPv4 access list. The name cannot contain spaces or quotation marks, but can include numbers.

sequence-number
  (Optional) Specific sequence number with which counters are cleared for an access list. Range is 1 to 2147483644.

hardware
  Identifies the access list as an access group for an interface.

ingress
  Specifies an inbound direction.

egress
  Specifies an outbound direction.

interface
  (Optional) Clears the interface statistics.

type
  Interface type. For more information, use the question mark (?) online help function.

interface-path-id
  Physical interface or virtual interface.
  Note: Use the show interfaces command to see a list of all interfaces currently configured on the router.
  For more information about the syntax for the router, use the question mark (?) online help function.

location node-id
  (Optional) Clears hardware resource counters from the designated node. The node-id argument is entered in the rack/slot/module notation.

sequence number
  (Optional) Clears counters for an access list with a specific sequence number. Range is 1 to 2147483644.
