Access Control List Interview Questions And Answers
What Is Acl?
Access Control List is a packet filtering technique that filters the IP packets based mostly on supply and vacation spot deal with. It is a algorithm and circumstances that let or deny IP packets to train management over community traffic.
What Are Different Types Of Acl?
There are two essential kinds of Access lists:-
- Standard Access List.
- Extended Access List.
Explain Standard Access List?
Standard Access List examines solely the supply IP deal with in an IP packet to allow or deny that packet. It can’t match different area within the IP packet. Standard Access List might be created utilizing the access-list numbers 1-99 or within the expanded vary of 1300-1999. Standard Access List have to be utilized near vacation spot. As we’re filtering based mostly solely on supply deal with, if we put the usual access-list near the supply host or community than nothing can be forwarded from supply.
- R1 (config) # access-list 10 deny host 192.168.1.1
- R1 (config) # int fa0/0
- R1 (config-if) # ip access-group 10 in
Explain Extended Access List?
Extended Access List filters the community traffic based mostly on the Source IP deal with, Destination IP deal with, Protocol Field within the Network layer, Port quantity area on the Transport layer. Extended Access List ranges from 100 to 199, In expanded vary 2000-2699. Extended Access List must be positioned as near supply as attainable. Since prolonged entry record filters the traffic based mostly on particular addresses (Source IP, Destination IP) and protocols we don’t need our traffic to traverse the complete community simply to be denied losing the bandwidth.
- R1 (config) # access-list 110 deny tcp any host 192.168.1.1 eq 23
- R1 (config) # int fa0/0
- R1 (config-if) # ip access-group 110 in
Explain Named Acl And Its Advantages Over Number Acl?
It is simply one other means of making Standard and Extended ACL. In Named ACL names are given to establish access-list.
It has following benefit over Number ACL – In Name ACL we can provide sequence quantity which implies we are able to insert a brand new assertion in center of ACL.
- R1 (config) # ip access-list prolonged CCNA
- R1 (config) # 15 allow tcp host 10.1.1.1 host 188.8.131.52 eq 23
- R1 (config) # exit
- This will insert above assertion at Line 15.
- R1 (config) # int fa0/0
- R1 (config-if) # ip access-group ccna in
What Is Wildcard Mask?
Wildcard masks is used with ACL to specify a person hosts, a community, or a spread of community. Whenever a zero is current, it signifies that octet within the deal with should match the corresponding reference precisely. Whenever a 255 is current, it signifies these octets want to not be evaluated.
Wildcard Mask is totally reverse to subnet masks.
Example:- For /24
Subnet Mask – 255.255.255.0
Wildcard Mask – 0.0.0.255
How To Permit Or Deny Specific Host In Acl?
1. Using a wildcard masks “0.0.0.0”
Example: – 192.168.1.1 0.0.0.Zero or
2. Using key phrase “Host”
Example: – Host 192.168.1.1
In Which Directions We Can Apply An Access List?
We can apply entry record in two instructions:-
- IN – ip access-group 10 in
- OUT – ip access-group 10 out
Difference Between Inbound Access-list And Outbound Access-list?
When an access-list is utilized to inbound packets on interface, these packets are first processed by means of ACL after which routed. Any packets which can be denied received’t be routed. When an access-list is utilized to outbound packets on interface, these packets are first routed to outbound interface and than processed by means of ACL.
Difference Between #sh Access-list Command And #sh Run Access-list Command?
- #sh access-list exhibits variety of Hit Counts.
- #sh run access-list doesn’t present variety of Hit Counts.
How Many Access Lists Can Be Applied To An Interface On A Cisco Router?
We can assign just one entry record per interface per protocol per course which signifies that when creating an IP entry lists, we are able to have just one inbound entry record and one outbound entry record per interface. Multiple entry lists are permitted per interface, however they have to be for a distinct protocol.
How Access Lists Are Processed?
Access lists are processed in sequential, logical order, evaluating packets from the highest down, one assertion at a time. As quickly as a match is made, the allow or deny possibility is utilized, and the packet shouldn’t be evaluated in opposition to any extra entry record statements. Because of this, the order of the statements inside any entry record is important. There is an implicit “deny” on the finish of every entry record which signifies that if a packet doesn’t match the situation on any of the traces within the entry record, the packet can be discarded.
What Is At The End Of Each Access List?
At the top of every entry record, there may be an implicit deny assertion denying any packet for which the match has not been discovered within the entry record.
What Is The Function Of Access-list?
Access-List goes to filter incoming in addition to outgoing traffic on the router interface.
What Is The Default Wildcard Mask For Access-list?
Default Wild Card Mask for Access-List is 0.0.0.0
How Many Access-lists Can Be Created On The Router?
- 1 per Interface
- 1 per Direction
- 1 per Protocol
What Are The Advantages Of Standard Acl?
- Simple Packet Filtering Purpose
- Limiting Access on VTY traces
- Route Filtering
- Route- MAPs
What Are The Advantages Of Extended Acl?
- Complex Packet Filtering Purpose
- Route Filtering
- TCP Intercept
- IOS Firewall
What Is The Difference Between Standard Acl And Extended Acl?
Standard ACL solely checks Source IP deal with, Extended ACL checks Source IP, Destination IP and Protocol additionally for filtering traffic.
Standard ACL might be created utilizing quantity (1-99, 1300-1399) and Extended ACL might be created utilizing quantity (100-199, 2000-2699).
Two means communication is blocked in Standard ACL, One means communication is stopped in Extended ACL.
Standard ACL applied close to to vacation spot, Extended ACL applied close to to Source.
What Is The Difference Between Numbered Acl And Named Acl?
Numbered ACL is created through the use of quantity; Named ACL is created through the use of title,
Removing of particular assertion shouldn’t be attainable in Numbered ACL, It is feasible in Named ACL.
What Is The Difference Between Ipv4 Acl And Ipv6 Acl?
- No normal ACL in IPV6.
- No wildcard masks in IPV6 ACL.
- In IPV6 solely Named ACL’s can be found, there is no such thing as a numbered ACL.
What Is The Difference Between Access-group And Access-class Command?
- Access-group command is used to filter traffic on the Interface (Ethernet, Serial).
- Access-class command is used to filter traffic on Lines (Vty, Console, aux).
What Is The Default Action Of Acl, If No Condition Matches In Acl?
Which Traffic Is Not Filtered By Acl?
Traffic that’s generated by the router itself, ACL goes to filter solely transit traffic.