Blocked in and out of all interfaces
Blocked on all inbound interfaces, but permitted on all outbound interfaces
Permitted in and out of all interfaces
Blocked on all outbound interfaces, but permitted on all inbound interfaces
Destination router interface
By destination UDP por
By protocol type
By source IP address
By source UDP port
By destination IP address
Extended ACLs use a number range from 1-99.
Extended ACLs end with an implicit permit statement.
Extended ACLs evaluate the source and destination addresses.
Port numbers can be used to add greater definition to an ACL.
Multiple ACLs can be placed on the same interface as long as they are in the same direction.
Close to the source
Close to the destination
On an Ethernet port
On a serial port
An implicit deny any rejects any packet that does not match any ACL statement.
A packet can either be rejected or forwarded as directed by the statement that is matched.
A packet that has been denied by one statement can be permitted by a subsequent statement.
Each statement is checked only until a match is detected or until the end of the ACL statement list.
Each packet is compared to the conditions of every statement in the ACL before a forwarding decision is made.
The first 29 bits of a given IP address will be ignored.
The last 3 bits of a given IP address will be ignored.
The first 32 bits of a given IP address will be checked.
The first 29 bits of a given IP address will be checked.
The last 3 bits of a given IP address will be checked.
FTP traffic originating from network 172.16.3.0/24 is denied.
All traffic is implicitly denied.
FTP traffic destined for the 172.16.3.0/24 network is denied.
Telnet traffic originating on network 172.16.3.0/24 is denied.
Web traffic originating from 172.16.3.0 is permitted.
The second ACL is applied to the interface, replacing the first.
Both ACLs are applied to the interface.
The network administrator receives an error.
Only the first ACL remains applied to the interface.
ISP Fa0/0 outbound
R2 S0/0/1 inbound
R3 Fa0/0 inbound
R3 S0/0/1 outbound
Only named ACLs allow comments.
Names can be used to help identify the function of the ACL.
Named ACLs offer more specific filtering options than numbered ACLs.
Certain complex ACLs, such as reflexive ACLs, must be defined with named ACLs.
More than one named IP ACL can be configured in each direction on a router interface.
It is allowed because of the implicit deny any.
It is dropped because it does not match any of the items in the ACL.
It is allowed because line 10 of the ACL allows packets to 192.168.0.0/16.
It is allowed because line 20 of the ACL allows packets to the host 192.168.10.13.
TCP traffic entering fa0/0 from 172.16.1.254/24 destined to the 10.1.1.0/24 network is permitted.
TCP traffic entering fa0/0 from 10.1.1.254/24 destined to the 172.16.1.0/24 network is permitted.
Telnet traffic entering fa0/0 from 172.16.1.254/24 destined to the 10.1.1.0/24 network is permitted.
Telnet traffic entering fa0/0 from 10.1.1.254/24 destined to the 172.16.1.0/24 network is permitted.
The wildcard mask 0.0.0.0 is assumed.
The access list statements are misconfigured.
All nodes on the 172.16.0.0 network will be denied access to other networks.
No traffic will be allowed to access any nodes or services on the 172.16.0.0 network.
Web traffic does not use port 80 by default.
The access list is applied in the wrong direction.
The access list needs to be placed closer to the destination, on R3.
The range of source addresses specified in line 10 does not include host 192.168.1.50.
Users attempting to access hosts in the 192.168.30.0/24 network will be required to telnet to R3.
Hosts connecting to resources in the 126.96.36.199/24 network have an idle timeout of 15 minutes.
Anyone attempting to telnet into R3 will have an absolute time limit of five minutes.
Telnet access to R3 will only be permitted on Serial 0/0/1.
Standard ACLS must be numbered and cannot be named.
They should be placed as close to the destination as possible.
They can filter based on source and destination address as well as on source and destination port.
When applied to an outbound interface, incoming packets are processed before they are routed to the outbound interface.
Extended ACLs can be named, but standard ACLs cannot.
Unlike standard ACLs, extended ACLS can be applied in the inbound or outbound direction.
Based on payload content, an extended ACL can filter packets, such as information in an e-mail or instant message.
In addition to the source address, an extended ACL can also filter on destination address, destination port, and source port.
The ability to filter traffic based on a specific protocol
The ability to filter traffic based on an entire protocol suite and destination
The ability to specify source and destination addresses to use when identifying traffic
The ability to edit the ACL and add additional statements in the middle of the list without removing and re-creating the list
Wildcard masks are the inverse of the subnet mask.
The word "any" indicates that all corresponding bits must be matched.
The word "host" corresponds to a wildcard mask of 0.0.0.0 in an ACL statement.
A wildcard mask of 0.0.255.255 can be used to create a match for an entire Class B network.
A wildcard mask bit of 1 indicates that the corresponding bit in the address must be matched.
It will deny TCP traffic to the Internet if the traffic is sourced from the 172.22.10.0/24 network.
It will not allow TCP traffic coming from the Internet to enter the network 172.22.10.0/24.
It will allow any TCP traffic from the Internet to enter the network 172.22.10.0/24.
It will permit any TCP traffic that originated from network 172.22.10.0/24 to return inbound on the S0/0/0 interface.
Apply the ACL outbound on the serial0/0/0 interface on router R1.
Apply the ACL outbound on the FastEthernet0/0 interface on router R1.
Include the established keyword at the end of the first line in the ACL.
Include a statement in the ACL to deny the UDP traffic that originates from 188.8.131.52/24 network.
The ACL allows only the mail traffic to the server; the rest of the traffic is blocked.
The ACL permits the IP packets for users on network 172.22.30.0/24 only during a specific time range.
The ACL permits TCP packets only if a connection is established from the server to the network 172.22.0.0/16.
The ACL allows only TCP traffic from users on network 172.22.40.0/24 to access the server; TCP traffic from any other sources is blocked.