Access Control Lists Homework - Wade W Schlueter


27 Oct 2013


ACLs!


Wade Schlueter; August 16, 2010

1. Just to get you ready for the test, list all of the types of access-lists and their range of numbers.

   a. IP - 1 to 99
   b. Extended IP - 100 to 199
   c. XNS - 400 to 499
   d. Extended XNS - 500 to 599
   e. AppleTalk - 600 to 699
   f. IPX - 800 to 899
   g. Extended IPX - 900 to 999
   h. IPX SAP - 1000 to 1099
   i. Standard VINES - 1 to 100
   j. Extended VINES - 101 to 200
   k. Simple VINES - 201 to 300

2. List three important things that are the same for both standard and extended access-lists.

   a. You can specify only one ACL (per protocol for extended ACLs) per interface.
   b. Control network traffic on the inside and outside of the network.
   c. Both Standard ACLs and Extended ACLs use source oriented information.

3. Why should extended access-lists be applied closest to the source while standard lists should be placed closest to the destination?

   a. Extended Access lists should be applied closest to the source because they filter information based on the source, protocol, and port. Not doing so allows more network information to bounce around on a network than what is necessary and puts a higher workload on routers because more parameters are being specified.
   b. Standard access-lists should be applied closest to the destination because they are source based only. Meaning that it is only concerned with the destination of data. Putting multiple standard ACLs in the network applies rules which merely slow down the network more than is necessary, when the goal of ACLs is to control access to the Internet as well as Internet access to the internal network.

4. What are the variables that make extended access-lists so powerful?

   a. Protocol and port number variables make Extended ACLs powerful.

5. Write out the generic form of the extended access-list command.

   a. access-list (access-list number) (permit/deny) protocol source source-mask destination destination-mask operand? (port number)

6. List at least six different protocols that can be filtered using an extended access-list.

   a. FTP (port 20 for data), FTP (port 21 for programs), Telnet (port 23), SMTP (port 25), DNS (port 53), TFTP (port 69), HTTP (port 80), POP3 (port 125), IMAP (port 143), etc!

7. Write out an access-list command(s) that will prevent telnet sessions with router 1 (ip address 204.274.34.1) but will permit ping and trace functions from the network to which the router is attached. The administrator's workstation is 204.24.34.100 and telnet sessions from this workstation should be permitted.

   a. access-list 7 deny telnet any 204.274.34.1 0.0.0.0 23
   b. access-list 7 permit telnet 204.24.34.100 0.0.0.0 207.274.34.1 0.0.0.0
   c. access-list 7 permit ICMP any 204.274.34.1 0.0.0.0
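As an added example (not part of the homework), here is a small Python evaluator for extended-ACL entries of the form question 5 describes, run against the question-7 policy above. It assumes the router address 204.24.34.1, because the page's 204.274.34.1 is not a valid IPv4 address, and it shows why entry order matters: entries are matched top-down and the first match wins, so the administrator's permit must come before the general telnet deny or it is shadowed.

```python
"""Toy first-match evaluator for Cisco-style extended ACL entries.
Router address 204.24.34.1 is assumed (the page's 204.274.34.1 is not a
valid IPv4 address); 204.24.34.100 is the admin workstation from question 7."""
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")  # (address, wildcard mask) as in IOS
ROUTER = "204.24.34.1"                  # assumed, see docstring
ADMIN = "204.24.34.100"

def host(ip):
    """Single-host match: IOS 'host A.B.C.D', i.e. a 0.0.0.0 wildcard."""
    return (ip, "0.0.0.0")

def wildcard_match(addr, spec):
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    base, mask = spec
    a, b, m = (int(IPv4Address(x)) for x in (addr, base, mask))
    return (a | m) == (b | m)

def evaluate(acl, packet):
    """Return 'permit' or 'deny' for a packet dict (proto, src, dst, dport).
    Entries are tried top-down, first match wins; no match means the
    implicit deny at the end of every ACL."""
    for action, proto, src, dst, dport in acl:
        if proto != "ip" and proto != packet["proto"]:
            continue
        if not (wildcard_match(packet["src"], src)
                and wildcard_match(packet["dst"], dst)):
            continue
        if dport is not None and dport != packet["dport"]:
            continue
        return action
    return "deny"

# Entries: (action, protocol, source, destination, destination port).
# IOS form of each entry (extended range 100-199, per question 1) in comments.
INTENDED = [
    # access-list 107 permit tcp host 204.24.34.100 host 204.24.34.1 eq 23
    ("permit", "tcp", host(ADMIN), host(ROUTER), 23),
    # access-list 107 deny tcp any host 204.24.34.1 eq 23
    ("deny", "tcp", ANY, host(ROUTER), 23),
    # access-list 107 permit icmp any host 204.24.34.1
    ("permit", "icmp", ANY, host(ROUTER), None),
]
# Same three entries with the general deny first: it shadows the admin exception.
SHADOWED = [INTENDED[1], INTENDED[0], INTENDED[2]]

def mk_packet(proto, src, dst, dport=None):
    """Constructed sample packet; dport is None for ICMP."""
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}
```

Any traffic the three entries do not name, such as HTTP to the router, falls through to the implicit deny, which is why the wildcard and port fields have to be checked as carefully as the action.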

8. Write out the command needed to apply this access-list.

   a. config t
   b. interface fa0/0
   c. ip access-group 7
   d. end

9. The following diagram shows a router that is being set up as a firewall to protect the network from unauthorized traffic and at the same time allowing legitimate traffic to the web server. Before you start writing any access-list commands, list the objectives that need to be achieved by the access-list.

   a. Extended ACLs for web server include HTTP, SMTP, and Telnet to permit traffic inwards and outwards.
   b. ACL to block traffic to the web server to block all other IP addresses not using those protocols.



10. Outside access to the web server should include HTTP for the web pages, Telnet and SMTP sessions for mail. Write the necessary commands to allow this type of traffic to the web server.

   a. Access-list 10 HTTP any 205.100.25.15 0.0.0.0
   b. Access-list 10 SMTP any 205.100.25.15 0.0.0.0
   c. Access-list 10 telnet any 205.100.25.15 0.0.0.0

11. Write out the command to apply this access-list and indicate on which interface it would be applied.

   a. config t
   b. interface s0/0
   c. ip access-group 10
   d. end