Chapter 10

            True/False
            Indicate whether the statement is true or false.

____    1. Smart network engineers pay close attention to network traffic flow and security when they design and manage
           their networks.

____    2. With careful planning, you can create access lists that control which traffic crosses particular links, and which
           segments of your network will have access to others.

____    3. Access lists can take the place of more advanced security measures, such as firewalls.

____    4. Access lists begin working the second they are applied to an interface.

____    5. You can remove individual lines in an access list.


            Multiple Choice
            Identify the choice that best completes the statement or answers the question.

____    6. When making changes, you must remove the access list, using the ____ command.
           a. no access-list [list number]
           b. access-list off [list number]
           c. off access-list [list number]
           d. access-list [list number] no
____    7. With the ____ command, an administrator can schedule the router to reload in a certain number of minutes,
           hours, or even days.
           a. interval                                  c. restart
           b. refresh                                   d. reload
____    8. If you create and apply the lists and they have the intended results, you can cancel the scheduled reload with
           the ____ command.
           a. reload 0                                       c. reload cancel
           b.  reload abort                                  d. reload off
____    9. Traffic coming in to “the man in the router,” through any of the interfaces, needs to be filtered using ____
           traffic filters.
           a. outgoing                                      c. exterior
           b. incoming                                      d. outbound
____ 10. To apply the inbound access list 1 to an interface, you use the following command: ____.
         a. ip access-group 1 out                         c. ip access-group 1 ext
         b. ip access-group 1 int                         d. ip access-group 1 in
____ 11. The following command sets an outbound access list filter: ____.
         a. ip access-group 1 ext                    c. ip access-group 1 int
         b. ip access-group 1 out                    d. ip access-group 1 in
____ 12. You must use the ____ command to save the list after configuration if you want it to survive a router reload.
         a. copy reload                               c. copy run start
         b. copy start on                             d. copy run reload
____ 13. Routers use ____ to determine which bits in an address will be significant.
         a. wildcard masks                              c. list numbers
         b. access masks                                d. address rules
____ 14. It is possible to replace the 0.0.0.0 255.255.255.255 entry, which represents all hosts and all networks, with
         the ____ keyword.
         a. all                                            c. each
         b. any                                            d. none
____ 15. To view the access lists defined on your router, use the ____ command.
         a. show access-lists                             c. display access-lists
         b.  show lists                                   d. access-lists show
____ 16. To view which interfaces have IP access lists set, use the ____ command.
         a. show ip in                                   c. show ip interface
         b. show ip out                                  d. show ip any
____ 17. Use the ____ command to remove the application of the list.
         a. no accessgroup [ip][list #][direction]
         b. no ip [accessgroup][list #][direction]
         c. no ip access-list [list #][direction]
         d. no ip access-group [list #][direction]
____ 18. Regarding extended IP access lists, the ____ keyword is short for a wildcard mask of 0.0.0.0.
         a. host                                        c. none
         b. any                                         d. all
____ 19. To remove an extended IP access list from an interface, you enter interface configuration mode and use the
         ____ command.
         a. no ip ext access-group [list #] [in|out]
         b. extended no ip access-group [list #] [in|out]
         c. no ext access-group [list #] [in|out]
         d. no ip access-group [list #] [in|out]
____ 20. To name a standard IP access list, use the following syntax: ____.
         a. ip access-list named [name]
         b. named access-list standard [name]
         c. ip access-list standard [name]
         d. ip named-access-list [name]
____ 21. To name an extended IP access list, use the following syntax: ____.
         a. extended ip named-access-list [name]
         b. ip access-list extended [name]
         c. named-access-list extended [name]
         d. ip access-list named [name]
____ 22. To apply a standard IP named list to an interface, use the following syntax: ____.
         a. ip standard access-group [name] [in | out]
         b. ip standard-group [name] [in | out]
         c. ip apply access-group [name] [in | out]
         d. ip access-group [name] [in | out]
____ 23. ____ provides a GUI-based configuration tool for Cisco devices.
         a. CLI                                        c. CCL
         b. SDM                                        d. ACL
____ 24. SDM allows you to easily create a standard or an extended access list or, as it is known in the SDM, a(n)
         ____.
         a. VTY                                         c. ACL
         b. TTY                                         d. CLI
____ 25. Unlike the CLI, the SDM does allow a router to be configured as a firewall. To begin this task, click the ____
         icon in the Tasks panel.
         a. Firewall and ACL                           c. Routing
         b. Security Audit                             d. NAT
____ 26. The configuration of a(n) ____ is the main difference between the Basic and Advanced firewall wizards.
         a. NAT server                                   c. intranet
         b. DMZ                                          d. proxy server


           Completion
           Complete each statement.

      27. ____________________ are permit or deny statements that filter traffic based on the source address, destination
          address, protocol type, and port number of a packet.

      28. The access list ends with an implicit ____________________ statement, which blocks all packets that do not
          meet the requirements of the access list.

      29. Traffic coming in to the “man in the router,” through any of the interfaces, is considered
          ____________________.

      30. Access lists to block a router’s outward delivery must be applied as ____________________ filters.

      31. ____________________ IP access lists filter network traffic based on the source IP address only.


           Matching

           Match each item with a statement below:
           a. Access lists                                 f.   Standard IP access lists
           b. Lack of planning                             g.   Extended IP access lists
           c. no access-list [list #]                      h.   Named access lists
           d. Wildcard mask                                i.   Single host wildcard mask
           e. Partial masking
____ 32. permit or deny packets based only on the source address
____ 33. the mixing of 0s and 1s in a wildcard mask octet
____ 34. built into the Cisco IOS; solve many problems associated with traffic flow and security
____ 35. use names instead of numbers to identify themselves
____ 36. one of the most common problems associated with access lists
____ 37. filter by source IP address, destination IP address, protocol type, and application port number
____ 38. removes an access list
____ 39. the default for standard IP access lists
____ 40. determines which bits of the source address are significant


            Short Answer

       41. Why should you use a text editor to create access lists?

       42. What are the rules all access lists follow?

       43. Describe each element of the standard IP access list configuration syntax.

       44. Briefly describe wildcard masks.

       45. How can you monitor standard IP access lists?

       46. Describe each element of the extended IP access list configuration syntax.

       47. Where should you place standard and extended IP access lists?

       48. How can you monitor extended IP access lists?

       49. What are some of the advantages of using named access lists?
       50. What kind of tasks can you perform on the SDM’s Interfaces and Connection screen?


      Chapter 10
      Answer Section

      TRUE/FALSE

 1.   ANS:   T           PTS:   1             REF:   260
 2.   ANS:   T           PTS:   1             REF:   261
 3.   ANS:   F           PTS:   1             REF:   261
 4.   ANS:   T           PTS:   1             REF:   261
 5.   ANS:   F           PTS:   1             REF:   263


      MULTIPLE CHOICE

 6.   ANS:   A           PTS:   1             REF:   261
 7.   ANS:   D           PTS:   1             REF:   261
 8.   ANS:   C           PTS:   1             REF:   262
 9.   ANS:   B           PTS:   1             REF:   263
10.   ANS:   D           PTS:   1             REF:   263
11.   ANS:   B           PTS:   1             REF:   263
12.   ANS:   C           PTS:   1             REF:   264
13.   ANS:   A           PTS:   1             REF:   265
14.   ANS:   B           PTS:   1             REF:   269
15.   ANS:   A           PTS:   1             REF:   269
16.   ANS:   C           PTS:   1             REF:   269
17.   ANS:   D           PTS:   1             REF:   273
18.   ANS:   A           PTS:   1             REF:   275
19.   ANS:   D           PTS:   1             REF:   277
20.   ANS:   C           PTS:   1             REF:   279
21.   ANS:   B           PTS:   1             REF:   279
22.   ANS:   D           PTS:   1             REF:   279
23.   ANS:   B           PTS:   1             REF:   280
24.   ANS:   C           PTS:   1             REF:   280
25.   ANS:   A           PTS:   1             REF:   286
26.   ANS:   B           PTS:   1             REF:   286


      COMPLETION

27. ANS: Access lists

    PTS: 1               REF: 260
28. ANS: deny any

    PTS: 1               REF: 260
29. ANS: inbound

    PTS: 1                  REF: 263
30. ANS: outbound

    PTS: 1                  REF: 263
31. ANS: Standard

    PTS: 1                  REF: 265


      MATCHING

32.   ANS:   F              PTS:   1               REF:   268
33.   ANS:   E              PTS:   1               REF:   266
34.   ANS:   A              PTS:   1               REF:   260
35.   ANS:   H              PTS:   1               REF:   279
36.   ANS:   B              PTS:   1               REF:   261
37.   ANS:   G              PTS:   1               REF:   273
38.   ANS:   C              PTS:   1               REF:   263
39.   ANS:   I              PTS:   1               REF:   279
40.   ANS:   D              PTS:   1               REF:   265


      SHORT ANSWER

41. ANS:
    To ease the administrative load associated with access lists, Cisco recommends using a text editor to create
    them. You can then easily make changes to the list and apply it to the router configuration using copy and
    paste. You should place a no access-list [list #] command as the first line of the text file, which
    completely removes the existing access list from the router before the new lines are entered. If you do not use
    this command, the lines of the access list in the text file will be appended to the end of the existing list when
    you paste it into the configuration. Be aware that while a numbered list is removed but still referenced by an
    ip access-group command, the interface filters nothing, so paste the whole file in one step; the scheduled
    reload and reload cancel procedure from questions 7 and 8 is the safety net if a mistake locks you out.

    PTS: 1                  REF: 263
42. ANS:
    In summary, all access lists follow these rules:
    • Routers build each list sequentially, in the order in which you type the lines into the router.
    • Routers apply lists to packets sequentially, from the top down, one line at a time.
    • Packets are processed only until a match is made, and then they are acted upon based on the criteria
    contained in that access list statement. Because the first match wins, order matters: a broad permit placed
    above a narrower deny makes the deny unreachable.
    • Lists always end with an implicit deny. Routers discard any packets that do not match any of the access
    list statements.
    • Access lists must be applied to an interface as either inbound or outbound traffic filters.
    • Only one list, per protocol, per direction can be applied to an interface.
    • Access lists are effective as soon as they are applied; however, you must use the copy run start
    command to save the list after configuration if you want it to survive a router reload.

    PTS: 1               REF: 264
43. ANS:
    To configure standard IP access lists, you must create the list and then apply it to an interface using the
    following syntax:

    access-list [list #] [permit|deny] [source address] [source wildcard mask]

    The brackets in each command syntax are not part of the command; they group items that are replaced within
    each specific entry. The following list explains each element of the standard IP access list configuration
    syntax:
    • [list #]—Standard IP access lists are represented by a number in the range of 1–99 (in IOS versions 11.2 and
    greater, they can also be represented by text names; later releases also accept the expanded range 1300–1999).
    • [permit|deny]—Used to specify the nature of the access list line. It is either a permit or a deny statement.
    • [source address]—The IP address of the source.
    • [source wildcard mask]—A wildcard mask, or inverse mask, applied to determine which bits of the source
    address are significant. If it is omitted, IOS assumes 0.0.0.0, that is, an exact match on the single address given.

    PTS: 1                  REF: 265
44. ANS:
    Wildcard masks are one of the most important concepts in IP access lists. Routers use them to determine
    which bits in an address will be significant. Unlike subnet masks, 0s are placed in bit positions deemed
    significant, and 1s are placed in positions that are not significant. In other words, where there is a 0 in the
    mask, the corresponding bit in the incoming packet (either 0 or 1) must match the bit in the IP address in the
    access list; where there is a 1, the bit is ignored. If the significant bits do not all match, the packet passes to
    the next line in the access list.

    PTS: 1                   REF: 265
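    The bit-level rule above, carried through in Python as an added worked example (not the textbook's or Cisco's code): it derives a wildcard mask from a prefix length, performs the masked comparison, gives a per-octet view for troubleshooting, and demonstrates partial masking, that is, a mixed octet such as 254 letting one line cover every even-numbered /24. The function names and the sample addresses are this example's own.

```python
"""Wildcard (inverse) mask arithmetic.  Added worked example for this page; it is
not textbook or Cisco code.  A 0 bit in the wildcard means "this bit of the packet
address must equal the bit in the ACL entry"; a 1 bit means "don't care"."""
import ipaddress
from typing import List, Tuple


def to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len network: the bitwise inverse of the subnet mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def wildcard_match(packet_ip: str, entry_ip: str, wildcard: str) -> bool:
    """True when every bit the wildcard marks as significant (0) agrees."""
    care = to_int(wildcard) ^ 0xFFFFFFFF
    return (to_int(packet_ip) & care) == (to_int(entry_ip) & care)


def normalize_entry(entry_ip: str, wildcard: str) -> str:
    """What IOS actually stores: address bits under a wildcard 1 are zeroed, so
    'permit 10.1.1.5 0.0.0.255' is kept (and shown) as 10.1.1.0 0.0.0.255."""
    return str(ipaddress.IPv4Address(to_int(entry_ip) & (to_int(wildcard) ^ 0xFFFFFFFF)))


def explain(packet_ip: str, entry_ip: str, wildcard: str) -> List[Tuple[str, str, str, bool]]:
    """Per-octet view (packet bits, entry bits, wildcard bits, octet ok) for troubleshooting."""
    rows = []
    for p, e, w in zip(packet_ip.split("."), entry_ip.split("."), wildcard.split(".")):
        care = 255 ^ int(w)
        rows.append((f"{int(p):08b}", f"{int(e):08b}", f"{int(w):08b}",
                     (int(p) & care) == (int(e) & care)))
    return rows


def covered_third_octets(entry_ip: str, wildcard: str) -> List[int]:
    """Third-octet values a partially masked entry covers; shows what a mixed
    octet such as 254 (11111110) really selects."""
    e, w = int(entry_ip.split(".")[2]), int(wildcard.split(".")[2])
    return [x for x in range(256) if (x & (255 ^ w)) == (e & (255 ^ w))]


if __name__ == "__main__":
    print(wildcard_from_prefix(24))                                    # 0.0.0.255
    # Partial masking: one line covers every even-numbered /24 under 172.16.0.0
    print(wildcard_match("172.16.4.9", "172.16.0.0", "0.0.254.255"))  # True
    print(wildcard_match("172.16.5.9", "172.16.0.0", "0.0.254.255"))  # False
    for row in explain("172.16.5.9", "172.16.0.0", "0.0.254.255"):
        print(row)
```

    The normalize_entry function is the reason a list sometimes looks different in show access-lists from what was typed: IOS zeroes the address bits the wildcard marks as insignificant, so an entry that does not match as expected should be checked with explain against the stored form rather than the typed one.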
45. ANS:
    Three main commands are available for monitoring access lists on your router. The first two, show
    access-lists and show ip access-lists, display the exact syntax of all access lists and of the IP
    access lists, respectively, together with a per-line match counter. The show ip interface command is
    used to verify that an access list has been applied to an interface and in which direction; the plain show
    interfaces output reports link state and traffic counters but not access groups, so use show ip interface
    (or show running-config) for this check. It is a good idea to run each of these commands after creating and
    applying access lists, to visually inspect and verify that statements were typed correctly and that the lists
    will function as entered. Use the no access-list [list #] command to remove the list and the no ip
    access-group [list #][direction] command, in interface configuration mode, to remove the application
    of the list.

    PTS: 1                 REF: 273
46. ANS:
    To configure extended IP access lists, you must create the list and then apply it to an interface using the
    following syntax. A detailed explanation of each element follows the example.
    access-list [list #] [permit|deny] [protocol] [source IP address] [source wildcard mask] [operator] [port] [destination IP address] [destination wildcard mask] [operator] [port] [log]
    • [list #]—Extended IP access lists are represented by a number in the range of 100–199 (in IOS versions 11.2
    and greater, they can also be represented by text names; later releases also accept the expanded range 2000–2699).
    • [permit|deny]—Used to specify the nature of the access list line. It is either a permit or a deny statement.
    • [protocol]—The IP protocol to be filtered can be IP (which includes all protocols in the TCP/IP suite), TCP,
    UDP, ICMP, or others. Port operators are meaningful only for TCP and UDP.
    • [source IP address]—The IP address of the source.
    • [source wildcard mask]—A wildcard mask, or inverse mask, applied to determine which bits of the source
    address are significant.
    • [destination IP address]—The IP address of the destination.
    • [destination wildcard mask]—A wildcard mask, or inverse mask, applied to determine which bits of the
    destination address are significant.
    • [operator]—Can contain lt (less than), gt (greater than), eq (equal to), or neq (not equal to). It is used
    if an extended list filters by a specific port number, and it belongs to the address it follows: an operator after
    the source address filters on the source port, one after the destination address filters on the destination port.
    • [port]—If necessary, the port number of the protocol to be filtered. Alternatively, a service using TCP, such
    as www or ftp, can be specified.
    • [log]—Turns on logging of access list activity.
    In either address position, host A.B.C.D is shorthand for A.B.C.D 0.0.0.0 and any is shorthand for
    0.0.0.0 255.255.255.255.

    PTS: 1                 REF: 273-274
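    The standard and extended syntax above (questions 43 and 46) and the evaluation rules of question 42, implemented as an added Python simulation rather than anything from the textbook or from Cisco: it parses access-list lines in that syntax (including any, host, the lt/gt/eq/neq operators and service names such as www and ftp), walks a list top down until the first match, falls through to the implicit deny, and keeps per-line match counters like show access-lists. The configuration lines and packets at the bottom are constructed for the example, and the PORT_NAMES table is an assumed subset of the IOS service keywords.

```python
"""Top-down, first-match evaluation of IOS-style standard and extended IP access
lists.  Added simulation for this page: not Cisco's code and not the textbook's.
The sample lines and packets at the bottom are constructed for the example."""
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")                    # what the 'any' keyword expands to
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23,       # assumed subset of IOS service keywords
              "smtp": 25, "domain": 53, "ssh": 22}


def wildcard_match(ip: str, entry: str, wildcard: str) -> bool:
    """Compare only the bits where the wildcard mask has a 0 (a 1 means don't care)."""
    p, e, w = (int(ipaddress.IPv4Address(x)) for x in (ip, entry, wildcard))
    care = 0xFFFFFFFF ^ w
    return (p & care) == (e & care)


@dataclass
class Entry:
    action: str                                    # "permit" or "deny"
    proto: str = "ip"                              # "ip" matches every IP protocol
    src: Tuple[str, str] = ANY                     # (address, wildcard)
    dst: Tuple[str, str] = ANY
    sport: Optional[Tuple[str, List[int]]] = None  # (operator, ports) or None
    dport: Optional[Tuple[str, List[int]]] = None
    log: bool = False
    matches: int = 0                               # per-line hit counter, as in show access-lists


Packet = namedtuple("Packet", "src dst proto sport dport", defaults=("ip", None, None))


def _parse_addr(tok: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """'any' | 'host A.B.C.D' | 'A.B.C.D [wildcard]'; a missing wildcard means 0.0.0.0."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tok) and tok[i + 1].replace(".", "").isdigit():
        return (tok[i], tok[i + 1]), i + 2
    return (tok[i], "0.0.0.0"), i + 1


def _parse_op(tok: List[str], i: int):
    """Optional 'lt|gt|eq|neq PORT' qualifier; PORT may be a service name such as www."""
    port = lambda t: PORT_NAMES.get(t) or int(t)
    if i < len(tok) and tok[i] in ("lt", "gt", "eq", "neq"):
        return (tok[i], [port(tok[i + 1])]), i + 2
    return None, i


def parse_line(line: str) -> Tuple[int, Entry]:
    """Parse one 'access-list N permit|deny ...' line into (N, Entry)."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line}")
    num, action = int(tok[1]), tok[2]
    if 1 <= num <= 99:                             # standard: source address only
        return num, Entry(action, src=_parse_addr(tok, 3)[0])
    if 100 <= num <= 199:                          # extended: proto src [op] dst [op] [log]
        src, i = _parse_addr(tok, 4)
        sport, i = _parse_op(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_op(tok, i)
        return num, Entry(action, tok[3].lower(), src, dst, sport, dport, log="log" in tok[i:])
    raise ValueError(f"list number {num} is outside 1-99 and 100-199")


def _port_ok(spec, port: Optional[int]) -> bool:
    if spec is None:
        return True
    if port is None:                               # line filters on a port, packet carries none
        return False
    op, v = spec
    return {"eq": port == v[0], "neq": port != v[0], "lt": port < v[0], "gt": port > v[0]}[op]


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list top down; the first matching line decides and bumps its counter.
    Returns (action, line index), with index None for the implicit deny at the end."""
    for idx, e in enumerate(acl):
        if ((e.proto == "ip" or e.proto == pkt.proto)
                and wildcard_match(pkt.src, *e.src) and wildcard_match(pkt.dst, *e.dst)
                and _port_ok(e.sport, pkt.sport) and _port_ok(e.dport, pkt.dport)):
            e.matches += 1
            return e.action, idx
    return "deny", None


def build(lines: List[str]) -> dict:
    """Group lines by list number, keeping the order in which they were entered."""
    acls = {}
    for ln in lines:
        num, entry = parse_line(ln)
        acls.setdefault(num, []).append(entry)
    return acls


SAMPLE = [                                          # constructed, not from the page
    "access-list 1 permit 10.1.1.0 0.0.0.255",
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 192.168.5.10 eq www",
    "access-list 101 deny tcp any any eq telnet log",
    "access-list 101 permit ip 10.1.0.0 0.0.255.255 any",
]

if __name__ == "__main__":
    print(evaluate(build(SAMPLE)[101], Packet("10.1.7.9", "192.168.5.10", "tcp", 40000, 23)))  # ('deny', 1)
```

    build returns a dict keyed by list number, and each Entry.matches counter can be compared with what show access-lists prints on the real router: a line whose counter never moves is either shadowed by an earlier line or carries the wrong address or wildcard mask, which is the same diagnosis the monitoring commands in questions 45 and 48 support.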
47. ANS:
    Once an extended IP access list is created, it must be applied to an interface, just like a standard list. The
    difference is the placement of the list. Standard IP access lists examine the source address only. As a result,
    you must place them as close to the destination as possible to avoid blocking traffic bound for another
    interface or network. On the other hand, extended IP access lists are able to filter based on source and
    destination. Therefore, they are placed as close to the source as possible, so unwanted traffic is dropped before
    it consumes bandwidth across the network.

    PTS: 1                REF: 277
48. ANS:
    The same commands used to monitor standard IP access lists are used to monitor extended IP access lists. If
    you want to view the access lists configured on your router, you use the show access-lists or show
    ip access-lists command. To see whether the list has been applied to an interface, use the show ip
    interface command (show interfaces does not report access groups).

    Extended IP lists keep track of the number of packets that have matched each line of an access list. These
    match counters can be reset to zero for troubleshooting purposes with the clear access-list counters
    [list #] command; clearing them and then generating known traffic shows exactly which line is catching it.
    The no access-list [list #] command removes the list and the no ip access-group [list #]
    [direction] command removes the application of the list.

    PTS: 1                  REF: 278
49. ANS:
    The naming feature allows you to maintain security by using an easily identifiable access list, and it removes
    the limit of roughly 100 lists per filter type imposed by the numbered ranges. In addition, with named access
    lists individual lines can be selectively deleted from the ACL, whereas a numbered list must be removed and
    re-entered as a whole. In the IOS releases this chapter describes, the feature does not let you insert a line at a
    chosen position; any line added to a named ACL is appended to the end of the list. (Later releases, IOS 12.3 and
    up, add ACL entry sequence numbers that allow insertion at a specific point.) Named ACLs provide greater
    flexibility to network administrators who work in environments where large numbers of ACLs are needed,
    such as a large ISP.

    PTS: 1                 REF: 279
50. ANS:
    On the Interfaces and Connection screen, you can perform tasks related to:
    • Interfaces and Connections
    • Firewall and ACL
    • VPN
    • Security Audit
    • Routing
    • NAT
    • Intrusion Prevention
    • Quality of Service
    • NAC
    • Additional Tasks

     PTS: 1                 REF: 281
