CCNP Based INTERVIEW QUESTIONS Part 5

ACCESS LISTS
Besides named access lists, what are the two types of IP access lists?
The two types of IP access lists are standard and extended.

What criteria do standard IP access lists use to filter packets?
Standard IP access lists filter packets by the source address. As a result, a packet is permitted or denied for the entire protocol suite based on the source network IP address.

What criteria do extended IP access lists use to filter packets?
Extended IP access lists filter packets by source address, destination address, protocols, and port numbers.

In what two ways can IP access lists be applied to an interface?
Access lists can be applied as inbound or outbound access lists. Inbound access lists process packets as they enter a router's interface and before they are routed. Outbound access lists process packets as they exit a router's interface and after they are routed.

How many access lists can be applied to an interface on a Cisco router?
Only one access list per protocol, per direction, per interface can be applied on a Cisco router. Multiple access lists are permitted per interface, but each must be for a different protocol.

How are access lists processed?
Access lists are processed in sequential, logical order, evaluating packets from the top down, one statement at a time. As soon as a match is made, the permit or deny option is applied, and the packet is not evaluated against any further access list statements. Because of this, the order of the statements within any access list is significant.

What is at the end of each access list?
At the end of each access list, an implicit deny statement denies any packet not filtered in the access list.

What are the number ranges used to define standard and extended IP access lists?
The number ranges used to define standard and extended IP access lists are as follows:
• Standard IP access lists: 1 to 99 and 1300 to 1999
• Extended IP access lists: 100 to 199 and 2000 to 2699

When implementing access lists, what are wildcard masks?
Wildcard masks define the subset of the 32 bits in the IP address that must be matched. Wildcards are used with access lists to specify a host, network, or part of a network. Wildcard masks work exactly the opposite of subnet masks. In subnet masks, 1 bits are matched to the network portion of the address, and 0s are wildcards that specify the host range. In wildcard masks, when 0s are present, the octet address must match.

What is the IOS command syntax used to create a standard IP access list?
Here is the command syntax to create a standard IP access list:
access-list access-list-number {permit | deny} source-address [wildcard mask]
access-list-number is a number from 1 to 99.
For example:
RouterA(config)#access-list 10 deny 192.168.0.0 0.0.0.255
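
The answers above on wildcard masks, top-down processing, and the implicit deny can be checked with a small evaluator. This is an added example, not router code or part of the original post; apart from the first sample line, the configuration lines and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample config. The first line is the page's example; the others
# are assumptions. List 20 holds the same two entries as list 10, reordered.
SAMPLE_CONFIG = """
access-list 10 deny 192.168.0.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 20 permit 192.168.0.0 0.0.255.255
access-list 20 deny 192.168.0.0 0.0.0.255
"""

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit whose wildcard bit is 0."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF  # wildcard 0 = must match, 1 = ignore
    return (_to_int(addr) & care) == (_to_int(base) & care)

def parse_standard_acls(config):
    """Return {list_number: [(action, source, wildcard, line), ...]} in config order."""
    acls = {}
    for line in config.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL line: {line!r}")
        number = int(tok[1])
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError(f"{number} is outside the standard ACL ranges")
        if tok[3] == "any":
            source, wildcard = "0.0.0.0", "255.255.255.255"
        else:
            # An omitted wildcard means an exact host match (0.0.0.0).
            source, wildcard = tok[3], tok[4] if len(tok) > 4 else "0.0.0.0"
        acls.setdefault(number, []).append((tok[2], source, wildcard, line.strip()))
    return acls

def evaluate(acls, number, src_ip):
    """Walk the list top-down; the first match decides, otherwise implicit deny."""
    for action, source, wildcard, line in acls[number]:
        if wildcard_match(src_ip, source, wildcard):
            return action, line
    return "deny", "implicit deny"

if __name__ == "__main__":
    acls = parse_standard_acls(SAMPLE_CONFIG)
    for num, ip in [(10, "192.168.0.77"), (10, "192.168.5.9"),
                    (10, "10.1.1.1"), (20, "192.168.0.77")]:
        print(num, ip, *evaluate(acls, num, ip))
```

In list 20 the deny entry is never reached for 192.168.0.77 because the broader permit above it matches first, which is the ordering mistake to look for when reviewing an access list.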

How can you display all access lists on a Cisco router?
To display all access lists on a Cisco router, use the show access-list command:
RouterA#show access-list
Standard IP access list 10
    deny 192.168.0.0, wildcard bits 0.0.0.255
Extended IP access list 101
    permit tcp any any eq www
    permit udp any any eq domain
    permit udp any eq domain any
    permit icmp any any
    deny tcp 192.168.10.0 0.0.0.255 any eq www


