Which access list is used to filter on upper-layer protocols?
A. extended acl
B. standard acl
C. reflexive acl
D. time based acl
E. dynamic acl
Correct Answer: A
Remember the three Ps: per protocol, per direction, and per interface.
One ACL per protocol: to control traffic flow on an interface, an ACL must be defined for each protocol enabled on that interface (for example IP, IPX, AppleTalk).
One ACL per direction: an ACL controls traffic in only one direction at a time on an interface. You must create two separate ACLs to control both inbound and outbound traffic.
One ACL per interface: an ACL controls traffic for a single interface, such as Fast Ethernet 0/0.
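Why the answer is A: a standard ACL matches only on the source address, so it cannot tell SSH from HTTP; an extended ACL matches the protocol, the source and destination, and the ports. The following IOS configuration is an added example, not part of the original question explanation; the interface name and all addresses are assumed:

```cisco
! Standard ACL: matches on SOURCE address only. Nothing here can
! reference TCP, UDP or a port. (Addresses are assumed.)
access-list 10 permit 192.168.10.0 0.0.0.255
! every ACL ends with an implicit "deny any"

! Extended ACL: matches protocol, source, destination and port.
! Allow only SSH and ping from the LAN to one server; log the rest.
access-list 110 permit tcp 192.168.10.0 0.0.0.255 host 10.0.0.5 eq 22
access-list 110 permit icmp 192.168.10.0 0.0.0.255 host 10.0.0.5 echo
access-list 110 deny ip any any log

! Per interface, per direction: one ACL inbound and a different one
! outbound on the same interface. Per protocol: these are IP ACLs
! ("ip access-group"); IPX or AppleTalk would need their own.
interface FastEthernet0/0
 ip access-group 110 in
 ip access-group 10 out
```

After applying the lists, `show access-lists` displays per-entry hit counters, which is the quickest way to confirm that traffic is matching the line you expect rather than falling through to the implicit deny.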
Dynamic (lock-and-key) ACLs are available for IP traffic only. A dynamic ACL starts with an extended ACL applied to block traffic through the router; once a user authenticates, a temporary entry is opened for that user's host.
Common reasons to use dynamic ACLs:
You want a specific remote user or group of remote users, connecting from outside your network (the Internet), to access a host inside your network. Lock-and-key authenticates the user and then permits limited access through your firewall router.
You want a subset of hosts on a local network to access a host on a remote network that is protected by a
Lock-and-key requires users to authenticate through an AAA server, a TACACS server or another security server before it allows access.
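A lock-and-key configuration, added here as an example that is not part of the original explanation; the addresses, interface, TACACS+ server, key and the name REMOTE-USERS are all assumed. The extended ACL lets outside users reach the router only to authenticate (Telnet); after login, `access-enable` inserts a temporary permit for the authenticating host into the dynamic entry:

```cisco
! Authenticate lock-and-key users against TACACS+ (server assumed),
! falling back to the local user database if the server is unreachable.
aaa new-model
aaa authentication login LOCKKEY group tacacs+ local
tacacs-server host 10.0.0.20 key TACACS-KEY
username remoteuser password 0 ExamplePass1

! Extended ACL applied inbound on the outside interface.
! First line: prospective users may Telnet to the router to authenticate.
! Second line: the dynamic entry. It matches nothing until access-enable
! creates a temporary permit for the authenticated host; "timeout 120"
! is the absolute lifetime in minutes of that temporary entry.
access-list 101 permit tcp any host 203.0.113.1 eq telnet
access-list 101 dynamic REMOTE-USERS timeout 120 permit ip any 10.0.0.0 0.0.0.255
! everything else falls through to the implicit deny

interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group 101 in

! These vty lines are dedicated to lock-and-key: after a successful login
! the router runs access-enable (entry is for the caller's host only,
! removed after 10 idle minutes) and disconnects the session.
line vty 0 4
 login authentication LOCKKEY
 autocommand access-enable host timeout 10
```

Because `autocommand` on the line applies to every login on those vtys, administrators need a separate line (or an autocommand bound to specific usernames instead) to keep an interactive session. `show access-lists 101` shows the temporary entries while they are open.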
Reflexive ACLs filter IP packets based on upper-layer session information. They are generally used to permit outbound traffic and to limit inbound traffic to the replies for sessions that originated inside the network. When the router sees a new outbound session it adds an entry to a temporary, nested ACL that allows the return traffic back in; the entry is removed when the session closes or times out. Reflexive ACLs can be defined only within an extended named IP ACL. They cannot be defined in numbered or standard named ACLs, or for other protocols.
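A reflexive ACL on an Internet-facing interface, added here as an example (not the original explanation's code); the interface, the ACL names and the nested list names TCP-REPLIES and UDP-REPLIES are assumed:

```cisco
! Outbound list: every permitted TCP/UDP session is "reflected" into a
! temporary nested ACL. The timeout (seconds) bounds idle entries.
ip access-list extended OUTSIDE-OUT
 permit tcp any any reflect TCP-REPLIES timeout 300
 permit udp any any reflect UDP-REPLIES timeout 60
 permit icmp any any

! Inbound list: "evaluate" is the point where the temporary return-traffic
! entries are inserted. Any service that must accept unsolicited inbound
! connections needs an explicit permit ABOVE the evaluate lines; the final
! deny catches everything that is not a reply to an inside session.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.1 eq 22
 evaluate TCP-REPLIES
 evaluate UDP-REPLIES
 deny ip any any log

interface GigabitEthernet0/1
 description link to ISP (assumed)
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE-OUT out
 ip access-group OUTSIDE-IN in
```

While a session is open, `show access-lists TCP-REPLIES` lists the temporary entry with source and destination (and ports) swapped relative to the outbound packet that created it. ICMP is not reflected, so inbound ICMP replies must be handled separately if they are wanted.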
Time-based ACLs work like extended ACLs but add access control based on time. To use them you create a named time range that defines specific times of day and days of the week, then reference that name from the ACL entry. The time range is checked against the router's system clock, so the feature works best with NTP (Network Time Protocol) synchronization, although the unsynchronized router clock can also be used.
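A time-based ACL, added as an example that is not part of the original explanation; the NTP server, addresses, interface, and the range names BUSINESS-HOURS and MAINT-WINDOW are assumed. It shows both a recurring (periodic) range and a one-off (absolute) range:

```cisco
! Keep the clock accurate first: every time-range is evaluated against it.
ntp server 10.0.0.10
clock timezone UTC 0

! Recurring window: weekdays 08:00-18:00.
time-range BUSINESS-HOURS
 periodic weekdays 08:00 to 18:00
! One-off window: a single overnight maintenance slot.
time-range MAINT-WINDOW
 absolute start 22:00 30 June 2024 end 02:00 1 July 2024

ip access-list extended LAN-IN
 ! web browsing from the LAN only during business hours
 permit tcp 192.168.10.0 0.0.0.255 any eq 80 time-range BUSINESS-HOURS
 permit tcp 192.168.10.0 0.0.0.255 any eq 443 time-range BUSINESS-HOURS
 ! SSH to the backup server only inside the maintenance window
 permit tcp 192.168.10.0 0.0.0.255 host 10.0.0.30 eq 22 time-range MAINT-WINDOW
 deny ip any any log

interface GigabitEthernet0/0
 ip access-group LAN-IN in
```

`show time-range` reports whether each range is currently active, and `show access-lists LAN-IN` marks entries whose range is inactive, so a "permit that does not permit" can be traced to the clock rather than to the match criteria. If the clock is wrong (NTP unreachable, wrong timezone), the ranges silently open or close at the wrong times.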
Numbered ACLs: you assign a number based on whether the ACL is standard or extended.
1 to 99 and 1300 to 1999 are standard IP ACLs.
100 to 199 and 2000 to 2699 are extended IP ACLs.
In the classic model you cannot add or delete individual entries within a numbered ACL; you have to delete the whole ACL and re-enter it in order to edit it. (IOS releases that support ACL entry sequence numbering let you edit a numbered ACL in place by entering it as if it were a named ACL.)
Named ACLs: you can assign a name to the ACL instead of a number.
Names can contain alphanumeric characters.
It is recommended to type the name in all CAPITAL LETTERS.
Names cannot contain spaces or quotation marks and must begin with an alphabetic character (so they cannot be confused with a numbered ACL).
You can add or delete individual entries within the ACL.
You specify whether the ACL is standard or extended when you create it.
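The editing difference between numbered and named ACLs, shown as an added example (not from the original explanation); the addresses and the name MGMT-HOSTS are assumed:

```cisco
! Classic numbered ACL: new lines are always appended. To put a deny
! AHEAD of the existing permit, the whole list is removed and re-entered.
access-list 10 permit 192.168.10.0 0.0.0.255
no access-list 10
access-list 10 deny host 192.168.10.50
access-list 10 permit 192.168.10.0 0.0.0.255

! Named ACL: entries carry sequence numbers (10, 20, ... by default),
! so a line can be inserted or removed in place.
ip access-list standard MGMT-HOSTS
 permit 192.168.10.0 0.0.0.255
 permit 10.0.0.0 0.0.0.255
 ! insert a host deny ahead of sequence 10 without touching anything else
 5 deny host 192.168.10.50
 ! remove the second permit (sequence 20) by its number
 no 20

! On IOS with ACL sequence numbering, a numbered ACL can be edited the
! same way by opening it in named-ACL configuration mode.
ip access-list standard 10
 5 deny host 192.168.10.51

! Renumber MGMT-HOSTS as 10, 20, 30 ... after a series of inserts.
ip access-list resequence MGMT-HOSTS 10 10
```

`show access-lists MGMT-HOSTS` displays the sequence numbers, which are what the `no <seq>` and `<seq> permit|deny` forms refer to; the numbers are not saved in the running configuration order beyond the default spacing, which is why `resequence` exists.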