Which of the following statements are TRUE regarding Cisco access lists? (Choose two.)
A. In an inbound access list, packets are filtered as they enter an interface.
B. In an inbound access list, packets are filtered before they exit an interface.
C. Extended access lists are used to filter protocol-specific packets.
D. You must specify a deny statement at the end of each access list to filter unwanted traffic.
E. When a line is added to an existing access list, it is inserted at the beginning of the access list.
Access lists may be used for purposes such as filtering IP traffic, defining which traffic to Network Address Translate (NAT) or encrypt, or filtering non-IP protocols such as AppleTalk, IPX, etc.
Access lists filter network traffic by controlling whether routed packets are forwarded or blocked at the router’s interfaces. Your router examines each packet to determine whether to forward or drop the packet, on the basis of the criteria you specified within the access lists.
Access list criteria could be the source address of the traffic, the destination address of the traffic, the upper-layer protocol, or other information. Note that sophisticated users can sometimes successfully evade or fool basic access lists because no authentication is required.
There are many reasons to configure access lists; for example, you can use access lists to restrict contents of routing updates or to provide traffic flow control. One of the most important reasons to configure access lists is to provide security for your network, which is the focus of this chapter.
You should use access lists to provide a basic level of security for accessing your network. If you do not configure access lists on your router, all packets passing through the router could be allowed onto all parts of your network.
Access lists can allow one host to access a part of your network and prevent another host from accessing the same area. In Figure 14, host A is allowed to access the Human Resources network, and host B is prevented from accessing the Human Resources network.
Figure 14 Using Traffic Filters to Prevent Traffic from Being Routed to a Network
You can also use access lists to decide which types of traffic are forwarded or blocked at the router interfaces. For example, you can permit e-mail traffic to be routed, but at the same time block all Telnet traffic.
When to Configure Access Lists
Access lists should be used in “firewall” routers, which are often positioned between your internal network and an external network such as the Internet. You can also use access lists on a router positioned between two parts of your network, to control traffic entering or exiting a specific part of your internal network.
To provide the security benefits of access lists, you should at a minimum configure access lists on border routers—routers situated at the edges of your networks. This provides a basic buffer from the outside network, or from a less controlled area of your own network into a more sensitive area of your network.
On these routers, you should configure access lists for each network protocol configured on the router interfaces. You can configure access lists so that inbound traffic or outbound traffic or both are filtered on an interface.
Access lists must be defined on a per-protocol basis. In other words, you should define access lists for every protocol enabled on an interface if you want to control traffic flow for that protocol.
Note: Some protocols refer to access lists as filters.
Basic Versus Advanced Access Lists
This chapter describes how to use standard and static extended access lists, which are the basic types of access lists. Some type of basic access list should be used with each routed protocol that you have configured for router interfaces.
Besides the basic types of access lists described in this chapter, there are also more advanced access lists available, which provide additional security features and give you greater control over packet transmission. These advanced access lists and features are described in the other chapters within the part “Traffic Filtering and Firewalls.”
Overview of Access List Configuration
Each protocol has its own set of specific tasks and rules that are required in order for you to provide traffic filtering. In general, most protocols require at least two basic steps to be accomplished. The first step is to create an access list definition, and the second step is to apply the access list to an interface.
The following sections describe these two steps:
• Creating Access Lists
• Applying Access Lists to Interfaces
Note that some protocols refer to access lists as filters and refer to the act of applying the access lists to interfaces as filtering.
http://ciscoiseasy.blogspot.com/2011/03/lesson-47-packet-filtering-with.html
INBOUND ACLs
This type of ACL analyzes packets coming toward the router on the interface where they were received. Based on the criteria defined in the ACL, the packet is either processed further (a layer 3 lookup is performed to find the outbound interface) or dropped.
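As an added example (not Cisco's code and not part of the original page), the following Python models the two configuration steps described above, creating a list and applying it to an interface, together with the processing order from the INBOUND ACLs section: an inbound list is evaluated as the packet enters, before the layer 3 lookup, and an outbound list after routing, before the packet exits. It also reproduces the Figure 14 scenario (host A reaches the Human Resources network, host B does not) and the e-mail-permitted/Telnet-blocked example. The interface names, list number 101 and all addresses are constructed for the example; the first-match evaluation, the implicit deny at the end of every list and the appending of new lines at the end of a numbered list mirror IOS behaviour.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

# Added example, not Cisco's code: a model of how a router applies access
# lists, following the two steps in the text (define a list, then apply it
# inbound or outbound on an interface). All addresses are constructed.

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"            # "ip", "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None

@dataclass
class Entry:
    """One access-list line. A standard list matches only src; an extended
    list can also match protocol, destination and port."""
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"          # "any"
    dst: str = "0.0.0.0/0"
    protocol: str = "ip"            # "ip" matches every IP protocol
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.protocol == "ip" or self.protocol == pkt.protocol)
                and IPv4Address(pkt.src) in IPv4Network(self.src)
                and IPv4Address(pkt.dst) in IPv4Network(self.dst)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))

@dataclass
class AccessList:
    name: str
    entries: List[Entry] = field(default_factory=list)

    def add(self, entry: Entry) -> "AccessList":
        # A new line is appended at the END of a numbered IOS list, so the
        # order you enter lines matters: evaluation stops at the first match.
        self.entries.append(entry)
        return self

    def evaluate(self, pkt: Packet) -> str:
        for entry in self.entries:
            if entry.matches(pkt):
                return entry.action
        # Every IOS access list ends with an implicit "deny any": a list
        # with no permit line blocks all traffic it is applied to.
        return "deny"

@dataclass
class Interface:
    name: str
    inbound: Optional[AccessList] = None     # "ip access-group <list> in"
    outbound: Optional[AccessList] = None    # "ip access-group <list> out"

class Router:
    def __init__(self) -> None:
        self.interfaces: Dict[str, Interface] = {}
        self.routes: Dict[IPv4Network, str] = {}   # prefix -> egress interface

    def lookup(self, dst: str) -> Optional[str]:
        # Longest-prefix match: the layer 3 lookup the text refers to.
        hits = [p for p in self.routes if IPv4Address(dst) in p]
        return self.routes[max(hits, key=lambda p: p.prefixlen)] if hits else None

    def forward(self, pkt: Packet, in_iface: str) -> str:
        ingress = self.interfaces[in_iface]
        # Inbound list: checked as the packet ENTERS, before the route lookup.
        if ingress.inbound and ingress.inbound.evaluate(pkt) == "deny":
            return f"denied inbound on {in_iface} by list {ingress.inbound.name}"
        out = self.lookup(pkt.dst)
        if out is None:
            return "dropped: no route"
        egress = self.interfaces[out]
        # Outbound list: checked after routing, before the packet EXITS.
        if egress.outbound and egress.outbound.evaluate(pkt) == "deny":
            return f"denied outbound on {out} by list {egress.outbound.name}"
        return f"forwarded out {out}"

def build_router() -> Router:
    """Constructed scenario from the text: host A (10.1.1.10) may reach the
    HR network 10.2.0.0/16, host B (10.1.1.20) may not; e-mail (TCP/25) is
    permitted while Telnet (TCP/23) is blocked."""
    r = Router()
    r.interfaces = {"Ethernet0": Interface("Ethernet0"), "Ethernet1": Interface("Ethernet1")}
    r.routes = {IPv4Network("10.1.0.0/16"): "Ethernet0", IPv4Network("10.2.0.0/16"): "Ethernet1"}
    r.interfaces["Ethernet0"].inbound = (
        AccessList("101")
        .add(Entry("deny", protocol="tcp", dst_port=23))               # block Telnet first
        .add(Entry("permit", protocol="tcp", dst_port=25))             # allow e-mail
        .add(Entry("permit", src="10.1.1.10/32", dst="10.2.0.0/16")))  # host A -> HR
    return r                                  # host B falls through to the implicit deny

if __name__ == "__main__":
    r = build_router()
    for pkt in (Packet("10.1.1.10", "10.2.5.5"), Packet("10.1.1.20", "10.2.5.5"),
                Packet("10.1.1.20", "10.2.5.5", "tcp", 25), Packet("10.1.1.10", "10.2.5.5", "tcp", 23)):
        print(pkt.src, "->", pkt.dst, pkt.protocol, pkt.dst_port, ":", r.forward(pkt, "Ethernet0"))
```

The ordering of the three lines in list 101 is the point to notice: because evaluation stops at the first match and new lines land at the end, the Telnet deny must be entered before the broader permits, and anything not explicitly permitted (host B's plain IP traffic here) is dropped by the implicit deny without any configured deny statement.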