RE: Easy access-list but is there a better way

From: Kenneth Wygand (KWygand@customonline.com)
Date: Thu Sep 25 2003 - 11:39:06 GMT-3


Lee,

Not that I know of. Additionally, if this is for an edge router, there
are other IP networks you should block out as well - specifically
multicast IP addresses, IP addresses known to be part of your internal
network, as well as various ranges that were developed for testing
purposes for which there is no legitimate use on the Internet.

Check out the National Security Association's Security Recommendation
guide.

http://nsa2.www.conxion.com/cisco/guides/cis-2.pdf

The information related to the IP addresses you mention can be found on
pages 86-87 of this PDF file.

This is really an invaluable paper.

Kenneth E. Wygand
Systems Engineer, Project Services
CISSP #37102, CCNP, CCDP, MCP 2000, CNA 5.1, Network+, A+
Custom Computer Specialists, Inc.
"It's not just about ending up where you want to be, it's about making
the most of the trip there."
-Anonymous

-----Original Message-----
From: Carter, Lee [mailto:Lee.Carter@CommerceBank.com]
Sent: Thursday, September 25, 2003 10:29 AM
To: ccielab@groupstudy.com
Subject: Easy access-list but is there a better way

Hi all,

Does anyone know of a quick, easy way to block RFC1918 IP addresses?
     10.0.0.0 - 10.255.255.255 (10/8 prefix)
     172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
     192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
http://www.faqs.org/rfcs/rfc1918.html

I know you can deny 10/8, 172.16/12 and 192.168/16, but that would take 3
commands to deny and 1 to permit any after that (4 commands total). Is there
a quick, dirty 1- or 2-line command that would do the same, like "deny
RFC1918"?

thanks,
Lee

***Get your CCIE and a FREE vacation: Shop.GroupStudy.com***
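The three prefixes in Lee's question cannot be summarised into fewer ACL entries because they are not contiguous, which is why three deny lines are the minimum. The following added example (not code from either poster or from the NSA guide) demonstrates this with Python's standard `ipaddress` module: it collapses the RFC 1918 ranges, derives the IOS wildcard masks, emits the resulting extended access-list lines, and classifies sample addresses the way the ACL would. The multicast block 224.0.0.0/4 is included because the reply mentions multicast; the access-list number 100 and the sample addresses are constructed placeholders, not from the thread.

```python
"""Why RFC 1918 needs three ACL entries, and what those entries look like.

Added example using only the standard library. Prefixes are the RFC 1918
ranges quoted in the thread plus IPv4 multicast (224.0.0.0/4); the ACL
number 100 is an assumed placeholder.
"""
import ipaddress

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
MULTICAST = ipaddress.ip_network("224.0.0.0/4")


def collapse(nets):
    """Return the minimal list of CIDR prefixes covering the same addresses.

    For the RFC 1918 blocks this still yields three prefixes: they are not
    adjacent, so no single prefix (and no single ACL line) can express them
    without also matching public space.
    """
    return list(ipaddress.collapse_addresses(nets))


def wildcard(net):
    """IOS wildcard mask: the bitwise inverse of the netmask (e.g. /12 -> 0.15.255.255)."""
    return str(net.hostmask)


def ios_acl_lines(nets, acl=100):
    """Emit extended-ACL lines: one 'deny ip <net> <wildcard> any' per collapsed prefix,
    followed by the closing 'permit ip any any'."""
    lines = [
        f"access-list {acl} deny ip {n.network_address} {wildcard(n)} any"
        for n in collapse(nets)
    ]
    lines.append(f"access-list {acl} permit ip any any")
    return lines


def classify(addr, nets=RFC1918 + [MULTICAST]):
    """Return 'deny' if addr falls inside any filtered prefix, else 'permit'.

    This mirrors first-match ACL evaluation: any deny entry hit wins, otherwise
    the trailing permit applies.
    """
    ip = ipaddress.ip_address(addr)
    return "deny" if any(ip in n for n in nets) else "permit"


if __name__ == "__main__":
    print(f"collapsed RFC 1918 prefixes: {len(collapse(RFC1918))}")
    for line in ios_acl_lines(RFC1918 + [MULTICAST]):
        print(line)
    # Constructed sample addresses: edges of 172.16/12 and one public address.
    for sample in ("172.31.255.255", "172.32.0.0", "8.8.8.8", "239.1.1.1"):
        print(sample, "->", classify(sample))
```

The boundary addresses in the usage block are the ones worth checking when hand-writing wildcard masks: 172.31.255.255 must be denied while 172.32.0.0 must pass, which is exactly the difference between a correct 0.15.255.255 wildcard and a too-broad 0.255.255.255 one.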



This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:37 GMT-3