Re: access-lists for routing proto's

From: Eric Cables (skatter@blackened.net)
Date: Tue Dec 02 2003 - 02:37:13 GMT-3


Hans,

I think you're making this more complicated than it needs to be. If all
they're asking for is to filter all but port 80 to 1.2.3.4, then why not
do just that, and permit everything else?

!
ip access-list extended FW_E0_IN
 permit tcp any host 1.2.3.4 eq 80
 deny ip any host 1.2.3.4
 permit ip any any
!

On Mon, 1 Dec 2003, Driessens.Hans wrote:

> Hi group
>
> If a question at the lab is something like
>
> "make an ingress filter on ethernet from r1 that only allows http to server
> 1.2.3.4 and make sure that routing isn't affected"
>
>
> r1, r2 and r3 are connected to that ethernet segment and are speaking OSPF.
> All the ospf prio's are the same, the ip addresses are 1.1.1.x
> (x=routernumber). Router 1 and 2 are also doing bgp...
>
> One solution could be
>
> router r1
> int e0
> ip address 1.1.1.1 255.255.255.0
> ip access-group FW_E0_IN in
> !
> ip access-list extended FW_E0_IN
> permit tcp any host 1.2.3.4 eq 80
> permit ospf any any
> permit tcp host 1.1.1.2 host 1.1.1.1 eq bgp
> permit tcp host 1.1.1.2 eq bgp host 1.1.1.1
> !
>
>
> another solution could be
>
> router r1
> int e0
> ip address 1.1.1.1 255.255.255.0
> ip access-group FW_E0_IN in
> !
> ip access-list extended FW_E0_IN
> permit tcp any host 1.2.3.4 eq 80
> permit ospf host 1.1.1.2 host 1.1.1.1
> permit ospf host 1.1.1.2 host 224.0.0.5
> permit ospf host 1.1.1.2 host 224.0.0.6
> permit ospf host 1.1.1.3 host 1.1.1.1
> permit ospf host 1.1.1.3 host 224.0.0.5
> permit ospf host 1.1.1.3 host 224.0.0.6
> permit tcp host 1.1.1.2 gt 1023 host 1.1.1.1 eq bgp
> permit tcp host 1.1.1.2 eq bgp host 1.1.1.1 gt 1023
> !
>
>
> The second solution is easier to mess up.... but is also more accurate and
> the only correct answer in my opinion. Does anybody know what's considered
> true at the lab? Can there be a difference in the R/S lab versus the
> security lab?
>
> Hans Driessens
>
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

-- 
skatter
Black Thursday sysop / Scene Revivalist
telnet://blackthursday.net
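As an added illustration (not part of either message above, and not Cisco code), the following Python models how an IOS extended access-list is evaluated: entries are tried top to bottom, the first match decides, and anything unmatched hits the implicit deny at the end. It runs the three access-lists from this thread against the same constructed packets, which makes the trade-off concrete: Eric's list never touches routing because it ends in "permit ip any any", Hans's first list keeps OSPF and BGP only because it names them before the implicit deny, and Hans's second list drops OSPF from any router that was not enumerated (1.1.1.4 below). The ACL names ("eric", "hans1", "hans2"), the packets and the 9.9.9.9 / 10.0.0.1 addresses are my own assumptions; wildcard masks and UDP are not modelled.

```python
"""Added example: a small model of Cisco IOS extended-ACL evaluation
(first matching entry wins, implicit deny at the end) applied to the three
access-lists from this thread. Not Cisco code; the packets are constructed."""
from dataclasses import dataclass
from typing import Optional

# Port keywords IOS accepts in place of numbers (only the ones used here).
PORT_NAMES = {"bgp": 179, "www": 80}

# The three access-lists from the thread (ACEs only; the labels are mine).
ACL_TEXT = {
    "eric": """
        permit tcp any host 1.2.3.4 eq 80
        deny ip any host 1.2.3.4
        permit ip any any
    """,
    "hans1": """
        permit tcp any host 1.2.3.4 eq 80
        permit ospf any any
        permit tcp host 1.1.1.2 host 1.1.1.1 eq bgp
        permit tcp host 1.1.1.2 eq bgp host 1.1.1.1
    """,
    "hans2": """
        permit tcp any host 1.2.3.4 eq 80
        permit ospf host 1.1.1.2 host 1.1.1.1
        permit ospf host 1.1.1.2 host 224.0.0.5
        permit ospf host 1.1.1.2 host 224.0.0.6
        permit ospf host 1.1.1.3 host 1.1.1.1
        permit ospf host 1.1.1.3 host 224.0.0.5
        permit ospf host 1.1.1.3 host 224.0.0.6
        permit tcp host 1.1.1.2 gt 1023 host 1.1.1.1 eq bgp
        permit tcp host 1.1.1.2 eq bgp host 1.1.1.1 gt 1023
    """,
}

@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "ospf", ...
    src: str
    dst: str
    sport: Optional[int] = None   # only meaningful for tcp/udp
    dport: Optional[int] = None

def _parse_addr(tok, i):
    """Consume 'any' or 'host A.B.C.D' (wildcard masks are not modelled)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError(f"unsupported address spec at {tok[i]!r}")

def _parse_port(tok, i):
    """Consume an optional 'eq N' / 'gt N' operator (N numeric or keyword)."""
    if i < len(tok) and tok[i] in ("eq", "gt"):
        name = tok[i + 1]
        return (tok[i], PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i

def parse_ace(line):
    """Parse one entry such as 'permit tcp host 1.1.1.2 gt 1023 host 1.1.1.1 eq bgp'."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    src, i = _parse_addr(tok, 2)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]

def _addr_ok(spec, addr):
    return spec == "any" or spec == addr

def _port_ok(spec, port):
    if spec is None:          # no operator: any port (or a port-less protocol)
        return True
    if port is None:          # operator present but packet has no ports
        return False
    op, n = spec
    return port == n if op == "eq" else port > n

def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for pkt: the first matching ACE wins."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
            continue
        if not (_addr_ok(ace["src"], pkt.src) and _addr_ok(ace["dst"], pkt.dst)):
            continue
        if not (_port_ok(ace["sport"], pkt.sport) and _port_ok(ace["dport"], pkt.dport)):
            continue
        return ace["action"]
    return "deny"   # the implicit deny at the end of every IOS ACL

ACLS = {name: parse_acl(text) for name, text in ACL_TEXT.items()}

# Constructed packets (not captures); 9.9.9.9, 10.0.0.1 and 1.1.1.4 are assumed.
HTTP_TO_SERVER = Packet("tcp", "9.9.9.9", "1.2.3.4", 40000, 80)
SSH_TO_SERVER = Packet("tcp", "9.9.9.9", "1.2.3.4", 40000, 22)
OSPF_HELLO_R3 = Packet("ospf", "1.1.1.3", "224.0.0.5")
OSPF_HELLO_R4 = Packet("ospf", "1.1.1.4", "224.0.0.5")   # a router Hans did not list
BGP_R2_ACTIVE = Packet("tcp", "1.1.1.2", "1.1.1.1", 40001, 179)
BGP_R2_PASSIVE = Packet("tcp", "1.1.1.2", "1.1.1.1", 179, 40001)
TRANSIT_HTTPS = Packet("tcp", "1.1.1.3", "10.0.0.1", 40002, 443)

def compare(pkt):
    """Action each of the three access-lists takes on pkt."""
    return {name: evaluate(acl, pkt) for name, acl in ACLS.items()}

if __name__ == "__main__":
    for label, pkt in [("http->server", HTTP_TO_SERVER), ("ssh->server", SSH_TO_SERVER),
                       ("ospf r3", OSPF_HELLO_R3), ("ospf r4", OSPF_HELLO_R4),
                       ("bgp r2 active", BGP_R2_ACTIVE), ("bgp r2 passive", BGP_R2_PASSIVE),
                       ("transit https", TRANSIT_HTTPS)]:
        print(f"{label:16s} {compare(pkt)}")
```

Running it prints one line per packet; the two lines worth looking at are "ospf r4", where only Eric's list and Hans's first list still permit the hello, and "transit https", where only Eric's list lets ordinary traffic through, which is exactly the difference between "filter all but port 80 to 1.2.3.4" and "permit only what is listed".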


This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:34 GMT-3