From: Jody Davis (joddavis) (joddavis@cisco.com)
Date: Tue Aug 02 2005 - 14:11:49 GMT-3
All,
Doit Lab 4, 4.12 Security states:
* R5 must accept packets sourced from AS400 networks advertised in
a previous task from R4 only.
* Do not use "ip access-group" to accomplish this task
The networks from AS400 are 192.168.100.64 --> 192.168.100.127
Since we want to "only allow networks from AS400", would this be the
correct configuration?
int vlan50
ip verify unicast reverse-path 197
!
access-list 197 permit ip 192.168.100.64 0.0.0.63
access-list 197 deny ip any any
The netmasters "Showit" example shows just the opposite with the
acl:
access-list 197 deny ip 192.168.100.64 0.0.0.63
access-list 197 permit ip any any
________________________________
Access Control Lists and Logging
If an ACL is specified in the command, then when (and only when) a
packet fails the Unicast RPF check, the ACL is checked to see if the
packet should be dropped (using a deny statement in the ACL) or
forwarded (using a permit statement in the ACL). Whether a packet is
dropped or forwarded, the packet is counted in the global IP traffic
statistics for Unicast RPF drops and in the interface statistics for
Unicast RPF.
If no ACL is specified in the Unicast RPF command, the router drops the
forged or malformed packet immediately and no ACL logging occurs. The
router and interface Unicast RPF counters are updated.
Unicast RPF events can be logged by specifying the logging option for
the ACL entries used by the Unicast RPF command. Using the log
information, administrators can see what source addresses are being used
in the attack, the time the packets arrived at the interface, and so on.
Jody
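Added example (not from Jody's post and not Cisco's code): a small Python model of the decision logic the quoted IOS documentation describes. A packet that passes the strict uRPF check is forwarded without ever touching the ACL; only a packet that fails the check is run through the ACL, where permit means forward anyway and deny means drop. The FIB, the interface names (Vlan50, Serial0/0) and the source addresses are constructed for illustration; the two ACLs are the ones from the post.

```python
"""Model of Cisco IOS 'ip verify unicast reverse-path <acl>' decision logic.

Added example, not from the original post. The FIB, interface names and
sample source addresses are constructed; the ACL contents come from the post.
"""
import ipaddress

# Constructed FIB: prefix -> interface the router would use to reach it.
# Strict uRPF passes a packet only if the best route back to its source
# points out the same interface the packet arrived on.
FIB = {
    ipaddress.ip_network("192.168.100.64/26"): "Vlan50",   # AS400 block, learned from R4
    ipaddress.ip_network("10.0.0.0/8"): "Serial0/0",       # some other network
}

ANY = ipaddress.ip_network("0.0.0.0/0")
AS400 = ipaddress.ip_network("192.168.100.64/26")

# ACL 197 as proposed in the post: permit the AS400 block, deny everything else.
ACL_PROPOSED = [("permit", AS400), ("deny", ANY)]
# ACL 197 as in the "Showit" example: deny the AS400 block, permit everything else.
ACL_SHOWIT = [("deny", AS400), ("permit", ANY)]


def fib_lookup(src):
    """Longest-prefix match of the source address in the constructed FIB."""
    best = None
    for prefix, ifname in FIB.items():
        if src in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifname)
    return best[1] if best else None


def acl_match(acl, src):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, prefix in acl:
        if src in prefix:
            return action
    return "deny"


def urpf_decision(src_ip, ingress_if, acl=None):
    """Return 'forward' or 'drop' for a packet with source src_ip on ingress_if."""
    src = ipaddress.ip_address(src_ip)
    if fib_lookup(src) == ingress_if:
        return "forward"          # passes RPF: the ACL is never consulted
    # Fails RPF. Per the IOS documentation, only now is the ACL checked.
    if acl is None:
        return "drop"             # no ACL on the command: dropped immediately
    return "forward" if acl_match(acl, src) == "permit" else "drop"


def compare_acls():
    """Same packets against both ACLs, to see where the two versions differ."""
    cases = [
        ("192.168.100.70", "Vlan50"),     # AS400 source on the expected interface
        ("192.168.100.70", "Serial0/0"),  # AS400 source arriving the wrong way
        ("10.1.1.1", "Vlan50"),           # non-AS400 source arriving on Vlan50
    ]
    return {
        (src, ifname): (urpf_decision(src, ifname, ACL_PROPOSED),
                        urpf_decision(src, ifname, ACL_SHOWIT))
        for src, ifname in cases
    }


if __name__ == "__main__":
    for key, (proposed, showit) in compare_acls().items():
        print(f"{key}: proposed={proposed}  showit={showit}")
```

The only packets the ACL ever sees are the ones that have already failed the reverse-path check, so a permit entry in ACL 197 says "forward this even though it failed uRPF" and a deny entry says "drop it". Run the block and the two ACLs disagree exactly on those failing packets: an AS400-sourced packet arriving on the wrong interface is forwarded under the proposed ACL and dropped under the Showit one, while a non-AS400 source failing the check on Vlan50 gets the reverse treatment.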
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:18 GMT-3