Re: Unicast Reverse Path Forwarding

From: ehiwe peter (ccie.in.nigeria@gmail.com)
Date: Fri Aug 22 2008 - 13:54:51 ART


I believe the answer to that problem is in the doc CD. From the question I
can deduce that you need only an inbound filter (ACL) that denies
10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, which are the private address ranges,
and the reserved loopbacks, which are in the IP address range 127.0.0.0/8.
Then you enable unicast RPF on the interface and apply the ACL.

Solution
------------
! Apply on the interface facing the untrusted side (Fa0/0 on R8 in the task)
int s0
 ip access-group 111 in
 ip verify unicast reverse-path
!
access-list 111 deny ip 127.0.0.0 0.255.255.255 any log
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
! Without this line the implicit deny at the end of the ACL drops all remaining traffic
access-list 111 permit ip any any

On 8/21/08, Mohamed Tandou <dtandou@gmail.com> wrote:
>
> Hello Peter,
> i am working on this problem:
>
> Protect your local network with unicast reverse path forwarding from DoS
> attacks by some illegal traffic entering Fa0/0 on R8. Filter private network
> (A,B,C) addresses and reserved loopback addresses with inbound filter on
> Fa0/0 interface on R8.
>
> Since there are no CIDR addresses defined, for egress filtering should I
> permit my loopback and internal IP addresses
> and deny everything else? For ingress filtering permit same network and
> deny everything else?
>
> Thanks
>
> Moh
>
>
> On Thu, Aug 21, 2008 at 12:00 PM, ehiwe peter <ccie.in.nigeria@gmail.com> wrote:
>
>> It is not necessary to configure inbound and outbound ACLs with unicast
>> RPF; it all depends on the application. The inbound and outbound ACLs are suited
>> for service provider environments where you want only addresses from your
>> CIDR block to source traffic (applied outbound) and *any private address
>> or reserved addresses and your own CIDR block* is denied from the
>> internet (applied inbound). The ingress and egress filters just make unicast
>> RPF more effective.
>>
>> Suggest reading the doc CD link again
>> http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_unicast_rpf_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1001323
>>
>>
>> On Thu, Aug 21, 2008 at 3:37 PM, Mohamed Tandou <dtandou@gmail.com> wrote:
>>
>>
>>> Hello GS,
>>> When configuring Unicast Reverse Path Forwarding per the DocCD you should
>>> configure egress filtering and ingress filtering.
>>> For egress filtering should I permit my loopback and internal IP
>>> addresses and deny everything else? For ingress filtering permit same
>>> network and deny everything else? Please let me know
>>>
>>> Thanks
>>>
>>>
>>> Moh
>>>

Blogs and organic groups at http://www.ccie.net
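To make the reply's point concrete, here is an added example (not code from the thread or from Cisco) that simulates the strict-mode reverse-path check next to the inbound filter, run over sample packets arriving on R8's untrusted interface. The FIB, the interface names and the RFC 5737 documentation prefixes are constructed, and the order in which the two checks are combined is an assumption; the example also shows the caveat that on an interface whose only route back to the source is the default route, strict mode needs the default route explicitly allowed (the allow-default keyword of the reachable-via form of the command), which is exactly why the ACL is still needed to catch private sources.

```python
import ipaddress

# Constructed FIB for "R8" (an assumption, not from the thread): prefix -> interface
# through which that prefix is reached. Prefixes are RFC 5737 documentation ranges.
FIB = {
    ipaddress.ip_network("0.0.0.0/0"): "Fa0/0",        # default route toward the upstream
    ipaddress.ip_network("192.0.2.0/24"): "Fa0/1",     # internal LAN behind R8
    ipaddress.ip_network("198.51.100.0/24"): "Fa0/1",  # second internal prefix
}

# The deny entries of access-list 111 from the reply above.
ACL_111_DENY = [ipaddress.ip_network(p) for p in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def best_route(src):
    """Longest-prefix match on the source address, as the reverse-path lookup does."""
    addr = ipaddress.ip_address(src)
    matches = [(net, ifc) for net, ifc in FIB.items() if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def acl_111(src):
    """True if the inbound ACL permits the source (a trailing 'permit ip any any' is assumed)."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in ACL_111_DENY)


def urpf_strict(src, ingress, allow_default=False):
    """Strict uRPF: the best route back to the source must point out the ingress interface.
    A bare default route only counts when the operator explicitly allows it."""
    route = best_route(src)
    if route is None:
        return False, "no route back to source"
    net, ifc = route
    if net.prefixlen == 0 and not allow_default:
        return False, "only the default route matches (allow-default not set)"
    if ifc != ingress:
        return False, "reverse path is %s, packet arrived on %s" % (ifc, ingress)
    return True, "reverse path matches"


def verdict(src, ingress, allow_default=False):
    """Run both checks on one packet; the order modelled here is an assumption."""
    ok, why = urpf_strict(src, ingress, allow_default)
    if not ok:
        return "drop (uRPF: %s)" % why
    if not acl_111(src):
        return "drop (ACL 111 deny)"
    return "forward"
```

A spoofed internal source such as 192.0.2.5 arriving on Fa0/0 fails the reverse-path check regardless of the ACL, while a private source like 10.1.2.3 passes strict uRPF through the default route (when allowed) and is only stopped by access-list 111.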



This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:31 ART