From: ehiwe peter (ccie.in.nigeria@gmail.com)
Date: Fri Aug 22 2008 - 13:55:56 ART
Forgot one line:
access-list 111 permit ip any any
On 8/22/08, ehiwe peter <ccie.in.nigeria@gmail.com> wrote:
>
> I believe the answer to that problem is in the Doc CD. From the question I
> can deduce that you need only an inbound filter (ACL) that denies
> 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, which are the private address
> ranges, and the reserved loopbacks, which are in the IP address range 127.0.0.0/8.
> Then you enable unicast RPF on the interface and apply the ACL.
>
> Solution
> ------------
> int s0
> ip access-group 111 in
> ip verify unicast reverse-path
>
>
> access-list 111 deny ip 127.0.0.0 0.255.255.255 any log
>
> access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
>
> access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
>
> access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
>
>
>
>
> On 8/21/08, Mohamed Tandou <dtandou@gmail.com> wrote:
>>
>> Hello Peter,
>> i am working on this problem:
>>
>> Protect your local network with unicast reverse path forwarding from DoS
>> attacks by some illegal traffic entering Fa0/0 on R8. Filter private network
>> (A, B, C) addresses and reserved loopback addresses with an inbound filter on
>> the Fa0/0 interface on R8.
>>
>> Since there are no CIDR addresses defined, for egress filtering should I
>> permit my loopback and internal IP addresses
>> and deny everything else? For ingress filtering, permit the same network and
>> deny
>> everything else?
>>
>> Thanks
>>
>> Moh
>>
>>
>> On Thu, Aug 21, 2008 at 12:00 PM, ehiwe peter <ccie.in.nigeria@gmail.com> wrote:
>>
>>> It is not necessary to configure inbound and outbound ACLs with unicast
>>> RPF; it all depends on the application. The inbound and outbound ACLs are suited
>>> for service provider environments where you want only addresses from your
>>> CIDR block to source traffic (applied outbound) and *any private address
>>> or reserved addresses and your own CIDR block* are denied from the
>>> Internet (applied inbound). The ingress and egress filters just make unicast
>>> RPF more effective.
>>>
>>> I suggest reading the Doc CD link again:
>>> http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_unicast_rpf_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1001323
>>>
>>>
>>> On Thu, Aug 21, 2008 at 3:37 PM, Mohamed Tandou <dtandou@gmail.com> wrote:
>>>
>>>
>>>> Hello GS,
>>>> When configuring Unicast Reverse Path Forwarding per the Doc CD you should
>>>> configure egress filtering and ingress filtering.
>>>> For egress filtering should I permit my loopback and internal IP
>>>> addresses
>>>> and deny everything else? For ingress filtering, permit the same network and
>>>> deny
>>>> everything else? Please let me know.
>>>>
>>>> Thanks
>>>>
>>>>
>>>> Moh
>>>>
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:31 ART
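As an added illustration that is not part of the thread and not Cisco's code, the Python model below shows what the two inbound checks in Peter's configuration do to a packet: the first-match evaluation of access-list 111 with IOS wildcard masks (including the implicit deny that his "forgot one line" follow-up is correcting), and a strict unicast RPF check that looks the source address up in a routing table and requires the best route to point back out the ingress interface. It generalises slightly beyond the thread by handling any contiguous wildcard mask and any routing table. The routing table, the interface names and the sample source addresses are constructed assumptions for this example, not values from the lab; the order in which IOS runs the two checks internally is not modelled, only that a packet must pass both.

```python
import ipaddress

# Access list 111 as posted in the thread, including the "permit ip any any"
# that the follow-up message adds. Tuple: (action, base, wildcard, log).
ACL_111 = [
    ("deny",   "127.0.0.0",   "0.255.255.255",   True),   # reserved loopback range
    ("deny",   "10.0.0.0",    "0.255.255.255",   True),   # RFC 1918 class A range
    ("deny",   "172.16.0.0",  "0.15.255.255",    True),   # RFC 1918 class B range
    ("deny",   "192.168.0.0", "0.0.255.255",     True),   # RFC 1918 class C range
    ("permit", "0.0.0.0",     "255.255.255.255", False),  # the forgotten line
]

# Constructed routing table for an "R8"-like router: prefixes and interface
# names are assumptions for this example, not taken from the lab.
ROUTES = {
    "0.0.0.0/0":    "Fa0/0",   # default route towards the untrusted side
    "192.0.2.0/24": "Fa0/1",   # internal LAN behind the router
    "10.99.0.0/16": "Fa0/1",   # an internal private range behind the router
}


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def wildcard_to_prefixlen(wildcard):
    """0.15.255.255 -> 12, 0.255.255.255 -> 8; rejects non-contiguous masks."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError("wildcard is not a contiguous low-order run of 1 bits: " + wildcard)
    return 32 - w.bit_length()


def acl_lookup(acl, src):
    """First match wins. Returns (action, log_flag); no match hits the implicit deny."""
    for action, base, wildcard, log in acl:
        if wildcard_match(src, base, wildcard):
            return action, log
    return "deny", False


def route_lookup(src):
    """Longest-prefix match over ROUTES; returns (network, interface) or None."""
    ip = ipaddress.IPv4Address(src)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.IPv4Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict_passes(src, ingress_iface):
    """Strict uRPF: the best route back to the source must point out the ingress interface."""
    route = route_lookup(src)
    return route is not None and route[1] == ingress_iface


def ingress_verdict(src, ingress_iface, acl=ACL_111):
    """Apply both inbound checks; a packet must pass the ACL and the uRPF test."""
    action, log = acl_lookup(acl, src)
    if action == "deny":
        return "dropped by ACL (logged)" if log else "dropped by ACL"
    if not urpf_strict_passes(src, ingress_iface):
        return "dropped by uRPF"
    return "forwarded"


if __name__ == "__main__":
    # Constructed sample sources arriving on the untrusted interface.
    for src in ("203.0.113.5", "10.1.2.3", "172.31.0.9", "192.0.2.7"):
        print(src, "->", ingress_verdict(src, "Fa0/0"))
    # The same legitimate packet against the ACL without its final permit line.
    print("without permit ip any any:", acl_lookup(ACL_111[:4], "203.0.113.5"))
```

Two things stand out when running it: with the four deny lines alone, a perfectly legitimate Internet source such as 203.0.113.5 falls through to the implicit deny, which is exactly why the missing `permit ip any any` matters; and a packet claiming an internal source (192.0.2.7) is not caught by the bogon ACL at all, but strict uRPF drops it because the route back to that source points out Fa0/1, not the interface it arrived on. That complementary coverage is what the earlier reply means by the filters making uRPF "more effective".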