ISCW - ACL questions
Hey,
When there are access lists like:
deny 10.0.0.0 0.255.255.255 any
deny 172.16.0.0 0.15.255.255 any
deny 192.168.0.0 0.0.255.255 any
permit ip any 10.5.4.0 0.0.0.255
These are usually configured on the untrusted interface in an inbound direction right? Since traffic with a source address from the private ranges shouldn't be incoming from the internet... is that accurate?
Also, what does this accomplish?
deny ip host 255.255.255.255 any
Is that to stop broadcasts or something?
Cheers
CCIE# 38186
showroute.net
Comments
-
kpjungle Member Posts: 426
rakem wrote: »Hey,
When there are access lists like:
deny 10.0.0.0 0.255.255.255 any
deny 172.16.0.0 0.15.255.255 any
deny 192.168.0.0 0.0.255.255 any
permit ip any 10.5.4.0 0.0.0.255
These are usually configured on the untrusted interface in an inbound direction right? Since traffic with a source address from the private ranges shouldn't be incoming from the internet... is that accurate?
Also, what does this accomplish?
deny ip host 255.255.255.255 any
Is that to stop broadcasts or something?
Cheers
Yeah, it pretty much guarantees you against spoofing attacks. So configuring it on the untrusted interface inbound, will protect you against those attacks originating from those IP's.
And you mean:
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
right?
Studying for CCNP (All done)
-
rakem Member Posts: 800
kpjungle wrote: »Yeah, it pretty much guarantees you against spoofing attacks. So configuring it on the untrusted interface inbound, will protect you against those attacks originating from those IP's.
And you mean:
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
right?
Yea.... forgot the IP.
So you wouldn't configure something like that on the inside (trusted interface) as it would pretty much block all outgoing traffic, right?
CCIE# 38186
showroute.net
-
cowood2676 Member Posts: 27
You are correct, the deny ip host 255.255.255.255 any. It is for broadcast traffic but not just any broadcast traffic. By default a router will stop any broadcast traffic...unless you have an ip-helper set up for DHCP. In the case that you have a helper set up, the router will send the broadcast out to the specified address as a unicast packet with a tag as 255.255.255.255 to specify that it is a DHCP request. This line is to keep DHCP spoofing or exhaustion from occurring. You would not use it if you expect to receive any DHCP on that port.
-
kpjungle Member Posts: 426
cowood2676 wrote: »You are correct, the deny ip host 255.255.255.255 any. It is for broadcast traffic but not just any broadcast traffic. By default a router will stop any broadcast traffic...unless you have an ip-helper set up for DHCP. In the case that you have a helper set up, the router will send the broadcast out to the specified address as a unicast packet with a tag as 255.255.255.255 to specify that it is a DHCP request. This line is to keep DHCP spoofing or exhaustion from occurring. You would not use it if you expect to receive any DHCP on that port.
In this case, the 255.255.255.255 is the source address, so packets coming from a source with the broadcast stated as the source address (for example a denial of service attack), will be blocked.
Studying for CCNP (All done)
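The ACL from the thread, worked through in a small Python model of IOS wildcard-mask matching so the three points above can be checked rather than reasoned about: applied inbound on the untrusted interface it drops packets whose source is an RFC 1918 range or the limited-broadcast address 255.255.255.255 (kpjungle's point that the broadcast address is the source here), while the same list applied inbound on the trusted interface drops the inside hosts' own outbound traffic (rakem's follow-up question). This is an added example, not code from the thread or from Cisco. The names `wildcard_match`, `parse_ace`, `evaluate` and `check_thread_scenarios` are chosen here; the evaluator models only `permit`/`deny ip` entries with `any`, `host` and wildcard forms plus the implicit deny at the end; all packet addresses are constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask test: a 0 bit in the mask means 'must match',
    a 1 bit means 'don't care' (the inverse of a subnet mask)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Ace:
    """One access-control entry: action plus source/destination base and wildcard."""
    action: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def _take_addr(tokens: List[str]) -> Tuple[str, str, List[str]]:
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse '<permit|deny> ip <src-spec> <dst-spec>' as written in the thread
    (extended ACL syntax, IP protocol only; no ports or other protocols)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    src, src_wc, rest = _take_addr(tokens[2:])
    dst, dst_wc, rest = _take_addr(rest)
    if rest:
        raise ValueError(f"trailing tokens in: {line!r}")
    return Ace(tokens[0], src, src_wc, dst, dst_wc)


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching entry wins. Returns (action, index of the matching entry);
    a packet matching nothing hits the implicit 'deny ip any any' -> ('deny', None)."""
    for i, ace in enumerate(acl):
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action, i
    return "deny", None


# The ACL discussed in the thread, with the 'ip' keyword kpjungle pointed out
# and the broadcast-source line from the second question included.
ANTI_SPOOF_ACL = [parse_ace(line) for line in [
    "deny ip host 255.255.255.255 any",      # 0: limited-broadcast address as a source
    "deny ip 10.0.0.0 0.255.255.255 any",    # 1: RFC 1918 10/8
    "deny ip 172.16.0.0 0.15.255.255 any",   # 2: RFC 1918 172.16/12
    "deny ip 192.168.0.0 0.0.255.255 any",   # 3: RFC 1918 192.168/16
    "permit ip any 10.5.4.0 0.0.0.255",      # 4: everything else, only to the inside /24
]]


def check_thread_scenarios() -> dict:
    """Run the thread's questions through the evaluator. All addresses are
    constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges."""
    return {
        # legitimate internet client reaching the 10.5.4.0/24 network: permit, entry 4
        "internet_to_inside": evaluate(ANTI_SPOOF_ACL, "203.0.113.7", "10.5.4.10"),
        # internet client aiming at some other inside prefix: nothing matches -> implicit deny
        "internet_to_other_prefix": evaluate(ANTI_SPOOF_ACL, "203.0.113.7", "10.9.9.9"),
        # packet arriving on the untrusted interface with a private source (spoofed): entry 1
        "spoofed_rfc1918_source": evaluate(ANTI_SPOOF_ACL, "10.1.2.3", "10.5.4.10"),
        # 172.31.x is inside 172.16.0.0/12 (entry 2); 172.32.x is just outside it and falls through
        "top_of_172_16_12": evaluate(ANTI_SPOOF_ACL, "172.31.5.5", "10.5.4.10"),
        "just_outside_172_16_12": evaluate(ANTI_SPOOF_ACL, "172.32.0.1", "10.5.4.10"),
        # limited-broadcast address used as a *source* address: entry 0
        "broadcast_source": evaluate(ANTI_SPOOF_ACL, "255.255.255.255", "10.5.4.10"),
        # rakem's follow-up: the same list applied inbound on the trusted interface
        # drops an inside host's own outbound packet on the 10/8 deny (entry 1)
        "inside_host_outbound_if_misapplied": evaluate(ANTI_SPOOF_ACL, "10.5.4.10", "198.51.100.1"),
    }


if __name__ == "__main__":
    for name, (action, idx) in check_thread_scenarios().items():
        where = "implicit deny" if idx is None else f"entry {idx}"
        print(f"{name:38s} {action:6s} ({where})")
```

Running the block prints one line per scenario with the entry that decided it. The `172.32.0.1` case is the one worth noticing when reading a wildcard mask: `0.15.255.255` covers 172.16.0.0 through 172.31.255.255 only, so a source one past that range is not caught by the RFC 1918 line and is judged by the later entries instead.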