rakem wrote: »
Hey, when there are access lists like:

deny 10.0.0.0 0.255.255.255 any
deny 172.16.0.0 0.15.255.255 any
deny 192.168.0.0 0.0.255.255 any
permit ip any 10.5.4.0 0.0.0.255

These are usually configured on the untrusted interface in an inbound direction, right? Since traffic with a source address from the private ranges shouldn't be incoming from the internet... is that accurate?

Also, what does this accomplish?

deny ip host 255.255.255.255 any

Is that to stop broadcasts or something?

Cheers
kpjungle wrote: »
Yeah, it pretty much guarantees you against spoofing attacks. So configuring it on the untrusted interface inbound will protect you against those attacks originating from those IPs.

And you mean:

deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any

right?
cowood2676 wrote: »
You are correct about the deny ip host 255.255.255.255 any. It is for broadcast traffic, but not just any broadcast traffic. By default a router will stop any broadcast traffic... unless you have an ip-helper set up for DHCP. In the case that you have a helper set up, the router will send the broadcast out to the specified address as a unicast packet with a tag of 255.255.255.255 to specify that it is a DHCP request. This line is to keep DHCP spoofing or exhaustion from occurring. You would not use it if you expect to receive any DHCP on that port.
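To see what the ingress filter from this thread actually does, here is an added example (not from the thread or from any vendor) that evaluates the corrected ACL, with the "ip" keyword kpjungle pointed out, against constructed packets using IOS wildcard-mask semantics: first match wins, with an implicit deny at the end. The ACL text and the sample source/destination addresses are constructed for this example.

```python
import ipaddress

# Constructed ACL from the thread, written with the "ip" protocol keyword.
# Order matters: IOS evaluates access-list entries top-down, first match wins.
ACL = """
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip host 255.255.255.255 any
permit ip any 10.5.4.0 0.0.0.255
"""

def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD'); return (address, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF            # every bit is "don't care"
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0   # every bit must match
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' lines into (action, src_spec, dst_spec) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            # Catches the original post's entries, which omitted the protocol keyword.
            raise ValueError(f"malformed or unsupported access-list entry: {line!r}")
        rest = tokens[2:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        entries.append((action, src, dst))
    return entries

def _matches(addr, spec):
    """Wildcard-mask match: a 1 bit in the wildcard means 'ignore this bit'."""
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (net & care)

def evaluate(entries, src, dst):
    """Return 'permit' or 'deny' for an IP packet from src to dst (implicit deny if nothing matches)."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, src_spec, dst_spec in entries:
        if _matches(s, src_spec) and _matches(d, dst_spec):
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(ACL)
    for pkt in [("8.8.8.8", "10.5.4.10"), ("10.1.2.3", "10.5.4.10"), ("172.32.0.1", "10.5.4.10")]:
        print(pkt, "->", evaluate(acl, *pkt))
```

Note that 172.32.0.1 is permitted: the wildcard 0.15.255.255 only covers 172.16.0.0 through 172.31.255.255, which is exactly the RFC 1918 block.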