ISCW - ACL questions

rakem Member Posts: 800
Hey,

When there are access lists like:


deny 10.0.0.0 0.255.255.255 any
deny 172.16.0.0 0.15.255.255 any
deny 192.168.0.0 0.0.255.255 any
permit ip any 10.5.4.0 0.0.0.255

These are usually configured on the untrusted interface in an inbound direction right? Since traffic with a source address from the private ranges shouldn't be incoming from the internet... is that accurate?


Also, what does this accomplish?

deny ip host 255.255.255.255 any

Is that to stop broadcasts or something?

Cheers
CCIE# 38186
showroute.net

Comments

  • kpjungle Member Posts: 426
    rakem wrote: »
    Hey,

    When there are access lists like:


    deny 10.0.0.0 0.255.255.255 any
    deny 172.16.0.0 0.15.255.255 any
    deny 192.168.0.0 0.0.255.255 any
    permit ip any 10.5.4.0 0.0.0.255

    These are usually configured on the untrusted interface in an inbound direction right? Since traffic with a source address from the private ranges shouldn't be incoming from the internet... is that accurate?


    Also, what does this accomplish?

    deny ip host 255.255.255.255 any

    Is that to stop broadcasts or something?

    Cheers

    Yeah, it pretty much guarantees you against spoofing attacks. So configuring it on the untrusted interface inbound, will protect you against those attacks originating from those IP's.

    And you mean:

    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any

    right?
    Studying for CCNP (All done)
  • rakem Member Posts: 800
    kpjungle wrote: »
    Yeah, it pretty much guarantees you against spoofing attacks. So configuring it on the untrusted interface inbound, will protect you against those attacks originating from those IP's.

    And you mean:

    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any

    right?

    Yea.... forgot the IP.

    So you wouldn't configure something like that on the inside (trusted interface) as it would pretty much block all out going traffic right?
    CCIE# 38186
    showroute.net
  • cowood2676 Member Posts: 27
    You are correct about the deny ip host 255.255.255.255 any. It is for broadcast traffic but not just any broadcast traffic. By default a router will stop any broadcast traffic...unless you have an ip-helper set up for DHCP. In the case that you have a helper set up, the router will send the broadcast out to the specified address as a unicast packet with a tag of 255.255.255.255 to specify that it is a DHCP request. This line is to keep DHCP spoofing or exhaustion from occurring. You would not use it if you expect to receive any DHCP on that port.
  • kpjungle Member Posts: 426
    cowood2676 wrote: »
    You are correct about the deny ip host 255.255.255.255 any. It is for broadcast traffic but not just any broadcast traffic. By default a router will stop any broadcast traffic...unless you have an ip-helper set up for DHCP. In the case that you have a helper set up, the router will send the broadcast out to the specified address as a unicast packet with a tag of 255.255.255.255 to specify that it is a DHCP request. This line is to keep DHCP spoofing or exhaustion from occurring. You would not use it if you expect to receive any DHCP on that port.

    In this case, the 255.255.255.255 is the source address, so packets coming from a source with the broadcast stated as the source address (for example a denial of service attack), will be blocked.
    Studying for CCNP (All done)
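    To see how the inbound anti-spoofing ACL discussed in this thread (with the corrected "deny ip ..." lines and the deny for a 255.255.255.255 source) actually evaluates, here is a small Python model of Cisco wildcard-mask matching with the implicit deny at the end. This is an added example, not code from the thread or from IOS; the source and destination addresses used for the checks are constructed.

```python
import ipaddress

# The ACL from the thread, as kpjungle corrected it, plus the
# "deny ip host 255.255.255.255 any" line from rakem's second question.
INBOUND_ACL = [
    "deny ip 10.0.0.0 0.255.255.255 any",
    "deny ip 172.16.0.0 0.15.255.255 any",
    "deny ip 192.168.0.0 0.0.255.255 any",
    "deny ip host 255.255.255.255 any",
    "permit ip any 10.5.4.0 0.0.0.255",
]

MASK32 = 0xFFFFFFFF


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (net, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, MASK32
    if tok == "host":
        return _to_int(tokens.pop(0)), 0
    return _to_int(tok), _to_int(tokens.pop(0))


def parse_ace(line):
    """Split one access-list entry into (action, src_spec, dst_spec)."""
    tokens = line.split()
    action = tokens.pop(0)
    if tokens[0] in ("ip", "tcp", "udp", "icmp"):  # protocol keyword of an extended ACL
        tokens.pop(0)
    return action, _parse_addr(tokens), _parse_addr(tokens)


def _matches(addr, spec):
    """Wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net, wild = spec
    care = ~wild & MASK32
    return (addr & care) == (net & care)


def evaluate(acl, src_ip, dst_ip):
    """Return 'permit' or 'deny' for a packet; first match wins, then implicit deny."""
    s, d = _to_int(src_ip), _to_int(dst_ip)
    for line in acl:
        action, src, dst = parse_ace(line)
        if _matches(s, src) and _matches(d, dst):
            return action
    return "deny"  # the implicit deny at the end of every IOS ACL
```

Running `evaluate(INBOUND_ACL, "10.1.2.3", "10.5.4.10")` returns "deny" while a public source such as "203.0.113.7" to the same destination returns "permit"; the same public source to a destination outside 10.5.4.0/24 falls through to the implicit deny.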