ACL usage: Direction of traffic

September 24, 2008 at 1:53 pm | Posted in Blogroll | Leave a comment

Lab13, Task 7.1

I sometimes make stupid mistakes, e.g. when doing this task, where I overlooked the direction in which each ACL is applied.

Tips to avoid stupid mistakes

– Read the question carefully.

– Use common sense. ICMP-based DoS attempts usually arrive as ICMP echo requests sent from OUTSIDE, while the ICMP responses an attacker wants to collect (e.g. port unreachable, time exceeded) are generated from INSIDE. So the echo filter belongs on the inbound direction and the response filter on the outbound direction.

Task requirement:

Configure R3’s interface E0/1 and R4’s interface E0/0 to reflect the following policy:

  • Deny inbound all ICMP echo (type 8) packets.
  • Deny outbound all ICMP time exceeded and port unreachable packets to stop traceroute ‘replies’.
  • Silently discard packets that are denied.
  • Log all denied packets.

! R3: apply the two ACLs on E0/1 (the same configuration goes under interface Ethernet0/0 on R4)
interface Ethernet0/1
 ip access-group FILTER_IN in
 ip access-group FILTER_OUT out
 ! silent discard: do not answer denied packets with ICMP unreachables
 no ip unreachables
!
! inbound: block echo requests (type 8) and log them
ip access-list extended FILTER_IN
 deny icmp any any echo log
 permit ip any any
!
! outbound: block the traceroute 'replies' (type 11 and type 3/code 3) and log them
ip access-list extended FILTER_OUT
 deny icmp any any time-exceeded log
 deny icmp any any port-unreachable log
 permit ip any any
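As an added example that is not part of the original post or the lab material, the following Python script models the first-match evaluation of the two ACLs above and checks the whole policy against both the correct binding (FILTER_IN inbound, FILTER_OUT outbound) and the swapped binding that the direction mistake produces. The ICMP type/code numbers are the RFC 792 values behind the IOS keywords; the packet samples and the expected-result table are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ICMP types/codes from RFC 792 that the IOS ACL keywords map to.
ECHO = (8, None)            # 'echo': type 8, any code
TIME_EXCEEDED = (11, None)  # 'time-exceeded': type 11, any code
PORT_UNREACHABLE = (3, 3)   # 'port-unreachable': type 3, code 3


@dataclass(frozen=True)
class Ace:
    """One entry of a named extended ACL, e.g. 'deny icmp any any echo log' or 'permit ip any any'."""
    action: str                                       # "permit" or "deny"
    proto: str                                        # "icmp" or "ip"
    icmp: Optional[Tuple[int, Optional[int]]] = None  # (type, code); code None means any code
    log: bool = False


@dataclass(frozen=True)
class Packet:
    proto: str
    icmp_type: Optional[int] = None
    icmp_code: int = 0


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, bool]:
    """Return (action, logged) of the first matching entry; IOS ends every ACL with an unlogged implicit 'deny ip any any'."""
    for ace in acl:
        if ace.proto == "ip":
            return ace.action, ace.log
        if ace.proto != pkt.proto or ace.icmp is None:
            continue
        icmp_type, icmp_code = ace.icmp
        if icmp_type == pkt.icmp_type and (icmp_code is None or icmp_code == pkt.icmp_code):
            return ace.action, ace.log
    return "deny", False


# The two ACLs from the post, transcribed entry for entry.
FILTER_IN = [Ace("deny", "icmp", ECHO, log=True), Ace("permit", "ip")]
FILTER_OUT = [
    Ace("deny", "icmp", TIME_EXCEEDED, log=True),
    Ace("deny", "icmp", PORT_UNREACHABLE, log=True),
    Ace("permit", "ip"),
]

# 'ip access-group <name> in|out', modelled as direction -> ACL.
CORRECT_BINDING = {"in": FILTER_IN, "out": FILTER_OUT}
SWAPPED_BINDING = {"in": FILTER_OUT, "out": FILTER_IN}  # the mistake described in the post

# Constructed policy table: (direction, packet, expected action, must be logged).
# The permit rows show that each message is only blocked in one direction.
POLICY = [
    ("in", Packet("icmp", 8), "deny", True),       # echo request from outside
    ("out", Packet("icmp", 11), "deny", True),     # time exceeded leaving the network
    ("out", Packet("icmp", 3, 3), "deny", True),   # port unreachable leaving the network
    ("out", Packet("icmp", 8), "permit", False),   # pings from inside still go out
    ("in", Packet("icmp", 0), "permit", False),    # and their echo replies come back
    ("in", Packet("icmp", 11), "permit", False),   # traceroute run from inside still works
    ("in", Packet("tcp"), "permit", False),        # non-ICMP traffic is untouched
]


def check_policy(binding: Dict[str, List[Ace]]) -> List[str]:
    """Evaluate every policy row against a binding; return one line per violation (empty list = policy met)."""
    violations = []
    for direction, pkt, want_action, want_log in POLICY:
        action, logged = evaluate(binding[direction], pkt)
        if action != want_action or (want_log and not logged):
            violations.append(
                f"{direction} {pkt.proto} type={pkt.icmp_type} code={pkt.icmp_code}: "
                f"got {action} logged={logged}, wanted {want_action}"
            )
    return violations


if __name__ == "__main__":
    print("correct binding:", check_policy(CORRECT_BINDING) or "policy satisfied")
    for line in check_policy(SWAPPED_BINDING):
        print("swapped binding:", line)
```

Running it prints no violations for the correct binding and five for the swapped one, the first being the inbound echo request that sails through because FILTER_OUT never looks at type 8. The same table is a cheap way to re-check the policy after any later edit to the ACLs.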
