ACL usage: Direction of traffic

September 24, 2008 at 1:53 pm | Posted in Blogroll

Lab13, Task 7.1

I sometimes make stupid mistakes, e.g. when doing this task, where I overlooked the direction of the ACL.

Tips to avoid stupid mistakes

– Read questions carefully

– Use common sense. DoS attempts usually arrive as ICMP echo requests sent from OUTSIDE, while the other ICMP messages (e.g. port unreachable, time exceeded) are responses generated from INSIDE, so they need to be filtered in the opposite direction.

Task requirement:

Configure R3’s interface E0/1 and R4’s interface E0/0 to reflect the following policy:

  • Deny inbound all ICMP echo (type 8) packets.
  • Deny outbound all ICMP time exceeded and port unreachable packets to stop traceroute ‘replies’.
  • Silently discard packets that are denied.
  • Log all denied packets.

Solution:

interface Ethernet0/1
 ip access-group FILTER_IN in
 ip access-group FILTER_OUT out
 no ip unreachables
!
ip access-list extended FILTER_IN
 remark Inbound: drop and log ICMP echo requests (type 8), allow everything else
 deny icmp any any echo log
 permit ip any any
!
ip access-list extended FILTER_OUT
 remark Outbound: drop and log the traceroute responses generated inside
 deny icmp any any time-exceeded log
 deny icmp any any port-unreachable log
 permit ip any any
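To make the direction point concrete, here is an added example (not from the original post) that models how the two ACLs above are evaluated per direction on one interface. The ICMP type/code mapping and the Packet class are my own constructed simplification of IOS behaviour, including the implicit deny at the end of each list.

```python
"""Simulate FILTER_IN / FILTER_OUT as bound with 'ip access-group ... in|out'."""
from dataclasses import dataclass

# ICMP (type, code) behind the IOS keywords used in the ACLs; None = any code
ICMP = {
    "echo": (8, 0),
    "echo-reply": (0, 0),
    "time-exceeded": (11, None),
    "port-unreachable": (3, 3),
}


@dataclass(frozen=True)
class Packet:
    proto: str              # "icmp", "tcp", "udp", ...
    icmp_type: int = -1     # only meaningful when proto == "icmp"
    icmp_code: int = -1


# Each ACE is (action, protocol, icmp keyword or None, log). Order matters.
FILTER_IN = [("deny", "icmp", "echo", True),
             ("permit", "ip", None, False)]
FILTER_OUT = [("deny", "icmp", "time-exceeded", True),
              ("deny", "icmp", "port-unreachable", True),
              ("permit", "ip", None, False)]


def _matches(entry, pkt):
    _, proto, keyword, _ = entry
    if proto != "ip" and proto != pkt.proto:
        return False                # 'ip' matches any protocol
    if keyword is None:
        return True
    icmp_type, icmp_code = ICMP[keyword]
    return pkt.icmp_type == icmp_type and (icmp_code is None or pkt.icmp_code == icmp_code)


def evaluate(acl, pkt):
    """First matching ACE wins; unmatched traffic hits the implicit deny (not logged)."""
    for entry in acl:
        if _matches(entry, pkt):
            return entry[0], entry[3]
    return "deny", False


def apply_interface(direction, pkt):
    """Select the ACL bound in the given direction ('in' or 'out') and evaluate it."""
    acl = FILTER_IN if direction == "in" else FILTER_OUT
    return evaluate(acl, pkt)
```

Running an echo request through both directions shows why swapping `in` and `out` breaks the policy: inbound it is denied and logged, outbound the same packet is permitted, while time-exceeded is only denied outbound.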
