02-02-2006 11:20 PM - edited 03-03-2019 01:41 AM
If I applied the ACL below as the inbound on the interface e0/0 :
RA#configure terminal
RA(config)#access-list 10 permit 172.16.0.0 0.0.255.255
RA(config)#interface fastethernet 0/0
RA(config-if)#ip access-group 10 in
Implicitly everything else will be denied, but does that affect outbound traffic as well? (I know that if I am sending outbound traffic {say A}, I should expect a response {say B} to that outbound traffic {A}.)
But my question is: if I do not care about receiving the response (B, inbound), will the outbound traffic {A} still be able to leave the router RA?
02-02-2006 11:32 PM
Hi Zillah,
A simple way of thinking about it is: if any traffic hits the fa0/0 interface on your router from your LAN, it will be checked first before moving out of the interface.
But if any traffic is coming from a different interface, say int fa0/1, towards your fa0/0 interface, it will not be checked.
HTH
Ankur
02-03-2006 12:00 AM
My understanding of what you have been explaining is that the outbound traffic in my case will still leave the router RA. Am I right?
02-03-2006 12:33 AM
Hi Zillah,
Suppose you are trying to access anything outside your network, let's say yahoo.com, from your LAN, and it reaches the default gateway, which is your LAN interface fa0/0: it will be denied.
Any traffic other than what you have allowed will be denied when it hits fa0/0 from the LAN towards the outside world, but any traffic coming from outside will be allowed.
HTH, please rate all posts.
Ankur
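The inbound-only behaviour Ankur describes, as an added example that is not part of the original thread: a small Python model of a standard IOS access list bound with "ip access-group 10 in". The interface names fa0/0 and fa0/1 and the sample addresses are assumptions; the model also shows what a standard ACL entry matches when the wildcard mask is left off entirely.

```python
import ipaddress

# Constructed example, not from the original post or from Cisco: a minimal model
# of how a standard access list applied with "ip access-group <n> in" is
# evaluated. Only packets ENTERING the interface the ACL is bound to are
# checked; packets leaving through that interface are untouched by an inbound ACL.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard means 'must match'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


class StandardAcl:
    """Ordered (action, base, wildcard) entries with the implicit 'deny any' at the end."""

    def __init__(self, number: int):
        self.number = number
        self.entries = []

    def add(self, action: str, base: str, wildcard: str = "0.0.0.0"):
        # Omitting the wildcard, as in "permit 172.16.0.0", means 0.0.0.0:
        # the single host 172.16.0.0, almost never what is intended.
        self.entries.append((action, base, wildcard))
        return self

    def evaluate(self, src: str) -> str:
        for action, base, wc in self.entries:
            if wildcard_match(src, base, wc):
                return action
        return "deny"  # implicit deny any


class Router:
    """Tracks which ACL is bound to which (interface, direction)."""

    def __init__(self):
        self.bindings = {}

    def access_group(self, interface: str, acl: StandardAcl, direction: str):
        self.bindings[(interface, direction)] = acl

    def forward(self, src: str, ingress: str, egress: str):
        """Return (verdict, list of bindings that actually inspected the packet)."""
        checked = []
        for iface, direction in ((ingress, "in"), (egress, "out")):
            acl = self.bindings.get((iface, direction))
            if acl is None:
                continue
            checked.append(f"{iface}/{direction}")
            if acl.evaluate(src) == "deny":
                return "deny", checked
        return "permit", checked


def build_ra() -> Router:
    """Router RA from the thread: ACL 10 permits 172.16.0.0/16, applied inbound on fa0/0 (assumed LAN side)."""
    acl10 = StandardAcl(10).add("permit", "172.16.0.0", "0.0.255.255")
    ra = Router()
    ra.access_group("fa0/0", acl10, "in")
    return ra


def demo() -> dict:
    """Three constructed packets through RA; fa0/1 is an assumed second interface."""
    ra = build_ra()
    return {
        "lan_host_in_fa0/0": ra.forward("172.16.1.5", "fa0/0", "fa0/1"),   # checked, permitted
        "other_src_in_fa0/0": ra.forward("10.1.1.1", "fa0/0", "fa0/1"),    # checked, implicit deny
        "reply_in_fa0/1": ra.forward("203.0.113.9", "fa0/1", "fa0/0"),     # leaves via fa0/0, never checked
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
    no_mask = StandardAcl(10).add("permit", "172.16.0.0")
    print("no wildcard, src 172.16.1.5 ->", no_mask.evaluate("172.16.1.5"))
```

The third packet is the one the question is really about: a reply entering on fa0/1 and leaving through fa0/0 is never compared against ACL 10, because the list is bound inbound only. The last two lines show why the original "permit 172.16.0.0" without a mask is a trap: it permits exactly one address and the implicit deny catches every real host.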
02-03-2006 03:12 AM
Thanks Ankur
I have got another scenario from an Internetwork Expert lab about stopping a DoS attack:
{{A remote site with one connection to the rest of the network.
Normally, to prevent spoofed IP addresses from being sent by the remote site, an access-list is created to only permit packets with the remote site's network as the source IP address.
This access-list is applied inbound on the main site's router.}}
Let us put it as an example: suppose a remote site has the network address 140.16.0.0/16.
The main router is called CentralR, with serial interface S0/0; then the configuration is:
CentralR(config)#access-list 1 permit 140.16.0.0 0.0.255.255
CentralR(config)#interface serial 0/0
CentralR(config-if)#ip access-group 1 in
Explanation:
1- If the direction of the packets is from the remote site (140.16.0.0) towards the main router (inbound traffic), the router will accept (ACL permit) both the genuine source IP address and a spoofed source IP address, because the router cannot distinguish between them. Am I right?
2- Since the router cannot deny the outgoing flow (outbound), because the ACL has been applied for inbound traffic only, how can I reduce the impact of a DoS attack?
02-03-2006 03:31 AM
Hi Zillah,
1) The answer to your first question is YES, as the genuine source IP address and a spoofed source IP address will both be allowed.
2) Though I am not a security guy, I still remember my security friends used to talk about a command:
ip verify unicast reverse-path
Check the link for more details:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hsec_r/sec_i2h.htm#wp1147391
Usage Guidelines
Use the ip verify unicast reverse-path interface command to mitigate problems caused by malformed or forged (spoofed) IP source addresses that are received by a router. Malformed or forged source addresses can indicate denial of service (DoS) attacks on the basis of source IP address spoofing.
But this only works if you have CEF enabled on the router.
HTH, please rate all posts.
Ankur
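Added example, not from the original thread or from Cisco: a Python model of what the strict form of ip verify unicast reverse-path checks on CentralR's S0/0. The routing table, the 192.0.2.0/24 main-site LAN, the interface names and the sample sources are all constructed assumptions. It goes slightly beyond the thread by also modelling the allow-default keyword, which decides whether a default route counts as a valid reverse path.

```python
import ipaddress

# Constructed example: strict unicast RPF as applied on the main-site router.
# Strict mode looks up the packet's SOURCE address in the routing table and
# drops the packet unless the best route points back out the interface the
# packet arrived on. Everything below is an assumption for illustration.

ROUTES = [
    (ipaddress.ip_network("140.16.0.0/16"), "Serial0/0"),        # remote site from the thread
    (ipaddress.ip_network("192.0.2.0/24"), "FastEthernet0/0"),   # assumed main-site LAN
    (ipaddress.ip_network("0.0.0.0/0"), "FastEthernet0/1"),      # assumed default route to the Internet
]


def lookup(addr: str):
    """Longest-prefix match; returns (network, egress interface) or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for net, iface in ROUTES:
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(src: str, ingress: str, allow_default: bool = False) -> bool:
    """True if the packet passes the strict reverse-path check on 'ingress'.

    Models the IOS behaviour that a default route only satisfies the check
    when the allow-default keyword is configured.
    """
    route = lookup(src)
    if route is None:
        return False
    net, iface = route
    if net.prefixlen == 0 and not allow_default:
        return False
    return iface == ingress


def classify(packets, allow_default: bool = False) -> dict:
    """Map each constructed (src, ingress) pair to 'forward' or 'drop'."""
    return {
        (src, ingress): ("forward" if urpf_strict(src, ingress, allow_default) else "drop")
        for src, ingress in packets
    }


# Constructed packets, one per case worth understanding.
SAMPLE = [
    ("140.16.3.4", "Serial0/0"),          # genuine remote-site source: forward
    ("140.16.200.1", "Serial0/0"),        # spoofed but inside the remote prefix: still forward
    ("192.0.2.10", "Serial0/0"),          # spoofed main-site LAN address: drop
    ("140.16.9.9", "FastEthernet0/1"),    # remote-site address arriving from the Internet side: drop
    ("198.51.100.7", "FastEthernet0/1"),  # matches only the default route: drop unless allow-default
]


if __name__ == "__main__":
    for (src, ingress), verdict in classify(SAMPLE).items():
        print(f"{src:>14} on {ingress:<16} -> {verdict}")
    print("with allow-default, 198.51.100.7 on FastEthernet0/1 ->",
          classify([("198.51.100.7", "FastEthernet0/1")], allow_default=True))
```

The second sample packet is the important caveat: a spoofed source that still falls inside 140.16.0.0/16 passes strict uRPF on S0/0 for exactly the reason it passes access-list 1, because the reverse route really does point at S0/0. uRPF adds value against sources that belong to other interfaces (the third and fourth packets), which a standard ACL on that one interface cannot express without being rewritten every time the routing table changes.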