Posts from ‘IOS Firewall’
INE is proud to announce the upcoming release of our new CCIE Security Advanced Technologies Class and CCIE Security 5-Day Bootcamp. The 5-Day Bootcamp will be available in streaming and download format starting this weekend, followed shortly by the Advanced Technologies class. Both of these video series are included with the All Access Pass subscriptions, or can be purchased as standalone downloads. Samples of both classes are available below.
Hello to all our faithful blog readers, I hope this post finds you well and enjoying your studies!
Access list tasks are a common CCIE Lab Exam feature, and I wanted to take a moment to show how easy it can be for a candidate to miss one thing or many things in such a task.
Here is the task topology and the task itself. Following that we have the proposed solution by a Mock Student.
Can you find the errors in his or her ways?
8.1 Configure a security filter on R3 that will accomplish the following for traffic entering the router from the direction of R2:
- Allow Telnet from R2 (S0/1) to R1 (Lo1)
- Allow BGP traffic through the router
- Allow ICMP ping traffic between R1 (Lo1) and R2 (Lo1)
- Block any traffic sourced from RFC 1918 addresses – log these violations and include Layer 2 address information
The Proposed Solution
access-list 100 permit tcp host 22.214.171.124 eq telnet host 192.168.100.1 eq telnet
access-list 100 permit tcp any any eq bgp
access-list 100 permit icmp host 126.96.36.199 host 192.168.100.1
access-list 100 permit icmp host 192.168.100.1 host 188.8.131.52
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.0.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
ip access-group 100 in
NOTE: I have posted a solution to this blog in the comments. The solution post date is November 20th, 2008.
What in the world is a bogon? It is a source address that should not appear in an IP packet on an interface that faces the public Internet. A very famous example of a bogon address would be the Private IP address space, as defined in RFC 1918. This address space is as follows:
- 10.0.0.0/8 (10.0.0.0 through 10.255.255.255)
- 172.16.0.0/12 (172.16.0.0 through 172.31.255.255)
- 192.168.0.0/16 (192.168.0.0 through 192.168.255.255)
What would be another example of a bogon address? How about the “link-local” addresses that a system will use to communicate on the local link in the event of DHCP failure. This address space is 169.254.0.0/16.
So bogons consist of special use addresses and any other portions of the address space that have not been allocated for public use. This list of addresses is not static, and does change over time. These addresses are excellent entries in your filters (access control lists) for interfaces that face the Internet.
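As an added example (not code from the original post), here is a small Python checker that serves both the access list task above and this bogon discussion: it converts IOS wildcard masks to prefixes, pulls the source ranges out of the mock student's deny entries, and reports which of the RFC 1918 and link-local blocks those entries leave partly or wholly uncovered. The blocks checked are the ones the text names; the entry format assumed is the numbered "deny ip SRC WILDCARD any" form used in the proposed solution.

```python
import ipaddress

# Blocks the post wants an Internet-facing filter to drop: the three RFC 1918
# ranges plus the link-local block it mentions (169.254.0.0/16).
REQUIRED_BLOCKS = [ipaddress.ip_network(p) for p in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed copy of the three deny entries in the mock student's ACL above.
PROPOSED_DENIES = [
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 any log",
    "access-list 100 deny ip 172.16.0.0 0.0.255.255 any log",
    "access-list 100 deny ip 192.168.0.0 0.0.255.255 any log",
]

def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into a prefix. A wildcard is an inverted
    mask (0 = must match, 1 = don't care): 0.0.255.255 is /16, 0.15.255.255 is /12.
    Only a contiguous run of 1 bits maps to one prefix; anything else is rejected."""
    wc = int(ipaddress.ip_address(wildcard))
    host_bits = wc.bit_length()
    if wc != (1 << host_bits) - 1:
        raise ValueError(f"discontiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)

def denied_sources(acl_lines):
    """Source prefixes from 'access-list N deny ip SRC WILDCARD any ...' entries."""
    nets = []
    for line in acl_lines:
        f = line.split()
        if len(f) >= 7 and f[2:4] == ["deny", "ip"] and f[6] == "any":
            nets.append(wildcard_to_network(f[4], f[5]))
    return nets

def coverage_gaps(required, denied):
    """Map each required block to the sub-ranges that no deny entry catches."""
    gaps = {}
    for block in required:
        remaining = [block]
        for d in denied:
            nxt = []
            for r in remaining:
                if r.subnet_of(d):            # fully inside a deny entry: covered
                    continue
                if d.subnet_of(r):            # deny carves a hole out of r
                    nxt.extend(r.address_exclude(d))
                else:
                    nxt.append(r)             # no overlap: r stays uncovered
            remaining = nxt
        gaps[str(block)] = sorted(str(n) for n in remaining)
    return gaps
```

Running coverage_gaps(REQUIRED_BLOCKS, denied_sources(PROPOSED_DENIES)) shows which required blocks the proposed entries fully cover and which they do not; the same function works against any numbered ACL you paste in.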
What is a convenient place to learn of the bogon addresses you should be most concerned with as a CCIE candidate? Well, it is none other than an RFC. It is RFC 3330. It is an excellent RFC that summarizes many of the other RFCs detailing special use address space. You can find RFC 3330 here: