Hi Brandon

RFC 2827 is specifically meant for ISP ingress filtering, right? It relates
more to an ISP filtering unwanted source addresses from its customers.

Ref - http://www.ietf.org/rfc/rfc3704.txt

access-list 123 remark RFC 2827/3704 ingress filter - apply inbound on the Internet-facing interface
access-list 123 remark wildcard masks: 0.255.255.255 = /8, 0.15.255.255 = /12, 0.0.255.255 = /16, 15.255.255.255 = /4
access-list 123 deny ip 0.0.0.0 0.255.255.255 any
access-list 123 deny ip 10.0.0.0 0.255.255.255 any
access-list 123 deny ip 127.0.0.0 0.255.255.255 any
access-list 123 deny ip 172.16.0.0 0.15.255.255 any
access-list 123 deny ip 192.168.0.0 0.0.255.255 any
access-list 123 deny ip 224.0.0.0 15.255.255.255 any
access-list 123 deny ip 240.0.0.0 15.255.255.255 any
access-list 123 remark limited broadcast and unspecified source addresses
access-list 123 deny ip host 255.255.255.255 any
access-list 123 deny ip host 0.0.0.0 any
access-list 123 permit ip any any

I added two more entries, for 0.0.0.0 and 255.255.255.255.

If it is implemented on the customer perimeter router to block source
addresses from the internet, then you need to add one more entry that blocks
the source addresses of your internal network. But since the internal addresses
will be from RFC 1918, the above should take care of it. If you use public
addresses in your network, then we may need to add an entry.


Please let me know your thoughts.


With regards
Kings
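As an added example (my own, not code from the thread), here is a small Python model of access-list 123 above: it applies Cisco wildcard-mask matching in order, shows which source addresses the list drops, and builds the extra deny entry Kings mentions for a public internal prefix. The prefix 203.0.113.0/24 is a constructed documentation-range stand-in for "your internal network", and the helper names are my own.

```python
import ipaddress

# Constructed model of access-list 123 from the mail (first match wins;
# 'host X' is the same as wildcard 0.0.0.0).  Format: (action, network, wildcard)
ACL_123 = [
    ("deny", "0.0.0.0", "0.255.255.255"),        # 0.0.0.0/8
    ("deny", "10.0.0.0", "0.255.255.255"),       # RFC 1918
    ("deny", "127.0.0.0", "0.255.255.255"),      # loopback
    ("deny", "172.16.0.0", "0.15.255.255"),      # RFC 1918
    ("deny", "192.168.0.0", "0.0.255.255"),      # RFC 1918
    ("deny", "224.0.0.0", "15.255.255.255"),     # multicast
    ("deny", "240.0.0.0", "15.255.255.255"),     # reserved / class E
    ("deny", "255.255.255.255", "0.0.0.0"),      # limited broadcast
    ("deny", "0.0.0.0", "0.0.0.0"),              # unspecified source
    ("permit", "0.0.0.0", "255.255.255.255"),    # permit ip any any
]

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)

def acl_action(src: str, acl=ACL_123) -> str:
    """Return the action of the first entry matching source address src."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"  # implicit deny at the end of every Cisco ACL

def internal_deny_entry(prefix: str) -> tuple:
    """Extra deny entry for a public internal prefix (hypothetical helper)."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return ("deny", str(net.network_address), str(net.hostmask))

def acl_with_internal(prefix: str) -> list:
    """ACL 123 with the internal-prefix deny inserted before the final permit."""
    return ACL_123[:-1] + [internal_deny_entry(prefix)] + ACL_123[-1:]

def entry_to_ios(entry: tuple, number: int = 123) -> str:
    """Render an entry as the 'access-list' line you would paste into IOS."""
    action, network, wildcard = entry
    return f"access-list {number} {action} ip {network} {wildcard} any"

if __name__ == "__main__":
    for src in ("10.1.2.3", "8.8.8.8", "203.0.113.7"):
        print(src, acl_action(src), acl_action(src, acl_with_internal("203.0.113.0/24")))
```

Without the extra entry a packet from the outside claiming the public internal prefix as its source is permitted; with it, it is dropped.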




On Mon, Apr 26, 2010 at 8:26 PM, Brandon Carroll <[email protected]> wrote:

> The RFC states that you want to filter traffic that contains source
> addresses not legitimately in use by the customer network.
>
> Generally that would include 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8,
> 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, and 240.0.0.0/4, but it's not
> limited to these addresses. You should also include the address space in use
> by the internal network. This makes sense since the address space used
> internally should not be seen as the source in packets from the outside.
>
> As RFC 3704 states, one possible solution for this would be uRPF. If you use
> uRPF you don't need to worry as much about the addresses that you use. If you
> use ACLs on ingress you do. The reason you've probably seen differences in
> the ACLs probably relates to the networks used in the examples.
>
> Regards,
>
> Brandon Carroll - CCIE #23837
> Senior Technical Instructor - IPexpert
> Mailto: [email protected]
> Telephone: +1.810.326.1444
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> Platinum Solutions Group (PSG) provides high-end consulting services with a
> primary emphasis on Cisco's Data Center Solutions, Service Provider
> Solutions, Unified Communications and Security-enabled infrastructures. Be
> sure to visit www.platinumsolutionsgroup.com.
>
>
>
> On Apr 26, 2010, at 6:36 AM, Kingsley Charles wrote:
>
> Hi all
>
> Can someone please let me know the addresses for RFC 2827/3704 that should
> be followed? I see differences in the way they
> are implemented at various sites.
>
> The RFCs also do not mention specific addresses for RFC 2827/3704 as they
> do for RFC 1918/3330.
>
>
> With regards
> Kings
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>
>