Thanks for pointing that out, Kings, i.e. "RFC 2827 is for ingress filtering". I think the keyword "ingress" says it all. Nevertheless, would my solution (for lab exam purposes) be complete if I left out the outbound filter, since after all the inbound filter completes the ingress filtering? Just want to be sure that I am understanding this correctly.
On Mon, Jan 31, 2011 at 12:11 AM, Kingsley Charles <[email protected]> wrote:
> RFC 2827 is an ingress filter. Adding it as outbound is an advantage. You can add the RFC 3330 addresses too.
>
> When you use NAT and private address for the inner network, you should deny that network in the outbound ACL.
>
> With regards
> Kings
>
> On Mon, Jan 31, 2011 at 9:30 AM, Mark Senteza <[email protected]> wrote:
>
>> Hey all
>>
>> When securing your router according to RFC 2827 for the lab exam, would it be a good idea to configure both an inbound and an outbound ACL, as in the configuration below, or just an inbound ACL?
>>
>> The configuration assumes the following:
>> - interface fa0/0 is the unsecure interface
>> - the following public range is used internally too - 184.1.0.0/16
>>
>> ip access-list ext INBOUND
>>  deny ip 10.0.0.0 0.255.255.255 any
>>  deny ip 172.16.0.0 0.15.255.255 any
>>  deny ip 192.168.0.0 0.0.255.255 any
>>  deny ip 184.1.0.0 0.0.255.255 any
>>  permit ip any any
>>
>> ip access-list ext OUTBOUND
>>  permit ip 10.0.0.0 0.255.255.255 any
>>  permit ip 172.16.0.0 0.15.255.255 any
>>  permit ip 192.168.0.0 0.0.255.255 any
>>  permit ip 184.1.0.0 0.0.255.255 any
>>  deny ip any any
>>
>> interface fa 0/0
>>  ip access-group INBOUND in
>>  ip access-group OUTBOUND out
>>
>> Thanks,
>>
>> Mark
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
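To see concretely what each list in Mark's configuration does, here is an added Python model (not code from the thread or from IOS) that evaluates the INBOUND and OUTBOUND ACLs from the quoted post against a few constructed packets using Cisco wildcard-mask semantics and the implicit deny at the end of every ACL. The packet addresses (8.8.8.8, 198.51.100.7 and hosts inside 184.1.0.0/16) are constructed sample values, and the evaluation is a plain first-match walk; it does not model NAT, so the post-NAT source seen on fa0/0 is whatever the sample packet carries.

```python
import ipaddress

# ACL text copied from the quoted post; "ip access-list ext NAME" header
# lines are skipped by the parser below.
INBOUND = """
ip access-list ext INBOUND
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 184.1.0.0 0.0.255.255 any
permit ip any any
"""

OUTBOUND = """
ip access-list ext OUTBOUND
permit ip 10.0.0.0 0.255.255.255 any
permit ip 172.16.0.0 0.15.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
permit ip 184.1.0.0 0.0.255.255 any
deny ip any any
"""


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_addr(tokens):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Turn 'permit|deny ip SRC DST' lines into (action, src, dst) tuples."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[0] == "ip":  # the 'ip access-list ext NAME' header
            continue
        action, _proto, *rest = parts
        src, rest = parse_addr(rest)
        dst, rest = parse_addr(rest)
        entries.append((action, src, dst))
    return entries


def evaluate(acl, src, dst):
    """First matching entry wins; no match falls to the implicit deny."""
    for action, (sn, sw), (dn, dw) in acl:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"


def simulate():
    """Run constructed packets through both lists as applied on fa0/0."""
    inbound = parse_acl(INBOUND)
    outbound = parse_acl(OUTBOUND)
    return {
        # legitimate traffic from the outside to an inside host
        "in_legit": evaluate(inbound, "8.8.8.8", "184.1.0.10"),
        # outside packet claiming an inside source: RFC 2827 ingress case
        "in_spoofed_internal": evaluate(inbound, "184.1.5.5", "184.1.0.10"),
        # outside packet with an RFC 1918 source
        "in_spoofed_private": evaluate(inbound, "10.1.1.1", "184.1.0.10"),
        # inside host talking to the Internet with its own address
        "out_legit": evaluate(outbound, "184.1.0.10", "8.8.8.8"),
        # inside host sending with a source that is not ours: the case
        # only the outbound list catches
        "out_spoofed_external": evaluate(outbound, "198.51.100.7", "8.8.8.8"),
    }


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name:22s} {verdict}")
```

Running it shows the inbound list alone covers the ingress case Mark asked about (outside packets with inside or private sources are dropped), while the outbound list is what stops a packet leaving fa0/0 with a source address that is not one of the listed internal ranges, which is the extra protection Kings describes as an advantage.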
