Mark, RFC 2827 is meant for ISPs to have an ingress filter that would filter the bogon addresses from their users. But you can do the same on your perimeter routers that connect your corporate network to the Internet, which would get the same result.
The ingress filter should be applied to the interface that is connected to the inside network, not the Internet. In that case, why would we need an outbound filter? In today's world, having an RFC 2827 filter on the Internet interface is required too :-)

With regards
Kings

On Tue, Feb 1, 2011 at 7:00 AM, Mark Senteza <[email protected]> wrote:

> Thanks for pointing that out Kings, i.e. "RFC 2827 is for ingress
> filtering". I think the keyword "ingress" says it all. Nevertheless, would
> my solution (for lab exam purposes) be complete if I left out the outbound
> filter, since after all the inbound filter completes the ingress filtering?
> Just want to be sure that I am understanding this correctly.
>
> On Mon, Jan 31, 2011 at 12:11 AM, Kingsley Charles <[email protected]> wrote:
>
>> RFC 2827 is an ingress filter. Adding it as outbound is an advantage. You
>> can add the RFC 3330 addresses too.
>>
>> When you use NAT and private addresses for the inner network, you should
>> deny that network in the outbound ACL.
>>
>> With regards
>> Kings
>>
>> On Mon, Jan 31, 2011 at 9:30 AM, Mark Senteza <[email protected]> wrote:
>>
>>> Hey all
>>>
>>> When securing your router according to RFC 2827 for the lab exam, would
>>> it be a good idea to configure both an inbound and an outbound ACL, as in
>>> the configuration below, or just an inbound ACL?
>>>
>>> The configuration assumes the following:
>>> - interface fa0/0 is the unsecure interface
>>> - the following public range is used internally too: 184.1.0.0/16
>>>
>>> ip access-list extended INBOUND
>>>  deny ip 10.0.0.0 0.255.255.255 any
>>>  deny ip 172.16.0.0 0.15.255.255 any
>>>  deny ip 192.168.0.0 0.0.255.255 any
>>>  deny ip 184.1.0.0 0.0.255.255 any
>>>  permit ip any any
>>>
>>> ip access-list extended OUTBOUND
>>>  permit ip 10.0.0.0 0.255.255.255 any
>>>  permit ip 172.16.0.0 0.15.255.255 any
>>>  permit ip 192.168.0.0 0.0.255.255 any
>>>  permit ip 184.1.0.0 0.0.255.255 any
>>>  deny ip any any
>>>
>>> interface fa 0/0
>>>  ip access-group INBOUND in
>>>  ip access-group OUTBOUND out
>>>
>>> Thanks,
>>>
>>> Mark
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
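The following is an added example, not code from anyone in this thread: a small evaluator for the INBOUND/OUTBOUND lists Mark posted, so the two ACLs can be run against sample packets and the points raised above checked. It parses the IOS wildcard-mask syntax, applies first-match semantics with the implicit deny, and models the Cisco IOS order of operations for inside-to-outside traffic, where NAT translation happens before the outbound ACL on the outside interface is evaluated (the reason Kings says a NATed inner network must be handled in the outbound ACL). It goes beyond the posted config in one way: three RFC 3330 special-use ranges (loopback, link-local, multicast) are added to INBOUND as Kings suggests. All sample addresses, and 203.0.113.7 as a stand-in NAT pool address, are constructed for the example.

```python
"""Evaluate the thread's RFC 2827 ACLs against sample packets (added example)."""
import ipaddress

# Constructed input: the INBOUND/OUTBOUND lists from the thread, in IOS syntax.
# The 127/8, 169.254/16 and 224/4 lines are an addition to the posted INBOUND
# list (RFC 3330 special-use sources that should never arrive from the
# Internet); everything else is as posted.
INBOUND_ACL = """
ip access-list extended INBOUND
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 184.1.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 permit ip any any
"""

OUTBOUND_ACL = """
ip access-list extended OUTBOUND
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 172.16.0.0 0.15.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 184.1.0.0 0.0.255.255 any
 deny ip any any
"""


def _operand(tokens, i):
    """Parse one IOS address operand at tokens[i]: 'any', 'host A.B.C.D' or
    'A.B.C.D WILDCARD'. Returns (network, mask, next_index), where mask has a
    1 bit for every address bit that must match (the inverse of the wildcard)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    net = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = ~wildcard & 0xFFFFFFFF
    return net & mask, mask, i + 2


def parse_acl(text):
    """Turn an 'ip access-list extended' block into an ordered list of
    (action, src, src_mask, dst, dst_mask). Only the 'ip' protocol form used
    in the thread is handled; port matching and sequence numbers are not."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "!", "remark"):
            continue  # header line, comment or remark
        action = tokens[0]
        if action not in ("permit", "deny") or tokens[1] != "ip":
            raise ValueError(f"unsupported ACL line: {line.strip()!r}")
        src, src_mask, i = _operand(tokens, 2)
        dst, dst_mask, _ = _operand(tokens, i)
        entries.append((action, src, src_mask, dst, dst_mask))
    return entries


def evaluate(entries, src_ip, dst_ip):
    """First-match evaluation, with the implicit 'deny ip any any' IOS appends."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for action, src, src_mask, dst, dst_mask in entries:
        if (s & src_mask) == src and (d & dst_mask) == dst:
            return action
    return "deny"


INBOUND = parse_acl(INBOUND_ACL)
OUTBOUND = parse_acl(OUTBOUND_ACL)


def ingress(src_ip, dst_ip):
    """A packet arriving on fa0/0 from the Internet ('ip access-group INBOUND in')."""
    return evaluate(INBOUND, src_ip, dst_ip)


def egress(src_ip, dst_ip, nat_src=None):
    """A packet leaving fa0/0 towards the Internet ('ip access-group OUTBOUND out').
    On Cisco IOS, inside-to-outside NAT translation happens before the outbound
    ACL on the outside interface is checked, so the ACL sees the translated
    source address; pass it as nat_src to model that."""
    return evaluate(OUTBOUND, nat_src or src_ip, dst_ip)


if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.7 stands in for a NAT pool address.
    for src in ("8.8.8.8", "10.1.1.1", "184.1.9.9", "127.0.0.1", "239.1.1.1"):
        print(f"inbound  src {src:<12} -> {ingress(src, '184.1.2.3')}")
    print(f"outbound src 10.1.1.1 (no NAT)             -> {egress('10.1.1.1', '8.8.8.8')}")
    print(f"outbound src 8.8.4.4 (spoofed from inside) -> {egress('8.8.4.4', '8.8.8.8')}")
    print(f"outbound src 10.1.1.1 NAT -> 203.0.113.7   -> {egress('10.1.1.1', '8.8.8.8', '203.0.113.7')}")
    print(f"outbound src 10.1.1.1 NAT -> 184.1.0.10    -> {egress('10.1.1.1', '8.8.8.8', '184.1.0.10')}")
```

The last two outbound cases are the NAT caveat in practice: with the posted OUTBOUND list, a 10.0.0.0/8 host translated to a pool address outside 184.1.0.0/16 is dropped by the outbound ACL, while one translated into 184.1.0.0/16 passes. If the inner network is NATed, the outbound list has to match the post-translation addresses, and the private range itself belongs in a deny line there rather than a permit.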
