Ingress filtering how to setup?

Posted on 2001-07-03
Last Modified: 2010-10-05
What is the command to configure ingress filtering for Cisco router?

Let say your internal network IP is
131.144.4.0

WAN--se0/0----router----eth0/0--- LAN 131.144.4.0


Question by:bluepet
7 Comments
Expert Comment

by:geoffryn
ID: 6253776
It depends on what you are trying to filter.  The "access-list" command will allow you to set both standard and extended access lists on the router.
Author Comment

by:bluepet
ID: 6254067
Ah, I just found out how.

Ingress filtering is done in all new Cisco routers:

sh run
...
no ip directed-broadcast
...

For 3Com it's

setd -ip cont=nofwdSubnetBcast
..

Egress filtering, on the other hand, is as follows (numbered extended access lists use 100-199, and the number must match the one referenced in ip access-group):

router# config t
router(config)# access-list 100 permit ip 131.144.4.0 0.0.0.255 any
router(config)# access-list 100 deny ip any any

Then configure the access group on interface eth0/0:

router(config)# int eth0/0
router(config-if)# ip access-group 100 in

:)

I however still have no idea how to do egress filtering for 3Com...

Can someone help here?

Accepted Solution

by:
lrmoore earned 136 total points
ID: 6255374
I don't think that "no ip directed-broadcast" on your interface qualifies as an ingress filter. It is outgoing only. Ingress filters can only be applied through access-lists. Your example of an access list applied is incorrect.
Here are some good examples for Cisco of ingress filters (keeping the bad stuff out):

http://www.pasadena.net/cisco/secure.html

http://www.sans.org/infosecFAQ/firewall/blocking_cisco.htm
Assisted Solution

by:svindler
svindler earned 132 total points
ID: 6316566
lrmoore's links look good. You really should read them through.
Here are some more:
http://www.cisco.com/warp/public/707/21.html
http://www.insecure.org/news/P55-10.txt

To sum it up, you make an access-list that denies all private addresses, and your own addresses, from originating on the internet. Then you apply this access-list as inbound on the interface closest to the internet.

A basic ingress filter that only guards against spoofed packets can be made using a standard access-list:

router(config)#access-list 11 deny 111.111.111.0 0.0.0.255 (or whatever your public IP range is)
router(config)#access-list 11 deny 10.0.0.0 0.255.255.255
router(config)#access-list 11 deny 127.0.0.0 0.255.255.255
router(config)#access-list 11 deny 172.16.0.0 0.15.255.255
router(config)#access-list 11 deny 192.168.0.0 0.0.255.255
router(config)#access-list 11 deny 224.0.0.0 15.255.255.255
router(config)#access-list 11 deny host 0.0.0.0
router(config)#int s0/0 (or whatever your external interface is)
router(config-if)# ip access-group 11 in
Expert Comment

by:svindler
ID: 6316576
Oops, I just noticed that you had actually provided the external interface and the public IP addresses. The example should then read:
router(config)#access-list 11 deny 131.144.4.0 0.0.0.255 (assuming a class C network)
router(config)#access-list 11 deny 10.0.0.0 0.255.255.255
router(config)#access-list 11 deny 127.0.0.0 0.255.255.255
router(config)#access-list 11 deny 172.16.0.0 0.15.255.255
router(config)#access-list 11 deny 192.168.0.0 0.0.255.255
router(config)#access-list 11 deny 224.0.0.0 15.255.255.255
router(config)#access-list 11 deny host 0.0.0.0
router(config)#int s0/0
router(config-if)# ip access-group 11 in
Assisted Solution

by:jwalsh88
jwalsh88 earned 132 total points
ID: 6372021
svindler,

you forgot one line:

router(config)#access-list 11 permit any

bluepet, that should be the last access-list entry. Otherwise svindler's access-list would block all inbound traffic from the internet, because of the implied deny any rule.
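The two lists in this thread, as an added example that is not part of the original posts: a small Python evaluator for Cisco-style standard access lists (wildcard/inverse masks, first match wins, implicit deny at the end), run over constructed sample source addresses. It checks svindler's ACL 11 with jwalsh88's trailing "permit any" as the ingress filter on s0/0, and bluepet's ACL 100 (given a list number) as the egress filter on eth0/0, and shows what happens to Internet traffic when the "permit any" line is left off. The sample addresses are made up; 198.51.100.0/24 is a documentation range standing in for an arbitrary Internet host.

```python
# Added example, not from the thread: evaluate Cisco-style standard ACLs
# against constructed sample packets (source address only).
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard (inverse) mask semantics: a 0 bit in the wildcard means
    the address bit must equal the network bit, a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def evaluate(acl, src: str) -> str:
    """First matching entry wins; IOS appends an implicit 'deny' to every ACL,
    which is the behaviour jwalsh88 warns about."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")   # IOS keyword "any"
HOST_ZERO = ("0.0.0.0", "0.0.0.0")      # IOS "host 0.0.0.0"

# ACL 11 as svindler posted, applied "ip access-group 11 in" on s0/0.
# None of these sources can legitimately arrive from the Internet: our own
# prefix, RFC 1918 space, loopback, multicast, and 0.0.0.0.
INGRESS_ACL_11 = [
    ("deny", "131.144.4.0", "0.0.0.255"),    # our own range seen inbound = spoofed
    ("deny", "10.0.0.0", "0.255.255.255"),
    ("deny", "127.0.0.0", "0.255.255.255"),
    ("deny", "172.16.0.0", "0.15.255.255"),  # 172.16.0.0/12
    ("deny", "192.168.0.0", "0.0.255.255"),
    ("deny", "224.0.0.0", "15.255.255.255"), # 224.0.0.0/4
    ("deny", *HOST_ZERO),
    ("permit", *ANY),                        # jwalsh88's missing last line
]

# bluepet's ACL 100, applied "ip access-group 100 in" on eth0/0: only our
# own prefix may leave the site as a source address. The destination is
# "any" in both entries, so a source-only check models it exactly.
EGRESS_ACL_100 = [
    ("permit", "131.144.4.0", "0.0.0.255"),
    ("deny", *ANY),
]

# Constructed sample source addresses for each direction.
INBOUND_SAMPLES = ["198.51.100.7", "131.144.4.20", "10.1.2.3",
                   "172.31.255.1", "172.32.0.1", "239.255.255.250", "0.0.0.0"]
OUTBOUND_SAMPLES = ["131.144.4.20", "10.0.0.5", "198.51.100.7"]


def run(acl, samples) -> dict:
    """Map each sample source address to the action the ACL takes on it."""
    return {src: evaluate(acl, src) for src in samples}


if __name__ == "__main__":
    print("ingress, s0/0 in:  ", run(INGRESS_ACL_11, INBOUND_SAMPLES))
    print("egress, eth0/0 in: ", run(EGRESS_ACL_100, OUTBOUND_SAMPLES))
    # Drop the trailing "permit any" and every Internet host falls through
    # to the implicit deny, i.e. the router stops accepting inbound traffic.
    print("without permit any:", run(INGRESS_ACL_11[:-1], INBOUND_SAMPLES))
```

Note that 172.32.0.1 is permitted: the wildcard 0.15.255.255 covers exactly 172.16.0.0 through 172.31.255.255, so the /12 boundary is where svindler's entry stops, which is what you want.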
Expert Comment

by:zenlion420
ID: 9706103
Hey people,

No comment has been added in roughly 2 years, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts split between lrmoore, svindler and jwalsh88.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor