In this filtering example, I see only an incoming filter for OSPF protocol 89. Won't we also need an outgoing filter for OSPF protocol?
Can someone advise?
Any idea why they use port 43?
Port 43 is a typo; it should be port 53 for DNS.
So instead of
permit udp fc00:1:0:67::/64 any eq 43
it should be
permit udp fc00:1:0:67::/64 any eq 53
INE please review this task and make corrections.
Good question. I think that it wouldn't hurt to configure. But to use a minimal config, it would not be necessary, as the ACL will not match on locally generated traffic that is outbound, only inbound.
Couldn't you use "eq domain" for DNS port 53 and "eq FTP" instead of the range 20 21?
My other confusion about this task is on the inbound filter. For the TCP-related stuff, could the established keyword be used? Also, wouldn't we want to allow all traffic to/from the link-local address of s1/0?
Yes, you can use "eq domain".
You must use "eq ftp" and "eq ftp-data".
Router(config)#access-list 190 permit tcp any eq ?
  <0-65535>    Port number
  bgp          Border Gateway Protocol (179)
  chargen      Character generator (19)
  cmd          Remote commands (rcmd, 514)
  daytime      Daytime (13)
  discard      Discard (9)
  domain       Domain Name Service (53)
  drip         Dynamic Routing Information Protocol (3949)
  echo         Echo (7)
  exec         Exec (rsh, 512)
  finger       Finger (79)
  ftp          File Transfer Protocol (21)
  ftp-data     FTP data connections (20)
  gopher       Gopher (70)
  hostname     NIC hostname server (101)
  ident        Ident Protocol (113)
  irc          Internet Relay Chat (194)
  klogin       Kerberos login (543)
  kshell       Kerberos shell (544)
  login        Login (rlogin, 513)
  lpd          Printer service (515)
  nntp         Network News Transport Protocol (119)
  pim-auto-rp  PIM Auto-RP (496)
  pop2         Post Office Protocol v2 (109)
  pop3         Post Office Protocol v3 (110)
  smtp         Simple Mail Transport Protocol (25)
  sunrpc       Sun Remote Procedure Call (111)
  tacacs       TAC Access Control System (49)
  talk         Talk (517)
  telnet       Telnet (23)
  time         Time (37)
  uucp         Unix-to-Unix Copy Program (540)
  whois        Nicname (43)
  www          World Wide Web (HTTP, 80)
Router(config)#access-list 190 permit tcp any eq
The task says "only FTP and HTTP traffic from the users on VLAN67 is permitted".
For the "established" keyword, I think the task stresses the "only" keyword on the application (FTP and HTTP), not on the source or destination of the traffic.
Yes, that was my other pitfall on this task: it doesn't specify where the clients or servers are located, which means that you have to configure the mirror image, i.e. traffic to ports 80, 20, 21 as destination ports and also as source ports.
Do you not think that the direction of the ACL in the SG should be the other way? For example,
"permit tcp fc00:1:0:67::/64 any eq 80" should have been applied inbound and not outbound as in the SG, since it's permitting TCP traffic from VLAN 67 (source) to access the R3 interface (destination).
So I think the inbound should have been applied outbound and the outbound inbound.
Ideas would be appreciated.
The SG is correct. The direction of traffic through R3 is from fa0/0 to s1/0, so we are allowing TCP traffic from VLAN67 to any destination that equals port 80 outbound towards R5. Inbound TCP traffic that equals port 80 is permitted from any source to VLAN67.
Imagine permitting a source address of VLAN67 inbound on s1/0; that would mean that the next hop to reach VLAN67 is out s1/0. It doesn't make sense, because the next hop to VLAN67 is out fa0/0 through SW1.
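Pulling the points of this thread together, here is an added example of how the two filters on R3's s1/0 could be written as IOS IPv6 ACLs. It is not the INE SG's solution and not any poster's config: the prefix fc00:1:0:67::/64, the ports (80, 20/21, 53), OSPF protocol 89 and the in/out directions come from the posts above, while the ACL names VLAN67-OUT and VLAN67-IN and the interface name Serial1/0 are assumptions. The mirror-image lines that the thread says are needed when it is unknown where the servers live are included, marked by remarks.

```cisco
! Constructed example, not the SG config. Names VLAN67-OUT / VLAN67-IN
! and Serial1/0 are assumed.
!
! Outbound on s1/0: user traffic leaving VLAN67 toward R5 (fa0/0 -> s1/0).
! Destination ports are matched, as in the SG direction.
ipv6 access-list VLAN67-OUT
 remark VLAN67 clients -> any HTTP/FTP/DNS server
 permit tcp FC00:1:0:67::/64 any eq www
 permit tcp FC00:1:0:67::/64 any eq ftp
 permit tcp FC00:1:0:67::/64 any eq ftp-data
 permit udp FC00:1:0:67::/64 any eq domain
 remark mirror image: replies from servers on VLAN67 (source ports)
 permit tcp FC00:1:0:67::/64 eq www any
 permit tcp FC00:1:0:67::/64 eq ftp any
 permit tcp FC00:1:0:67::/64 eq ftp-data any
 permit udp FC00:1:0:67::/64 eq domain any
 remark no OSPF entry needed here: an outbound ACL does not filter
 remark traffic the router itself generates, which is why the thread
 remark only needs the inbound protocol-89 line
!
! Inbound on s1/0: traffic arriving from R5 destined to VLAN67.
! Source addresses are "any"; a VLAN67 source is never expected inbound.
ipv6 access-list VLAN67-IN
 remark OSPFv3 hellos/LSAs arriving from the neighbour on s1/0
 permit 89 any any
 remark return traffic from servers (source ports) -> VLAN67 clients
 permit tcp any eq www FC00:1:0:67::/64
 permit tcp any eq ftp FC00:1:0:67::/64
 permit tcp any eq ftp-data FC00:1:0:67::/64
 permit udp any eq domain FC00:1:0:67::/64
 remark mirror image: outside clients -> servers on VLAN67 (dest ports)
 permit tcp any FC00:1:0:67::/64 eq www
 permit tcp any FC00:1:0:67::/64 eq ftp
 permit tcp any FC00:1:0:67::/64 eq ftp-data
 permit udp any FC00:1:0:67::/64 eq domain
!
interface Serial1/0
 ipv6 traffic-filter VLAN67-OUT out
 ipv6 traffic-filter VLAN67-IN in
!
! Check hit counts after sending test traffic:
! show ipv6 access-list VLAN67-IN
! show ipv6 access-list VLAN67-OUT
```

On the link-local question raised above: an IOS IPv6 ACL carries an implicit `permit icmp any any nd-na` and `permit icmp any any nd-ns` ahead of the implicit deny, so neighbor discovery between R3 and R5 keeps working without an explicit entry; anything else sourced from the link-local address (for example ping for troubleshooting) would need its own permit line. Using `show ipv6 access-list` with the hit counters is the quickest way to confirm that OSPF adjacencies and the FTP data channel are matching the intended entries rather than falling through to the implicit deny.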