9.22 IPv6 Filtering

In this filtering example, I see only an incoming filter for OSPF protocol 89. Won't we also need an outgoing filter for OSPF protocol?

Can someone advise?

Regards,

Kartik

Comments

  • Any idea why they use port 43?

  • Port 43 is a typo; it should be port 53 for DNS.

    So instead of

    permit udp fc00:1:0:67::/64 any eq 43

    it should be

    permit udp fc00:1:0:67::/64 any eq 53

    INE please review this task and make corrections.

  • Good question.  I think it wouldn't hurt to configure it.  But for a minimal config it would not be necessary, because an ACL will not match locally generated traffic that is outbound, only inbound.

  • Couldn't you use "eq domain" for DNS port 53 and "eq FTP" instead of the range 20 21?

  • My other confusion about this task is on the inbound filter.  For the TCP-related stuff, could the established keyword be used? Also, wouldn't we want to allow all traffic to/from the link-local address of s1/0?

  • Yes, you can use "eq domain".

    You must use "eq ftp" and "eq ftp-data".

    Router(config)#access-list 190 permit tcp any eq ?
      <0-65535>    Port number
      bgp          Border Gateway Protocol (179)
      chargen      Character generator (19)
      cmd          Remote commands (rcmd, 514)
      daytime      Daytime (13)
      discard      Discard (9)
      domain       Domain Name Service (53)
      drip         Dynamic Routing Information Protocol (3949)
      echo         Echo (7)
      exec         Exec (rsh, 512)
      finger       Finger (79)
      ftp          File Transfer Protocol (21)
      ftp-data     FTP data connections (20)
      gopher       Gopher (70)
      hostname     NIC hostname server (101)
      ident        Ident Protocol (113)
      irc          Internet Relay Chat (194)
      klogin       Kerberos login (543)
      kshell       Kerberos shell (544)
      login        Login (rlogin, 513)
      lpd          Printer service (515)
      nntp         Network News Transport Protocol (119)
      pim-auto-rp  PIM Auto-RP (496)
      pop2         Post Office Protocol v2 (109)
      pop3         Post Office Protocol v3 (110)
      smtp         Simple Mail Transport Protocol (25)
      sunrpc       Sun Remote Procedure Call (111)
      tacacs       TAC Access Control System (49)
      talk         Talk (517)
      telnet       Telnet (23)
      time         Time (37)
      uucp         Unix-to-Unix Copy Program (540)
      whois        Nicname (43)
      www          World Wide Web (HTTP, 80)

    Router(config)#access-list 190 permit tcp any eq

  • The task says "only FTP and HTTP traffic from the users on VLAN67 is permitted"

    For the "established" keyword, I think the task stresses the "only" keyword on the applications, FTP and HTTP, not on the source or destination of the traffic.

  • Yes, that was my other pitfall on this task: it doesn't specify where the clients or servers are located, which means that you have to configure the mirror image, i.e. traffic to ports 80, 20 and 21 as destination ports and also as source ports.

  • Hi All.

    Do you not think that the direction of the ACL in the SG should be the other way?  For example,

    "permit tcp fc00:1:0:67::/64 any eq 80" should have been applied inbound and not outbound as in the SG since it's permitting TCP traffic from VLAN 67 (source) to access R3 interface (destination).

    So I think the inbound should have been applied outbound and the outbound inbound.

    Ideas would be appreciated.

  • The SG is correct.  The direction of traffic through R3 is from fa0/0 to s1/0, so we are allowing TCP traffic from VLAN67 to any destination that equals port 80 outbound towards R5.  Inbound, TCP traffic that equals port 80 is permitted from any source to VLAN67.

    Imagine permitting a source address of VLAN67 inbound on s1/0; that would mean that the next hop to reach VLAN67 is out s1/0.  It doesn't make sense, because the next hop to VLAN67 is out fa0/0 through SW1.

    HTH
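As an added illustration of the direction and "mirror image" points raised in this thread (example code written for this page, not INE's solution guide and not a copy of the task's ACLs): a small Python model of the two s1/0 filters on R3. The prefix fc00:1:0:67::/64, TCP ports 20/21/80, UDP port 53 and OSPF (IP protocol 89) are the values discussed above; the host addresses fc00:1:0:67::10 and fc00:1:0:35::5 are constructed, and the exact rule set is an assumption about what the task requires.

```python
"""Directional ACL model for the VLAN67 / R3 s1/0 discussion.

Added example, not INE's solution guide. The rule set is assembled from the
prefix, ports and protocol numbers mentioned in the thread and is an
assumption about the task, not a copy of it.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional

VLAN67 = IPv6Network("fc00:1:0:67::/64")   # prefix from the thread
ANY = IPv6Network("::/0")                  # the IOS "any" keyword


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "ospf" (protocol 89) or "ipv6" (any)
    src: IPv6Network
    dst: IPv6Network
    src_port: Optional[int] = None   # None = no "eq" on that side, any port matches
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv6Address
    dst: IPv6Address
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """One ACL entry against one packet: protocol, both prefixes, both ports."""
    if rule.proto != "ipv6" and rule.proto != pkt.proto:
        return False
    if pkt.src not in rule.src or pkt.dst not in rule.dst:
        return False
    if rule.src_port is not None and rule.src_port != pkt.src_port:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; like an IOS IPv6 ACL, unmatched traffic is denied.
    (The implicit ND permits of a real IOS IPv6 ACL are not modelled here.)"""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def vlan67_app_rules(proto: str, port: int, direction: str) -> List[Rule]:
    """Entries for one application port in one direction on s1/0.

    The task does not say whether VLAN67 hosts are clients or servers, so each
    application gets its port matched as destination AND as source (the
    "mirror image" from the thread). Outbound on s1/0 (fa0/0 -> s1/0) VLAN67
    is the source; inbound on s1/0 VLAN67 is the destination, never the source.
    """
    if direction == "out":
        src, dst = VLAN67, ANY
    else:
        src, dst = ANY, VLAN67
    return [Rule("permit", proto, src, dst, dst_port=port),
            Rule("permit", proto, src, dst, src_port=port)]


def build_s1_0_acl(direction: str) -> List[Rule]:
    acl: List[Rule] = []
    for port in (80, 21, 20):                      # www, ftp, ftp-data
        acl += vlan67_app_rules("tcp", port, direction)
    acl += vlan67_app_rules("udp", 53, direction)  # domain (53), not whois (43)
    acl.append(Rule("permit", "ospf", ANY, ANY))   # protocol 89 between R3 and R5
    return acl


S1_0_OUT = build_s1_0_acl("out")
S1_0_IN = build_s1_0_acl("in")


def check(direction: str, pkt: Packet) -> str:
    """Verdict for a packet crossing s1/0 in the given direction ("in" or "out")."""
    return evaluate(S1_0_OUT if direction == "out" else S1_0_IN, pkt)


def tcp(src: str, sport: int, dst: str, dport: int) -> Packet:
    return Packet("tcp", IPv6Address(src), IPv6Address(dst), sport, dport)


def udp(src: str, sport: int, dst: str, dport: int) -> Packet:
    return Packet("udp", IPv6Address(src), IPv6Address(dst), sport, dport)


if __name__ == "__main__":
    client = "fc00:1:0:67::10"   # constructed VLAN67 host
    server = "fc00:1:0:35::5"    # constructed host beyond R5
    print("HTTP out  :", check("out", tcp(client, 40000, server, 80)))   # permit
    print("HTTP back :", check("in", tcp(server, 80, client, 40000)))    # permit
    print("spoofed in:", check("in", tcp(client, 40000, server, 80)))    # deny
    print("DNS to 43 :", check("out", udp(client, 5353, server, 43)))    # deny
    print("DNS to 53 :", check("out", udp(client, 5353, server, 53)))    # permit
```

Running it shows why the SG's placement works: the outbound list only ever sees VLAN67 as a source, the inbound list only as a destination, and a packet with a VLAN67 source arriving on s1/0 matches nothing and falls through to the implicit deny. Swapping the two lists, as suggested earlier in the thread, would permit exactly that spoofed case and deny the legitimate one.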
