
Scott Empson and Hans Roth

"CCNP ISCW Portable Command Guide"


• Place an extended ACL as close as possible to the source of traffic that the ACL is
filtering. This is to prevent packets you know are going to be filtered out from traveling
across your network, utilizing bandwidth.
• Place standard ACLs as close as possible to the destination. Placing them closer to the
source may prevent legitimate packets from reaching their destinations.

Using ACLs to Filter Network Traffic to Mitigate Threats

Figure 5-12 shows the network topology for the configurations that follow, which
demonstrate how to use ACLs to filter network traffic to mitigate threats to your network.

Figure 5-12 Network Edge

IP Address Spoofing: Inbound

As a rule, do not allow any IP packets that contain the source address of any internal hosts
or networks inbound to a private network.

Edge(config)#access-list 101 deny ip 10.2.1.0 0.0.0.255 any log
    Denies any packet with a source IP address of 10.2.1.x from reaching any
    destination, and logs any instance in which this statement was used

Edge(config)#access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
    Denies any packet with a source IP address of 127.x.x.x from reaching any
    destination, and logs any instance in which this statement was used
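
Added example (not from the book): a small Python model of how IOS evaluates the two ACL 101 entries above, showing wildcard-mask matching, first-match order and the implicit deny that ends every ACL. The sample source addresses and the closing permit entry are constructed for illustration and are not part of the page's configuration.

```python
import ipaddress

# The two ACL 101 entries from the page, as one line each.
ACL_101 = [
    "access-list 101 deny ip 10.2.1.0 0.0.0.255 any log",
    "access-list 101 deny ip 127.0.0.0 0.255.255.255 any log",
]
# Hypothetical closing entry, NOT from the page; used only to show the
# effect of the implicit deny when no permit follows.
HYPOTHETICAL_PERMIT = "access-list 101 permit ip any any"

def _u32(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_entry(line):
    """Parse 'access-list N permit|deny ip SRC [WILDCARD] any [log]'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    rest = tok[4:]
    if rest[0] == "any":
        src, wild, rest = 0, 0xFFFFFFFF, rest[1:]
    else:
        src, wild, rest = _u32(rest[0]), _u32(rest[1]), rest[2:]
    if not rest or rest[0] != "any":
        raise ValueError(f"only destination 'any' is modelled: {line!r}")
    return tok[2], src, wild, "log" in rest[1:]

def matches(src, wild, packet_src):
    # Wildcard bit 0 = this bit must match, 1 = ignore (inverse of a netmask).
    care = ~wild & 0xFFFFFFFF
    return (_u32(packet_src) & care) == (src & care)

def evaluate(acl_lines, packet_src):
    """Return (action, matching entry number or None, logged)."""
    for number, line in enumerate(acl_lines, 1):
        action, src, wild, log = parse_entry(line)
        if matches(src, wild, packet_src):
            return action, number, log      # first match wins
    return "deny", None, False              # implicit deny, never logged

if __name__ == "__main__":
    # Constructed source addresses: spoofed internal, loopback, external.
    for ip in ("10.2.1.77", "127.0.0.1", "10.2.2.1", "198.51.100.7"):
        print(ip, evaluate(ACL_101, ip),
              evaluate(ACL_101 + [HYPOTHETICAL_PERMIT], ip))
```

With only the two deny entries, every other source also falls through to the implicit deny, so an ACL built this way needs explicit permit entries for legitimate traffic before it is applied to an interface.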