Exam 300-101 | Question id=435 | Infrastructure Security
What does the following access list, which is applied on the external interface FastEthernet 1/0 of the perimeter router, accomplish?
router(config)#access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
router(config)#access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
router(config)#access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
router(config)#access-list 101 permit ip any any
router(config)#interface fastEthernet 1/0
router(config-if)#ip access-group 101 in
A. It prevents incoming traffic from IP address ranges 10.0.0.0-10.0.0.255, 172.16.0.0-172.31.255.255, 192.168.0.0-192.168.255.255 and logs any intrusion attempts.
B. It prevents the internal network from being used in spoofed denial of service attacks and logs any exit to the Internet.
C. It filters incoming traffic from private addresses in order to prevent spoofing and logs any intrusion attempts.
D. It prevents private internal addresses from being accessed directly from outside.
The private IP address ranges defined in RFC 1918 are as follows:
10.0.0.0 — 10.255.255.255
172.16.0.0 — 172.31.255.255
192.168.0.0 — 192.168.255.255
These IP addresses should never be allowed from external networks into a corporate network: a packet carrying one of them as its source could only reach the network from the outside because of a routing problem or because the address was spoofed. This ACL is used to prevent all packets with a spoofed reserved private source IP address from entering the network. The log keyword also enables logging of these intrusion attempts.
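
An added example (not part of the original question): a small Python model of ACL 101 that expands each wildcard mask into the address range it covers and applies first-match evaluation to constructed source addresses. The function names are hypothetical, and only source-address matching is modeled.

```python
import ipaddress

# ACL 101 as shown in the question: (action, source network, wildcard mask, log)
ACL_101 = [
    ("deny", "10.0.0.0", "0.255.255.255", True),
    ("deny", "192.168.0.0", "0.0.255.255", True),
    ("deny", "172.16.0.0", "0.15.255.255", True),
    ("permit", "any", None, False),
]

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_range(network, wildcard):
    """Return (first, last) address covered by a contiguous wildcard mask."""
    net, wc = _to_int(network), _to_int(wildcard)
    if wc & (wc + 1):
        raise ValueError("non-contiguous wildcard has no single range")
    first = net & ~wc & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(first | wc))

def matches(source, network, wildcard):
    """IOS-style match: bits set in the wildcard are 'don't care' bits."""
    if network == "any":
        return True
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(source) & care) == (_to_int(network) & care)

def evaluate(source, acl=ACL_101):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, network, wildcard, log in acl:
        if matches(source, network, wildcard):
            return action, log
    return "deny", False

if __name__ == "__main__":
    for _, net, wc, _ in ACL_101[:3]:
        print(net, wc, "->", wildcard_range(net, wc))
    # Constructed sample source addresses arriving on the external interface
    for src in ["10.200.1.1", "172.31.255.255", "172.32.0.1",
                "192.168.5.9", "203.0.113.7"]:
        print(src, evaluate(src))
```

The first deny entry covers all of 10.0.0.0 through 10.255.255.255, and 172.32.0.1 falls just outside the third entry, so it reaches the final permit.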