Caveats for Cisco IOS Release 12.0
78-6455-12
Resolved Caveats—Cisco IOS Release 12.0(3)
! Deny all multicasts, and all unspecified-net broadcasts, to port 514
access-list 101 deny udp any 224.0.0.0 31.255.255.255 eq 514
! Deny old-style unspecified-net broadcasts
access-list 101 deny udp any host 0.0.0.0 eq 514
! Deny network-specific broadcasts. This example assumes that all of
! the local interfaces are on the class B network 172.16.0.0, subnetted
! everywhere with mask 255.255.255.0. This will differ from network
! to network. Note that we block both new-style and old-style broadcasts.
access-list 101 deny udp any 172.16.0.255 0.0.255.0 eq 514
access-list 101 deny udp any 172.16.0.0 0.0.255.0 eq 514
! Deny packets sent to the addresses of our own network interfaces.
access-list 101 deny udp any host 172.16.1.1 eq 514
access-list 101 deny udp any host 172.16.2.1 eq 514
access-list 101 deny udp any host 172.16.3.3 eq 514
! Permit all other traffic (default would be to deny)
access-list 101 permit ip any any
! Apply the access list to the input side of each interface
interface ethernet 0
 ip address 172.16.1.1 255.255.255.0
 ip access-group 101 in
interface ethernet 2
 ip address 172.16.2.1 255.255.255.0
 ip access-group 101 in
interface ethernet 3
 ip address 172.16.3.3 255.255.255.0
 ip access-group 101 in
It can be complicated to list all possible addresses, and especially all possible broadcast addresses,
to which attack packets might be sent. If you do not expect to receive any legitimate syslog traffic
on an interface, you might wish to simply block all syslog traffic arriving on that interface.
Remember that this affects traffic routed through the Cisco IOS device as well as traffic destined to
the device. Input access lists have an impact on system performance, and should be installed with
a degree of caution, especially on systems that are running very near their capacity limits.
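To check that access list 101 above actually covers the broadcast and multicast destinations while still letting unicast syslog through, the following added Python example (not from Cisco's release notes) transcribes the list into a table and evaluates sample UDP packets against it using Cisco wildcard-mask semantics. The packets and the 172.16.0.0/16 addressing are the constructed values from the configuration above.

```python
import ipaddress

# Access list 101 transcribed as (action, destination, wildcard, udp port).
# "any" is 0.0.0.0 with wildcard 255.255.255.255; "host x" has wildcard 0.0.0.0.
# A port of None marks the final "permit ip any any", which matches every protocol.
ACL_101 = [
    ("deny",   "224.0.0.0",    "31.255.255.255",  514),   # multicast and 255.255.255.255
    ("deny",   "0.0.0.0",      "0.0.0.0",         514),   # old-style unspecified-net broadcast
    ("deny",   "172.16.0.255", "0.0.255.0",       514),   # new-style broadcasts 172.16.x.255
    ("deny",   "172.16.0.0",   "0.0.255.0",       514),   # old-style broadcasts 172.16.x.0
    ("deny",   "172.16.1.1",   "0.0.0.0",         514),   # the router's own interfaces
    ("deny",   "172.16.2.1",   "0.0.0.0",         514),
    ("deny",   "172.16.3.3",   "0.0.0.0",         514),
    ("permit", "0.0.0.0",      "255.255.255.255", None),  # permit ip any any
]


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl, dst_ip, dst_port, proto="udp"):
    """Return the action of the first matching entry, else the implicit deny."""
    for action, base, wildcard, port in acl:
        if port is not None and (proto != "udp" or dst_port != port):
            continue  # "udp ... eq 514" entries only match UDP to that port
        if wildcard_match(dst_ip, base, wildcard):
            return action
    return "deny"  # every IOS access list ends with an implicit deny


if __name__ == "__main__":
    # Constructed sample packets: attack-style destinations and a legitimate syslog server.
    for ip, port in [("255.255.255.255", 514), ("172.16.5.255", 514),
                     ("172.16.5.0", 514), ("172.16.2.1", 514),
                     ("172.16.2.50", 514), ("10.0.0.255", 514)]:
        print(f"udp -> {ip}:{port}: {evaluate(ACL_101, ip, port)}")
```

Note that a directed broadcast for a network that is not in the table (10.0.0.255 in the sample) is still permitted, which is the point the text makes about how hard it is to enumerate every broadcast address.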
• CSCdk77654
An encryption session might not be set up properly if the access list applied to a crypto map
includes deny statements before permit statements.
Workaround: Remove the deny statements in the access list. A ramification of the workaround is
that more packets might match the encryption policy than were originally configured.