Protecting the Infrastructure Using ACLs

In an effort to protect switches and routers from various risks, both accidental and malicious, infrastructure-protection ACLs need to be deployed at network ingress points. These ACLs deny access from external sources to all infrastructure addresses, such as router interfaces. At the same time, these ACLs permit normal transit traffic to flow uninterrupted through the infrastructure. A common set of ACLs consists of filtering addresses that have no business entering the network, for example the private address space defined in RFC 1918 and the special-use addresses catalogued in RFC 3330 (since superseded by RFC 6890, which should be consulted for the current list).

Data received by a router can be divided into two broad categories:

• Traffic that passes through the switch or router (transit traffic, handled by the data plane)

• Traffic destined to the switch or router itself (handled by the control plane)

In normal operation, the vast majority of traffic flows through the infrastructure to reach its ultimate destination. However, several cases exist where the route processor or switch processor (RP/SP) must directly handle data, most notably routing protocols, remote router access (such as Secure Shell [SSH]), and network management traffic (such as Simple Network Management Protocol [SNMP]). In addition, protocols such as ICMP and packets carrying IP options can require direct processing by the RP/SP. Most often, direct access to the infrastructure should be permitted only when it is initiated from internal sources. There are a few notable exceptions, such as Border Gateway Protocol (BGP) peering; protocols that terminate on the RP/SP, such as Generic Routing Encapsulation (GRE); and potentially a limited set of ICMP packets for connectivity testing, such as echo-request or ICMP unreachable and Time to Live (TTL) exceeded messages, which traceroute relies on to work properly.

NOTE ICMP is often used for simple DoS attacks; it should be permitted from external sources only if necessary, and then only the specific message types that are needed.

Although the data plane of most switches can handle millions of packets per second, the same does not hold true for the control plane. The data plane is usually made up of ASICs built to switch packets from one port to another as fast as possible. The control plane, on the other hand, is often built around generic general-purpose processors. Excessive traffic destined to the control plane can easily overwhelm the switch, causing high CPU utilization that ultimately results in unwanted and unpredictable behavior (dropped routing adjacencies, unresponsive management sessions). By filtering access to infrastructure devices from external sources, many of the risks associated with a direct attack on a switch or router are mitigated: externally sourced packets can no longer reach infrastructure equipment at all, so only the explicitly permitted exceptions (such as the BGP peer) are even able to consume RP/SP cycles. Example 16-1 shows a common ingress edge filtering ACL.

Example 16-1 IPv4 Infrastructure Protection ACL

!--- Entries are evaluated top down and the first match wins; every IOS ACL
!--- ends with an implicit "deny ip any any", so the final permit is required.
!--- Anti-spoofing entries first
!--- Deny special-use address sources.
!--- Refer to RFC 3330 for additional special-use addresses.
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
!--- 224.0.0.0/3 covers multicast (224/4) and reserved class E (240/4) sources.
access-list 100 deny ip 224.0.0.0 31.255.255.255 any
!--- Filter RFC 1918 space.
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
!--- Deny your own IP space as a source from entering your network.
access-list 100 deny ip YOUR_IP_RANGE any
!--- Permit BGP. These must come before the infrastructure deny below,
!--- or the peering session is dropped.
access-list 100 permit tcp host bgp_peer host router_ip eq bgp
access-list 100 permit tcp host bgp_peer eq bgp host router_ip
!--- Deny access to internal infrastructure addresses.
access-list 100 deny ip any INTERNAL_INFRASTRUCTURE_ADDRESSES
!--- Permit transit traffic.
access-list 100 permit ip any any


The ACL in Example 16-1 provides a good starting template for infrastructure protection. Naturally, modify it to fit your network environment: replace YOUR_IP_RANGE and INTERNAL_INFRASTRUCTURE_ADDRESSES with your own prefixes, add a permit line for every legitimate external peer ahead of the infrastructure deny, and check the per-entry hit counts (show access-lists) to confirm that the deny entries are matching spoofed traffic rather than your own sessions. For more information on applying ingress ACLs, see RFC 2267 (since obsoleted by RFC 2827, BCP 38).
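To make the first-match behavior of Example 16-1 concrete, the following Python script is an added example (not from this chapter or from Cisco) that parses the ACL into entries and evaluates constructed sample packets against it. The placeholder values are assumptions: the BGP peer is 203.0.113.2, the router address is 198.51.100.1, YOUR_IP_RANGE is 198.51.100.0/24, the infrastructure addresses are 198.51.100.0/25, and the port names bgp/ssh/snmp map to 179/22/161. It also shows why the BGP permits must precede the infrastructure deny: with every deny moved ahead of the permits, the same BGP packet is dropped.

```python
"""Toy first-match evaluator for the Cisco IOS-style ACL in Example 16-1.

Added example, not from the chapter or from Cisco. It handles only the
syntax subset the example uses: 'access-list N permit|deny PROTO SRC
[eq PORT] DST [eq PORT]' with SRC/DST as 'any', 'host A' or 'A WILDCARD'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed sample values for the template placeholders (not from the page):
# 203.0.113.0/24 plays "the Internet", 198.51.100.0/24 is "your" space and
# 198.51.100.0/25 holds the infrastructure (router interfaces, loopbacks).
PLACEHOLDERS = {
    "bgp_peer": "203.0.113.2",
    "router_ip": "198.51.100.1",
    "YOUR_IP_RANGE": "198.51.100.0 0.0.0.255",
    "INTERNAL_INFRASTRUCTURE_ADDRESSES": "198.51.100.0 0.0.0.127",
}
NAMED_PORTS = {"bgp": 179, "ssh": 22, "snmp": 161}

# The entries of Example 16-1, comments stripped.
ACL_TEXT = """
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 deny ip 224.0.0.0 31.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip YOUR_IP_RANGE any
access-list 100 permit tcp host bgp_peer host router_ip eq bgp
access-list 100 permit tcp host bgp_peer eq bgp host router_ip
access-list 100 deny ip any INTERNAL_INFRASTRUCTURE_ADDRESSES
access-list 100 permit ip any any
"""


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: Tuple[int, int]  # (network as int, mask as int); mask = ~wildcard
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]
    text: str


def _parse_addr(tok: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return (0, 0), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0xFFFFFFFF), i + 2
    net = int(ipaddress.IPv4Address(tok[i]))
    mask = ~int(ipaddress.IPv4Address(tok[i + 1])) & 0xFFFFFFFF  # wildcard 1 = don't care
    return (net & mask, mask), i + 2


def _parse_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else NAMED_PORTS[p]), i + 2
    return None, i


def parse_acl(text: str) -> List[Entry]:
    entries = []
    for line in text.strip().splitlines():
        for name, value in PLACEHOLDERS.items():
            line = line.replace(name, value)
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue  # blank lines and '!---' comments
        src, i = _parse_addr(tok, 4)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        entries.append(Entry(tok[2], tok[3], src, sport, dst, dport, line))
    return entries


def _addr_match(spec: Tuple[int, int], addr: str) -> bool:
    net, mask = spec
    return int(ipaddress.IPv4Address(addr)) & mask == net


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_addr_match(e.src, p.src) and _addr_match(e.dst, p.dst)):
        return False
    if e.sport is not None and e.sport != p.sport:
        return False
    return e.dport is None or e.dport == p.dport


def evaluate(entries: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """First match wins; (deny, None) is the implicit deny at the end of every ACL."""
    for idx, e in enumerate(entries):
        if entry_matches(e, p):
            return e.action, idx
    return "deny", None


# Constructed sample packets (not captured traffic).
SAMPLE_PACKETS: Dict[str, Packet] = {
    "bgp_open": Packet("tcp", "203.0.113.2", "198.51.100.1", 40001, 179),
    "bgp_reply": Packet("tcp", "203.0.113.2", "198.51.100.1", 179, 40001),
    "ext_ssh": Packet("tcp", "203.0.113.77", "198.51.100.1", 50000, 22),
    "ext_ping": Packet("icmp", "203.0.113.77", "198.51.100.1"),
    "rfc1918": Packet("udp", "10.1.2.3", "198.51.100.200", 1, 53),
    "own_spoof": Packet("tcp", "198.51.100.9", "198.51.100.200", 1, 80),
    "transit": Packet("tcp", "203.0.113.77", "198.51.100.200", 50000, 443),
}


def classify_samples(entries: Optional[List[Entry]] = None) -> Dict[str, str]:
    entries = parse_acl(ACL_TEXT) if entries is None else entries
    return {name: evaluate(entries, p)[0] for name, p in SAMPLE_PACKETS.items()}


def denies_first(entries: List[Entry]) -> List[Entry]:
    """Misordered variant: every deny ahead of every permit. The BGP permits now
    sit behind 'deny ip any INTERNAL_INFRASTRUCTURE_ADDRESSES' and peering dies."""
    return [e for e in entries if e.action == "deny"] + [e for e in entries if e.action == "permit"]


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for name, pkt in SAMPLE_PACKETS.items():
        action, idx = evaluate(acl, pkt)
        print(f"{name:10} -> {action:6} by entry {idx}")
    print("bgp_open with denies first ->", evaluate(denies_first(acl), SAMPLE_PACKETS["bgp_open"]))
```

Run it as a script to see which entry each sample packet hits: the BGP exchange is permitted by the two peer entries, SSH and ping from an external host to the router address fall through to the infrastructure deny, the RFC 1918 and own-prefix sources are dropped by the anti-spoofing entries, and ordinary transit traffic reaches the final permit. The denies_first variant is the mistake to avoid when extending the template: any permit for a peer or management station that is placed after the infrastructure deny is never reached.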