04 August, 2014

Access Control List

The right tool for the right job.

Vocab:
- ACL (Access Control List)
- ACE (Access Control Entry, one line of an ACL)
- VACL (VLAN ACL)
- tACL (transit ACL: filters traffic passing through the device)
- iACL (infrastructure ACL: deployed at the network edge to protect the infrastructure address space from outside)
- rACL (receive ACL: filters traffic destined to the router itself, i.e. the control plane)

The list below is an iACL for the edge router R2: 55.44.33.192/28 is its infrastructure block, 55.44.33.195 the address the external BGP peer 12.23.34.45 talks to, and 55.44.33.200 another infrastructure address. Entries are evaluated in order, the first match wins, and an implicit deny sits at the end.

! Anti-spoofing entries: drop packets from outside that carry the router's own addresses as source
R2(config)#access-list 110 deny ip host 55.44.33.195 any
R2(config)#access-list 110 deny ip host 55.44.33.200 any

! Deny special-use address sources
* Note: refer to RFC 3330 for the full special-use list (since obsoleted by RFC 5735 and RFC 6890). Review bogon entries periodically: blocks marked "reserved but subject to allocation" do get allocated, and a stale filter then drops legitimate traffic.

R2(config)#access-list 110 deny ip host 0.0.0.0 any
R2(config)#access-list 110 deny ip 127.0.0.0 0.255.255.255 any
R2(config)#access-list 110 deny ip 192.0.2.0 0.0.0.255 any
! Wildcard 31.255.255.255 covers 224.0.0.0/3: multicast (224/4) and reserved (240/4) as source
R2(config)#access-list 110 deny ip 224.0.0.0 31.255.255.255 any

! Deny RFC 1918 private space as source
R2(config)#access-list 110 deny ip 10.0.0.0 0.255.255.255 any
R2(config)#access-list 110 deny ip 172.16.0.0 0.15.255.255 any
R2(config)#access-list 110 deny ip 192.168.0.0 0.0.255.255 any

! Deny your own address space as source on packets entering from outside
! Deploy this entry only at the AS edge; inside the network your own space is a legitimate source
R2(config)#access-list 110 deny ip 55.44.33.192 0.0.0.15 any

! Permit BGP with the peer in both directions of the TCP session: to port 179 on the router
! (peer-initiated sessions) and from port 179 on the peer (router-initiated sessions).
! These must precede the infrastructure deny below, since the first match wins.
R2(config)#access-list 110 permit tcp host 12.23.34.45 host 55.44.33.195 eq bgp
R2(config)#access-list 110 permit tcp host 12.23.34.45 eq bgp host 55.44.33.195

! Deny all other access to the infrastructure addresses
R2(config)#access-list 110 deny ip any host 55.44.33.195
R2(config)#access-list 110 deny ip any host 55.44.33.200

! Permit transit traffic; without this the implicit deny at the end would drop everything else
R2(config)#access-list 110 permit ip any any

! Verify configuration (the list has no effect until applied inbound on the
! outside-facing interface with ip access-group 110 in; once traffic hits it,
! show access-list also reports per-entry match counters)

R2(config)#do show access-list 110
Extended IP access list 110
    10 deny ip host 55.44.33.195 any
    20 deny ip host 55.44.33.200 any
    30 deny ip host 0.0.0.0 any
    40 deny ip 127.0.0.0 0.255.255.255 any
    50 deny ip 192.0.2.0 0.0.0.255 any
    60 deny ip 224.0.0.0 31.255.255.255 any
    70 deny ip 10.0.0.0 0.255.255.255 any
    80 deny ip 172.16.0.0 0.15.255.255 any
    90 deny ip 192.168.0.0 0.0.255.255 any
    100 deny ip 55.44.33.192 0.0.0.15 any
    110 permit tcp host 12.23.34.45 host 55.44.33.195 eq bgp
    120 permit tcp host 12.23.34.45 eq bgp host 55.44.33.195
    130 deny ip any host 55.44.33.195
    140 deny ip any host 55.44.33.200
    150 permit ip any any
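As an added example (not part of the original notes), a small Python evaluator for the numbered extended ACL above: it parses the `access-list 110` lines (carrying the RFC 1918 entry as 192.168.0.0/16), renders wildcard masks as CIDR for review, and evaluates constructed sample packets in first-match order with the implicit deny, so the ordering of the BGP permits against the infrastructure deny can be checked before the list touches a router. The sample packets and the outside addresses 198.51.100.7 and 203.0.113.9 are constructed for the example; only the `any | host A | A WILDCARD` address forms and an `eq PORT` qualifier are handled.

```python
"""Offline evaluator for a Cisco IOS extended numbered ACL (added example).

Handles the subset used by access-list 110: ip|tcp|udp|icmp, any | host A |
A WILDCARD address specs and an optional 'eq PORT'. Entries match first-hit
in the order given, with the implicit deny at the end, as IOS does.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"bgp": 179, "ssh": 22, "telnet": 23, "domain": 53, "www": 80}

# Constructed copy of the page's ACL, with the RFC 1918 entry as 192.168.0.0/16.
ACL_110 = """
! Anti-spoofing, special-use and RFC 1918 sources
R2(config)#access-list 110 deny ip host 55.44.33.195 any
R2(config)#access-list 110 deny ip host 55.44.33.200 any
R2(config)#access-list 110 deny ip host 0.0.0.0 any
R2(config)#access-list 110 deny ip 127.0.0.0 0.255.255.255 any
R2(config)#access-list 110 deny ip 192.0.2.0 0.0.0.255 any
R2(config)#access-list 110 deny ip 224.0.0.0 31.255.255.255 any
R2(config)#access-list 110 deny ip 10.0.0.0 0.255.255.255 any
R2(config)#access-list 110 deny ip 172.16.0.0 0.15.255.255 any
R2(config)#access-list 110 deny ip 192.168.0.0 0.0.255.255 any
! Own space as source (AS edge only), then BGP before the infrastructure deny
R2(config)#access-list 110 deny ip 55.44.33.192 0.0.0.15 any
R2(config)#access-list 110 permit tcp host 12.23.34.45 host 55.44.33.195 eq bgp
R2(config)#access-list 110 permit tcp host 12.23.34.45 eq bgp host 55.44.33.195
R2(config)#access-list 110 deny ip any host 55.44.33.195
R2(config)#access-list 110 deny ip any host 55.44.33.200
R2(config)#access-list 110 permit ip any any
"""

@dataclass(frozen=True)
class Ace:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol
    src: int               # address as a 32-bit int
    src_wc: int            # wildcard mask: 1 bits are don't-care
    sport: Optional[int]   # None when the entry has no 'eq' qualifier
    dst: int
    dst_wc: int
    dport: Optional[int]

def _addr(tokens):
    """Consume one address spec and return (address, wildcard) as ints."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _port(tokens):
    """Consume an optional 'eq PORT' qualifier (named or numeric port)."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines in order."""
    aces = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[-1].strip()    # drop an 'R2(config)#' prompt if present
        if not line.startswith("access-list"):  # skips '!' comments and blank lines
            continue
        tokens = line.split()[2:]               # drop 'access-list' and the list number
        action, proto = tokens.pop(0), tokens.pop(0)
        src, src_wc = _addr(tokens)
        sport = _port(tokens)
        dst, dst_wc = _addr(tokens)
        dport = _port(tokens)
        aces.append(Ace(10 * (len(aces) + 1), action, proto, src, src_wc, sport, dst, dst_wc, dport))
    return aces

def wildcard_to_cidr(addr, wc):
    """Render ADDR/WILDCARD as CIDR; non-contiguous wildcards (legal in IOS) have no CIDR form."""
    if (wc + 1) & wc:                           # contiguous wildcards are of the form 2**k - 1
        raise ValueError("non-contiguous wildcard 0x%08x" % wc)
    return str(ipaddress.IPv4Network((addr & ~wc & 0xFFFFFFFF, 32 - wc.bit_length())))

def evaluate(aces, proto, src, sport, dst, dport):
    """Return (action, seq) of the first matching entry, or ('deny', None) for the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if (s ^ ace.src) & ~ace.src_wc:         # a differing bit outside the wildcard is a miss
            continue
        if (d ^ ace.dst) & ~ace.dst_wc:
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.seq
    return "deny", None

def check_samples(aces):
    """Constructed packets (proto, src, sport, dst, dport); 198.51.100.7 and 203.0.113.9 stand in for outside hosts."""
    samples = {
        "spoofed_router_source": ("ip", "55.44.33.195", None, "198.51.100.7", None),
        "bgp_syn_from_peer":     ("tcp", "12.23.34.45", 50123, "55.44.33.195", 179),
        "bgp_reply_from_peer":   ("tcp", "12.23.34.45", 179, "55.44.33.195", 50123),
        "ssh_to_infrastructure": ("tcp", "203.0.113.9", 40000, "55.44.33.200", 22),
        "rfc1918_source":        ("ip", "192.168.1.1", None, "55.44.33.50", None),
        "transit_http":          ("tcp", "203.0.113.9", 40001, "55.44.33.50", 80),
    }
    return {name: evaluate(aces, *pkt)[0] for name, pkt in samples.items()}

if __name__ == "__main__":
    acl = parse_acl(ACL_110)
    for a in acl:
        print(a.seq, a.action, a.proto, wildcard_to_cidr(a.src, a.src_wc), "->", wildcard_to_cidr(a.dst, a.dst_wc))
    for name, action in check_samples(acl).items():
        print(f"{name:24s} {action}")
```

Swapping the two BGP permits below the `deny ip any host 55.44.33.195` entry in `ACL_110` and re-running `check_samples` shows the peering session being dropped, which is the ordering mistake the evaluator is meant to catch.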

RFC 3330, Special-Use IPv4 Addresses (September 2002), summary table:
   Address Block             Present Use                       Reference
   ---------------------------------------------------------------------
   0.0.0.0/8            "This" Network                 [RFC1700, page 4]
   10.0.0.0/8           Private-Use Networks                   [RFC1918]
   14.0.0.0/8           Public-Data Networks         [RFC1700, page 181]
   24.0.0.0/8           Cable Television Networks
   39.0.0.0/8           Reserved but subject to allocation     [RFC1797]
   127.0.0.0/8          Loopback                       [RFC1700, page 5]
   128.0.0.0/16         Reserved but subject to allocation
   169.254.0.0/16       Link Local
   172.16.0.0/12        Private-Use Networks                   [RFC1918]
   191.255.0.0/16       Reserved but subject to allocation
   192.0.0.0/24         Reserved but subject to allocation
   192.0.2.0/24         Test-Net
   192.88.99.0/24       6to4 Relay Anycast                     [RFC3068]
   192.168.0.0/16       Private-Use Networks                   [RFC1918]
   198.18.0.0/15        Net Interconnect Device Benchmark Test [RFC2544]
   223.255.255.0/24     Reserved but subject to allocation
   224.0.0.0/4          Multicast                              [RFC3171]
   240.0.0.0/4          Reserved for Future Use        [RFC1700, page 4]

This table is a snapshot: RFC 3330 was obsoleted by RFC 5735 (January 2010), itself obsoleted by RFC 6890 (April 2013). Several entries, including 14/8, 24/8, 39/8 and the blocks marked "reserved but subject to allocation", have since been allocated and are routed on the Internet, so they must not be carried into a bogon filter without checking the current special-purpose address registry.