2016:nsrc-tein-mmren:filtering-lab [2016/05/01 08:50] (current)
philip created
====== Ingress and Egress Filtering ======

These exercises show IP filtering techniques that significantly improve the security of your network, and of the whole Internet, by preventing IP packets with “spoofed” source addresses from either entering or leaving your AS. For a more complete explanation of these concepts, see the IETF’s BCP 38 and BCP 84 documents:

http://www.ietf.org/rfc/rfc2827.txt

http://www.ietf.org/rfc/rfc3704.txt
 +
===== Outbound Packet Filtering =====

Traffic leaving your AS should only carry source addresses that belong to your AS; anything else is spoofed and must be dropped before it reaches the NREN.

On your Border router, on the interface facing the NREN:

  ip access-list extended to-nren
   remark BCP38 egress: only our own source addresses may leave
   permit ip 100.68.X.0 0.0.0.255 any
   deny ip any any
  !
  interface FastEthernet0/0
   ip access-group to-nren out
  !

Do the same for IPv6:

  ipv6 access-list to-nren-v6
   remark BCP38 egress: only our own IPv6 prefix may leave
   permit ipv6 2001:DB8:X::/48 any
   deny ipv6 any any
  !
  interface FastEthernet0/0
   ipv6 traffic-filter to-nren-v6 out
  !
 +
===== Inbound Packet Filtering =====

Traffic received from outside your campus should never be sourced from IP address space that belongs to your AS; such packets are spoofed and must be dropped at the border.

On your Border router, on the interface facing the NREN:

  ip access-list extended from-nren
   remark BCP38 ingress: our own prefix must never arrive from outside
   deny ip 100.68.X.0 0.0.0.255 any
   permit ip any any
  !
  interface GigabitEthernet0/0
   ip access-group from-nren in
  !

Do the same for IPv6:

  ipv6 access-list from-nren-v6
   remark BCP38 ingress: our own IPv6 prefix must never arrive from outside
   deny ipv6 2001:DB8:X::/48 any
   permit ipv6 any any
  !
  interface FastEthernet0/0
   ipv6 traffic-filter from-nren-v6 in
  !
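To see what the outbound and inbound access lists above actually do to a packet, the following evaluator, an added example that is not part of the lab or of Cisco IOS, parses the to-nren, from-nren and to-nren-v6 lists (with X = 1 as an assumed lab value) and applies first-match-wins plus the implicit deny, as the router does. It only understands the permit/deny forms used on this page: a source given as address plus wildcard mask, an IPv6 prefix, or any.

```python
import ipaddress

# Constructed sample ACLs copied from the lab text, with X = 1 assumed.
TO_NREN = """ip access-list extended to-nren
 permit ip 100.68.1.0 0.0.0.255 any
 deny ip any any"""
FROM_NREN = """ip access-list extended from-nren
 deny ip 100.68.1.0 0.0.0.255 any
 permit ip any any"""
TO_NREN_V6 = """ipv6 access-list to-nren-v6
 permit ipv6 2001:DB8:1::/48 any
 deny ipv6 any any"""

def wildcard_to_network(addr, wildcard):
    """Turn a Cisco 'address wildcard' pair into a network; wildcard 1-bits are 'don't care'."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    plen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} does not describe a prefix")
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)

def parse_acl(text):
    """Return [(action, source_network)] in ACL order; None stands for 'any'."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("permit", "deny"):
            continue  # skip the access-list header line, remarks and '!' separators
        action, proto, src = parts[0], parts[1], parts[2]
        if src == "any":
            entries.append((action, None))
        elif proto == "ipv6":
            entries.append((action, ipaddress.ip_network(src, strict=False)))
        else:
            entries.append((action, wildcard_to_network(src, parts[3])))
    return entries

def evaluate(entries, src):
    """First matching entry wins, as on IOS; the implicit deny at the end catches the rest."""
    ip = ipaddress.ip_address(src)
    for action, net in entries:
        if net is None or (net.version == ip.version and ip in net):
            return action
    return "deny"

if __name__ == "__main__":
    for src in ("100.68.1.10", "192.0.2.1"):  # own prefix, then a spoofed source leaving
        print("to-nren  ", src, "->", evaluate(parse_acl(TO_NREN), src))
    for src in ("198.51.100.7", "100.68.1.10"):  # outside source, then own prefix arriving
        print("from-nren", src, "->", evaluate(parse_acl(FROM_NREN), src))
```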
 +
===== Management VLAN filtering =====

In the Layer 2 labs, we created a management VLAN for managing the switches (SSH, SNMP, etc.). To protect that network from unauthorised access, you need to implement filtering at the router level, so that only hosts on the NOC subnet can reach the management addresses.

Here we assume that the NOC subnet is 100.68.X.128/28.

On your Core router:

  ip access-list extended to-mgmt
   remark only the NOC subnet may reach the management VLANs
   permit ip 100.68.X.128 0.0.0.15 any
   deny ip any any
  !
  interface FastEthernet0/1.41
   ip access-group to-mgmt out
  !
  interface FastEthernet1/0.42
   ip access-group to-mgmt out
  !

If your Core router is a Layer 3 switch, the two management interfaces above will be VLAN 41 and VLAN 42 respectively.

Do the same for IPv6:

  ipv6 access-list to-mgmt-v6
   remark only the NOC IPv6 subnet may reach the management VLANs
   permit ipv6 2001:db8:X:3::/64 any
   deny ipv6 any any
  !
  interface FastEthernet0/1.41
   ipv6 traffic-filter to-mgmt-v6 out
  !
  interface FastEthernet1/0.42
   ipv6 traffic-filter to-mgmt-v6 out
  !

Check connectivity to the Management subnet. Are you able to access the Management addresses of the building switches from the Border and Core routers now?

What about access from the Management subnets of the switches out to the Internet? Are you able to explain to the instructors what is happening now?
  
2016/nsrc-tein-mmren/filtering-lab.txt · Last modified: 2016/05/01 08:50 by philip