Ingress and Egress Filtering

These exercises show important IP filtering techniques that significantly improve the security of your network, and of the whole Internet, by preventing IP packets with “spoofed” source addresses from either entering or leaving your AS. For a more complete explanation of these concepts, see the IETF’s BCP 38 and BCP 84 documents:

http://www.ietf.org/rfc/rfc2827.txt

http://www.ietf.org/rfc/rfc3704.txt

Outbound Packet Filtering

Traffic leaving your AS should only carry source addresses that belong to your AS; anything else is spoofed and must be dropped at the border:

On your Border router:

ip access-list extended to-nren
 permit ip 100.68.X.0 0.0.0.255 any
 deny ip any any
!
interface FastEthernet0/0
 ip access-group to-nren out
!

Do the same for IPv6:

ipv6 access-list to-nren-v6
 permit ipv6 2001:DB8:X::/48 any
 deny ipv6 any any
!
interface FastEthernet0/0
 ipv6 traffic-filter to-nren-v6 out
!

Inbound Packet Filtering

Traffic received from outside your campus should never be sourced from IP address space that belongs in your AS.

On your Border router:

ip access-list extended from-nren
 deny ip 100.68.X.0 0.0.0.255 any
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group from-nren in
!

Do the same for IPv6:

ipv6 access-list from-nren-v6
 deny ipv6 2001:DB8:X::/48 any
 permit ipv6 any any
!
interface FastEthernet0/0
 ipv6 traffic-filter from-nren-v6 in
!

Management VLAN filtering

In the Layer 2 labs, we created a management VLAN for managing the switches (SSH, SNMP, etc.). To protect that network from malicious access, you will need to implement filtering at the router level so that only the NOC subnet can reach the management addresses.

Here we assume that the NOC subnet is 100.68.X.128/28.

On your Core router:

ip access-list extended to-mgmt
 permit ip 100.68.X.128 0.0.0.15 any
 deny ip any any
!
interface FastEthernet0/1.41
 ip access-group to-mgmt out
!
interface FastEthernet1/0.42
 ip access-group to-mgmt out
!

If your core Router is a Layer 3 switch, the two management interfaces above will be VLAN 41 and VLAN 42 respectively.

Do the same for IPv6:

ipv6 access-list to-mgmt-v6
 permit ipv6 2001:db8:X:3::/64 any
 deny ipv6 any any
!
interface FastEthernet0/1.41
 ipv6 traffic-filter to-mgmt-v6 out
!
interface FastEthernet1/0.42
 ipv6 traffic-filter to-mgmt-v6 out
!
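All three filters on this page (to-nren, from-nren and to-mgmt) are instances of one rule: either permit only a set of source prefixes and deny the rest, or deny a set of source prefixes and permit the rest. The Python script below is an added example, not part of the lab page and not a Cisco tool: it generates the IPv4 and IPv6 ACL lines for the border and management filters from a prefix list (deriving the IOS wildcard masks, e.g. 0.0.0.255 for a /24 and 0.0.0.15 for a /28), and then evaluates a few constructed sample packets against the same source-address rule so you can see which ones each filter drops. The group number X=1, the NOC prefix values and the sample packet addresses are assumptions made for the example; only the source address is modelled, not the destination or protocol fields of a real ACL entry.

```python
"""Added example: build the BCP 38 border ACLs and the management-VLAN ACL
from a prefix list, and check constructed sample packets against them."""
import ipaddress
from typing import Dict, List, Tuple

# Assumed lab values. X stands for the group number in the lab addressing
# plan; 1 is a placeholder chosen for this example.
X = 1
AS_PREFIXES = [f"100.68.{X}.0/24", f"2001:DB8:{X}::/48"]       # address space of the AS
NOC_PREFIXES = [f"100.68.{X}.128/28", f"2001:DB8:{X}:3::/64"]  # NOC / management sources


def source_term(net) -> str:
    """Render a prefix the way an IOS ACL entry expects it: IPv4 ACLs use
    'network wildcard' (wildcard = inverted subnet mask), IPv6 ACLs use CIDR."""
    if net.version == 4:
        return f"{net.network_address} {net.hostmask}"
    return str(net)


def build_acl(name: str, prefixes: List[str], mode: str) -> Dict[str, List[str]]:
    """Return IOS config lines for an IPv4 ACL and its IPv6 counterpart.

    mode="permit-only": permit the listed sources, deny everything else
        (egress filter to-nren, management filter to-mgmt).
    mode="deny-listed": deny the listed sources, permit everything else
        (ingress filter from-nren).
    """
    if mode not in ("permit-only", "deny-listed"):
        raise ValueError(f"unknown mode {mode!r}")
    listed, rest = ("permit", "deny") if mode == "permit-only" else ("deny", "permit")
    v4 = [f"ip access-list extended {name}"]
    v6 = [f"ipv6 access-list {name}-v6"]  # IOS IPv6 ACLs take no 'extended' keyword
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)  # reject host bits set in the prefix
        if net.version == 4:
            v4.append(f" {listed} ip {source_term(net)} any")
        else:
            v6.append(f" {listed} ipv6 {source_term(net)} any")
    v4.append(f" {rest} ip any any")
    v6.append(f" {rest} ipv6 any any")
    return {"ipv4": v4, "ipv6": v6}


def verdict(src: str, prefixes: List[str], mode: str) -> str:
    """Evaluate only the source-address part of the ACL for one packet.
    IOS matches first entry wins; every listed prefix carries the same
    action here, so order among them does not matter. An IPv4 address is
    never 'in' an IPv6 network (the ipaddress module returns False)."""
    addr = ipaddress.ip_address(src)
    listed = any(addr in ipaddress.ip_network(p) for p in prefixes)
    if mode == "permit-only":
        return "permit" if listed else "deny"
    return "deny" if listed else "permit"


# Which prefix list and rule each filter on the page uses.
FILTERS = {
    "to-nren": (AS_PREFIXES, "permit-only"),
    "from-nren": (AS_PREFIXES, "deny-listed"),
    "to-mgmt": (NOC_PREFIXES, "permit-only"),
}

# Constructed sample packets: (filter, source address, description).
SAMPLES = [
    ("to-nren", f"100.68.{X}.10", "campus host to the Internet"),
    ("to-nren", "192.0.2.7", "spoofed source leaving the AS"),
    ("from-nren", "198.51.100.9", "normal inbound packet"),
    ("from-nren", f"100.68.{X}.10", "our own IPv4 prefix arriving from outside"),
    ("from-nren", f"2001:db8:{X}::1", "our own IPv6 prefix arriving from outside"),
    ("to-mgmt", f"100.68.{X}.130", "NOC workstation to a switch"),
    ("to-mgmt", f"100.68.{X}.20", "student host to the management VLAN"),
]


def simulate(samples=SAMPLES) -> List[Tuple[str, str, str, str]]:
    """Run each sample through its filter; returns (filter, src, verdict, note)."""
    results = []
    for name, src, note in samples:
        prefixes, mode = FILTERS[name]
        results.append((name, src, verdict(src, prefixes, mode), note))
    return results


if __name__ == "__main__":
    for name, (prefixes, mode) in FILTERS.items():
        acl = build_acl(name, prefixes, mode)
        print("\n".join(acl["ipv4"] + ["!"] + acl["ipv6"] + ["!"]))
    for name, src, result, note in simulate():
        print(f"{name:10} {src:18} {result:6} {note}")
```

Running the script prints the three ACL pairs in the same form as the router configuration on this page, followed by one line per sample packet. The two from-nren samples sourced from the AS's own prefixes and the student host aimed at the management VLAN are the ones a correctly applied filter must drop; if a real router shows them passing, check that the ACL is applied in the right direction (out for to-nren and to-mgmt, in for from-nren) on the interface that actually carries that traffic.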

Check connectivity to the Management subnet. Are you able to access the Management addresses for the building switches from the Border and Core routers now?

What about access from the Management subnets of the switches out to the Internet? Are you able to explain to the instructors what is happening now?

master/cnd/filtering-lab.txt · Last modified: 2016/03/24 09:50 by philip