2157 Views · 5 Helpful · 3 Replies

Cisco 4331 - ACL using Object Group

utawakevou (Enthusiast)

Hi,

I've got two Cisco 4331s as my border routers participating in eBGP and iBGP. I've got an extended IP ACL configured as anti-spoofing to block incoming RFC 1918, APIPA and our own prefix.

With my syslog and NetFlow analyser we've noticed connections that are not supposed to come in via the border routers, so we are planning to create another ACL using object groups. We've got a fair idea of the trusted source and destination addresses and services.

What I've done so far is create multiple object groups and nest them (group-object) so that I have only three top-level object groups: Trusted_Source, Trusted_Destination and Trusted_Service.

I've been trying to get the ACL to use these object groups in multiple ways, but it doesn't seem to accept them. I tried two object groups in the current extended IP ACL, and that works.

I just need assistance with creating a one- or two-line ACL using object groups so that only trusted sources to trusted destinations for trusted services are allowed in, and the rest is dropped. We can then update the individual object groups as the need arises.

 

Any help will be really appreciated

3 Replies

Milos_Jovanovic (VIP Collaborator)

Hi @utawakevou,

Please take a look at this Cisco config guide and this blog.

BR,

Milos

Much appreciated @Milos_Jovanovic. Going through the documents I've come up with this two-line ACL and managed to configure it:

ip access-list extended INBOUND
 remark first x.x.x.x = remote WAN interface address, second x.x.x.x = local WAN interface address
 5 permit tcp host x.x.x.x host x.x.x.x eq bgp log-input
 remark Trusted_Inbound_Service = all protocols/ports to be allowed in
 remark External_Trusted_Endpoints = all network/host addresses to be allowed in
 remark Internal_Endpoints = all internal host addresses
 10 permit object-group Trusted_Inbound_Service object-group External_Trusted_Endpoints object-group Internal_Endpoints log-input

Do note that all object groups used above are nested groups, and I'm just concentrating on INBOUND and the WAN interface. Any further thoughts or comments that'll help or benefit our configuration will be highly appreciated.

 

Thanks

 

This looks ok.

However, I would advise removing 'log-input' at the end. If you enable logging on an ACL, processing doesn't go through hardware anymore and has to be done at the CPU level, so it can cause CPU spikes (at least that is how older platforms worked).

BR,

Milos
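Below is an added, complete IOS-XE configuration built the way the thread describes (nested object groups, a BGP peer entry, one object-group permit line, implicit deny), not the poster's actual config or anything from the linked Cisco guide. All addresses are placeholders from the RFC 5737 documentation ranges (192.0.2.0/24 stands in for "our prefix", 203.0.113.x for the WAN link, 198.51.100.x for partner sites) and every object-group name is an assumption. Three practitioner points are folded in: an interface takes only one IP ACL per direction, so the anti-spoofing denies and the trusted-endpoint permit have to live in the same list; the BGP entry needs a second line if this router may be the side that initiates the TCP session (then the peer's packets arrive sourced from port 179, not destined to it); and the list has no 'log'/'log-input' keywords, in line with the reply above, relying on the explicit final deny's hit counter instead.

```cisco
! Leaf groups: edit these as partners and services change
object-group network Partner_A
 description Partner A management hosts (placeholder addresses)
 host 198.51.100.10
 host 198.51.100.11
object-group network Partner_B
 description Partner B monitoring range (placeholder)
 198.51.100.64 255.255.255.192
object-group service Partner_Services
 description Inbound services the partners are allowed to reach
 tcp eq 443
 tcp eq 22
object-group service Vpn_Services
 description IKE/NAT-T for site-to-site VPN landing on the border
 udp eq 500
 udp eq 4500
 esp
!
! Top-level groups: the ACL references only these three
object-group network External_Trusted_Endpoints
 group-object Partner_A
 group-object Partner_B
object-group network Internal_Endpoints
 description Our own prefix (placeholder)
 192.0.2.0 255.255.255.0
object-group service Trusted_Inbound_Service
 group-object Partner_Services
 group-object Vpn_Services
!
ip access-list extended INBOUND
 remark --- anti-spoofing: RFC 1918, APIPA, and our own prefix as source ---
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 remark --- eBGP with the upstream: peer 203.0.113.2, local 203.0.113.1 (placeholders) ---
 remark peer-initiated session (our side listens on 179)
 permit tcp host 203.0.113.2 host 203.0.113.1 eq bgp
 remark locally-initiated session (peer answers from 179)
 permit tcp host 203.0.113.2 eq bgp host 203.0.113.1
 remark --- trusted sources to trusted destinations for trusted services only ---
 permit object-group Trusted_Inbound_Service object-group External_Trusted_Endpoints object-group Internal_Endpoints
 remark --- explicit deny so 'show ip access-lists' counts what was dropped ---
 deny ip any any
!
interface GigabitEthernet0/0/0
 description WAN uplink (placeholder interface)
 ip access-group INBOUND in
```

Verify the expansion with `show object-group` and the match counters with `show ip access-lists INBOUND` after some traffic has passed. One caveat the thread does not cover: this list is stateless, so return traffic for connections initiated from inside (web browsing, DNS, NTP to the outside) will also hit the final deny unless it is permitted explicitly (for example with the `established` keyword for TCP) or the border is fronted by a stateful firewall.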
