Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2581
Views
5
Helpful
3
Replies

Cisco 4331 - ACL using Object Group

utawakevou
Level 4
Level 4

‎08-16-2021 05:44 PM

Hi,

I’ve got two Cisco 4331 as my border routers participating in eBGP and iBGP. I’ve got an extended IP ACL as anti-spoofing configured to block incoming RFC 1918, APIPA and our prefix.

 

With my syslog and netflow analyser we’ve notice connectivity that are not supposed to come in via the border routers, so we are planning to create another ACL using object-groups. We’ve got a fair idea on trusted source and destination address and services.

 

What I’ve done so far is creating multiple object groups and using meshed group objects so I can have only 3 object groups such as Trusted_Source, Trusted_Destination, Trusted_Service

 

Been trying to get the ACL using these object groups in multiple ways but it seems like it can’t accept it. I tried two object groups in the current extended IP ACL, and it works.

 

Just need assistance with creating a one line or 2 ACL using object groups so that only trusted source to trusted destination for trusted services is allowed in. The rest is dropped. We can then update individual object groups as the need arise

 

Any help will be really appreciated

Labels:
0 Helpful
3 Replies 3

Milos_Jovanovic
VIP Alumni
VIP Alumni

‎08-17-2021 12:10 AM

Hi @utawakevou,

Please take a look at this Cisco config guide, and this blog.

BR,

Milos

utawakevou
Level 4
Level 4
In response to Milos_Jovanovic

‎08-17-2021 08:08 PM

Much appreciated @Milos_Jovanovic. Going through the documents I've come up with this two liner ACL and manage to configure

 

ip access-list extended INBOUND
5 permit tcp host x.x.x.x(remote WAN interface address) host x.x.x.x(local WAN interface address) eq bgp log-input
10 permit object-group Trusted_Inbound_Service (all object group for protocols/ports to be allowed in) object-group External_Trusted_Endpoints (all object group network/hosts address to be allowed in) object-group Internal_Endpoints (all internal hosts address) log-input

 

Do note all object groups used above are nested groups and I'm just concentrating on INBOUND and the WAN interface. Any further thoughts or comments that'll help or benefit our configuration will be highly appreciated

 

Thanks

 

0 Helpful

Milos_Jovanovic
VIP Alumni
VIP Alumni
In response to utawakevou

‎08-17-2021 10:42 PM

This looks ok.

However, I would advise to remove 'log-input' at the end. If you enable logging on ACL, processing doesn't go through hardware anymore, and it needs to be processed on CPU level so it can cause CPU spikes (at least that is how older platforms worked).

BR,

Milos

0 Helpful
Customers Also Viewed These Support Documents