08-16-2021 05:44 PM
Hi,
I've got two Cisco 4331s as my border routers participating in eBGP and iBGP. I've got an extended IP ACL configured as anti-spoofing to block incoming RFC 1918, APIPA and our own prefix.
With our syslog and NetFlow analyser we've noticed connections that are not supposed to come in via the border routers, so we are planning to create another ACL using object-groups. We've got a fair idea of the trusted source and destination addresses and services.
What I've done so far is create multiple object groups and nest them so that I end up with only three top-level object groups: Trusted_Source, Trusted_Destination and Trusted_Service.
I've been trying to write the ACL using these object groups in multiple ways, but it seems the router won't accept it. I tried two object groups in the current extended IP ACL, and that works.
I just need assistance creating a one- or two-line ACL using object groups so that only trusted sources to trusted destinations for trusted services are allowed in, and the rest is dropped. We can then update the individual object groups as the need arises.
Any help will be really appreciated
08-17-2021 12:10 AM
08-17-2021 08:08 PM
Much appreciated @Milos_Jovanovic. Going through the documents I've come up with this two-line ACL and managed to configure it:
ip access-list extended INBOUND
 remark first host = remote WAN interface address (source), second host = local WAN interface address (destination)
 5 permit tcp host x.x.x.x host x.x.x.x eq bgp log-input
 remark Trusted_Inbound_Service = all protocols/ports to be allowed in
 remark External_Trusted_Endpoints = all external networks/hosts to be allowed in
 remark Internal_Endpoints = all internal host addresses
 10 permit object-group Trusted_Inbound_Service object-group External_Trusted_Endpoints object-group Internal_Endpoints log-input
Do note that all object groups used above are nested groups, and I'm just concentrating on INBOUND on the WAN interface. Any further thoughts or comments that would help or benefit our configuration will be highly appreciated.
Thanks
08-17-2021 10:42 PM
This looks ok.
However, I would advise removing 'log-input' at the end. If you enable logging on an ACL, processing no longer goes through hardware; it has to be processed at CPU level, so it can cause CPU spikes (at least that is how older platforms worked).
BR,
Milos
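A complete, self-contained version of the design discussed in this thread, added here as an illustration; it is not taken from the original posts or from Cisco documentation. It assumes an ISR 4331 running IOS XE with the WAN uplink on GigabitEthernet0/0/0, the eBGP peer at 198.51.100.1, the local WAN address 198.51.100.2, 203.0.113.0/24 as our own advertised prefix and 192.0.2.0/24 as the trusted partner range (all RFC 5737 documentation addresses). The object-group names and their members are constructed for the example, and, following Milos's advice, no log keyword is used on the entries.

```cisco
! ---- Nested object groups: day-to-day changes go into the leaf groups, never into the ACL ----
! Object groups must exist before the ACL references them.
! Trusted external endpoints (constructed example members)
object-group network Partner_A_Hosts
 host 192.0.2.10
 host 192.0.2.11
object-group network Partner_B_Net
 192.0.2.128 255.255.255.128
object-group network External_Trusted_Endpoints
 group-object Partner_A_Hosts
 group-object Partner_B_Net
!
! Internal endpoints: these sit inside our own public prefix 203.0.113.0/24
object-group network Internal_Endpoints
 host 203.0.113.10
 host 203.0.113.20
!
! Trusted services, one leaf group per application
object-group service Web_Services
 tcp eq www
 tcp eq 443
object-group service VPN_Services
 udp eq 500
 udp eq 4500
 esp
object-group service Trusted_Inbound_Service
 group-object Web_Services
 group-object VPN_Services
!
! ---- Inbound ACL on the WAN interface ----
ip access-list extended INBOUND
 remark -- anti-spoofing: RFC 1918, APIPA and our own prefix must never arrive from outside
 10 deny ip 10.0.0.0 0.255.255.255 any
 20 deny ip 172.16.0.0 0.15.255.255 any
 30 deny ip 192.168.0.0 0.0.255.255 any
 40 deny ip 169.254.0.0 0.0.255.255 any
 50 deny ip 203.0.113.0 0.0.0.255 any
 remark -- eBGP with the upstream peer, both session directions
 remark    (peer opens the session -> our port 179; we open it -> peer port 179 is the source)
 60 permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp
 70 permit tcp host 198.51.100.1 eq bgp host 198.51.100.2
 remark -- trusted sources to trusted destinations for trusted services only
 80 permit object-group Trusted_Inbound_Service object-group External_Trusted_Endpoints object-group Internal_Endpoints
 remark -- explicit final deny, unlogged; the implicit deny would drop this anyway
 90 deny ip any any
!
interface GigabitEthernet0/0/0
 description WAN uplink to upstream provider
 ip access-group INBOUND in
```

Two points a practitioner should check before relying on this. First, the single BGP line in the thread only matches sessions the peer opens towards our port 179; if our router is the one that opens the session, the inbound packets carry port 179 as the source, which is why entry 70 is there (verify with show ip bgp neighbors 198.51.100.1 | include Local host, which prints the local and foreign ports in use). Second, the ACL is stateless: replies to connections your internal hosts open outward will also hit the final deny unless they match a permit (for example a permit tcp any object-group Internal_Endpoints established entry, or a stateful mechanism such as zone-based firewall), so watch the match counters in show ip access-lists INBOUND after applying it and confirm the nesting with show object-group. If you do need logging temporarily while tuning the groups, put it on a single deny entry rather than on the permits, and rate-limit it with ip access-list log-update threshold so a flood of denied packets cannot drive the CPU spikes Milos describes.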