Internet Router ASR1K - Hardening & QoSs, Routing Policies

Bilal Nawaz · ‎01-11-2014

Hello,

I'd be grateful if someone could share template or enlighten me on what kind of config I should be applying to an Internet router in terms of hardening and routing policies. These routers will have BGP peering with the ISP. And also have OSPF neighborship with ASA's to redistribute the default route downstream towards the internal network.

We will be expecting a default route from the ISP with tweaked MED values. We will be advertising out 3 address ranges. We also want to apply QoS inbound so that all external traffic coming inbound does not saturate our 1Gb internet pipe and still leaves enough bandwidth outbound. Obviously I dont want this to effect the BGP peering or the OSPF neighborships upstream and downstream respectively.

Thank you

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Collin Clark · ‎01-11-2014

Here's what I do-

https://supportforums.cisco.com/people/Collin_Clark/blog/2013/11/08/control-plane-protection-cppr

https://supportforums.cisco.com/people/Collin_Clark/blog/2013/07/15/public-internet-facing-acl

https://supportforums.cisco.com/docs/DOC-38522

http://www.packetpros.com/2012/08/copp-on-routers.html

Additionally and for BGP specifically

Password with the ISP

prefix-list filters for inbound and outbound routes

Finally here's my cut sheet for general security:

no service pad

no service config

no service finger

no ip icmp redirect

no ip bootp server

no ip finger

no ip gratuitous-arps

no ip source-route

service sequence-numbers

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime localtime show-timezone

service password-encryption

password encryption aes

no ip bootp server

no ip domain lookup

archive

log config

logging enable

logging size 200

notify syslog contenttype plaintext

hidekeys

path flash:archive-config/

write-memory

time-period 86400

memory reserve critical 4096

ip tcp synwait-time 5

ip ssh time-out 60

ip ssh authentication-retries 2

ip ssh version 2

kron occurrence SAVE_CONFIG_SCHED at 23:59 Fri recurring

policy-list SAVE_CONFIG_WEEKLY

kron policy-list SAVE_CONFIG_WEEKLY

cli write mem

line vty 0 4

session-timeout 10

exec-timeout 30 0

logging synchronous

transport input ssh

transport output none

exception memory ignore overflow processor

exception memory ignore overflow io

scheduler max-task-time 5000

scheduler allocate 20000 1000

login block-for 300 attempts 6 within 60
access-list 1330 permit [management devices] log
login quiet-mode access-class 1330
login on-failure log
login on-success log
login delay 5

Under the interfaces-

no ip redirects

no ip unreachables

no ip proxy-arp

no ip information-reply

no ip mask-reply

ip options drop

I also create a management VRF. There are of course misc items like AAA, logging, banner, access classes, NTP, SSH etc. On a recent job I did create a VRF specifically for BGP and left the global routing for management. I've been meaning to put all this together so I'll try and do that, then post the URL for future visitors.

*Note that the ASR does not yet support (even though it was roadmapped, grrr) object groups for ACL's.

Bilal Nawaz · ‎01-12-2014

Hello Collin, thanks for your reply.. interested in the public internet ACLs and the BGP filters, is there an example including filtering bogons...

Cant get to these btw...

https://supportforums.cisco.com/people/Collin_Clark/blog/2013/11/08/control-plane-protection-cppr

https://supportforums.cisco.com/people/Collin_Clark/blog/2013/07/15/public-internet-facing-acl

It appears you're not allowed to view what you requested. You might contact your administrator if you think this is a mistake.

Thank you

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Collin Clark · ‎01-11-2014

As far QoS inbound...I'm curious what others are doing. I recently had a customer (a school) that had a DDoS attack of flooded traffic. All the traffic had the same destination IP and port. The port wasn't a well-known so it was a traffic flood DDoS. Gigs of traffic was being sent. All that we could do was call the ISP and ask them to police that traffic. That worked, but we can't rely on out ISPs to continuously filter/police/shape all the DDoS stuff we see. I hope there is a solution out there that I don't know about. By the time traffic gets to our edge, there isn't much we can do (for traffic floods at least).

Bilal Nawaz · ‎01-12-2014

This is a worry... Actually primarily we were worried about the incoming - returning traffic from user web browsing to be a big hitter and need to allow for our hosted services to still be available.

Anyone out there got any ideas please share!

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Collin Clark · ‎01-12-2014

Shaping outgoing traffic will probably best "control" the amount of traffic coming back in. However downloads and streaming can eat up your bandwidth. You could shape/police those inbound as well. NBAR would be very helpful with the QoS policy.

mitra dray · ‎01-12-2014

Control plane policy ofcourse
Bgp md5
Tacacs
Syslog

An agreement with your upstream provider on blackhoke destination and source routing advertisements and urpf .

Also an inbound acl filtering the private addresses as source spoofed from the internet

And what tge others said :)

Sent from Cisco Technical Support iPhone App

Collin Clark · ‎01-12-2014

I built the document. Check it out here https://supportforums.cisco.com/docs/DOC-39394