01-11-2014 12:09 AM - edited 03-04-2019 10:02 PM
Hello,
I'd be grateful if someone could share a template or enlighten me on what kind of config I should be applying to an Internet router in terms of hardening and routing policies. These routers will have BGP peering with the ISP, and also have OSPF neighborship with ASAs to redistribute the default route downstream towards the internal network.
We will be expecting a default route from the ISP with tweaked MED values. We will be advertising out 3 address ranges. We also want to apply QoS inbound so that all external traffic coming inbound does not saturate our 1Gb Internet pipe and still leaves enough bandwidth outbound. Obviously I don't want this to affect the BGP peering or the OSPF neighborships upstream and downstream respectively.
Thank you
Please rate useful posts & remember to mark any solved questions as answered. Thank you.
01-11-2014 08:00 AM
Here's what I do-
https://supportforums.cisco.com/people/Collin_Clark/blog/2013/11/08/control-plane-protection-cppr
https://supportforums.cisco.com/people/Collin_Clark/blog/2013/07/15/public-internet-facing-acl
https://supportforums.cisco.com/docs/DOC-38522
http://www.packetpros.com/2012/08/copp-on-routers.html
Additionally, and for BGP specifically:
Password with the ISP
Prefix-list filters for inbound and outbound routes
Finally, here's my cut sheet for general security:
! Disable legacy and unneeded services
no service pad
no service config
no service finger
no ip icmp redirect
no ip bootp server
no ip finger
no ip gratuitous-arps
no ip source-route
! Logging, timestamps and session hygiene
service sequence-numbers
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
password encryption aes
no ip domain lookup
! Configuration archive: log every change to syslog (keys hidden) and keep a daily copy on flash
archive
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
 path flash:archive-config/
 write-memory
 time-period 86400
! Resource protection
memory reserve critical 4096
ip tcp synwait-time 5
! SSH: version 2 only, short negotiation timeout, few retries
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
! Scheduled weekly "write mem" via kron
kron occurrence SAVE_CONFIG_SCHED at 23:59 Fri recurring
 policy-list SAVE_CONFIG_WEEKLY
kron policy-list SAVE_CONFIG_WEEKLY
 cli write mem
! VTY lines: SSH in only, no outbound sessions
line vty 0 4
 session-timeout 10
 exec-timeout 30 0
 logging synchronous
 transport input ssh
 transport output none
! Memory and scheduler guard rails
exception memory ignore overflow processor
exception memory ignore overflow io
scheduler max-task-time 5000
scheduler allocate 20000 1000
! Login brute-force protection: 6 failures within 60 s blocks logins for 300 s, except from the management ACL
login block-for 300 attempts 6 within 60
access-list 1330 permit [management devices] log
login quiet-mode access-class 1330
login on-failure log
login on-success log
login delay 5
Under the interfaces-
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip information-reply
 no ip mask-reply
! Note: "ip options drop" is a global configuration command (it applies to all interfaces), not an interface command
ip options drop
I also create a management VRF. There are of course misc items like AAA, logging, banner, access classes, NTP, SSH etc. On a recent job I did create a VRF specifically for BGP and left the global routing for management. I've been meaning to put all this together so I'll try and do that, then post the URL for future visitors.
*Note that the ASR does not yet support (even though it was roadmapped, grrr) object groups for ACLs.
01-12-2014 03:52 AM
Hello Collin, thanks for your reply. I'm interested in the public Internet ACLs and the BGP filters; is there an example including filtering bogons?
Can't get to these, btw...
https://supportforums.cisco.com/people/Collin_Clark/blog/2013/11/08/control-plane-protection-cppr
https://supportforums.cisco.com/people/Collin_Clark/blog/2013/07/15/public-internet-facing-acl
It appears you're not allowed to view what you requested. You might contact your administrator if you think this is a mistake.
Thank you
01-11-2014 08:23 AM
As far as QoS inbound goes... I'm curious what others are doing. I recently had a customer (a school) that had a DDoS attack of flooded traffic. All the traffic had the same destination IP and port. The port wasn't a well-known one, so it was a traffic flood DDoS. Gigs of traffic were being sent. All that we could do was call the ISP and ask them to police that traffic. That worked, but we can't rely on our ISPs to continuously filter/police/shape all the DDoS stuff we see. I hope there is a solution out there that I don't know about. By the time traffic gets to our edge, there isn't much we can do (for traffic floods at least).
01-12-2014 03:56 AM
This is a worry... Actually, primarily we were worried about the incoming (returning) traffic from user web browsing being a big hitter, and we need to allow for our hosted services to still be available.
Anyone out there got any ideas please share!
01-12-2014 11:05 AM
Shaping outgoing traffic will probably best "control" the amount of traffic coming back in. However downloads and streaming can eat up your bandwidth. You could shape/police those inbound as well. NBAR would be very helpful with the QoS policy.
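One way to express the shaping/policing split described in this reply in IOS MQC, as an added example rather than the replier's own configuration; the interface name, the rates and the NBAR protocols in the bulk class are assumptions, and BGP/OSPF are classified first so that neither policy can touch them, which was the original concern.

```cisco
! Added example, not the poster's config. Interface name, rates and the
! protocols in BULK-IN are assumptions.
! Routing protocols get their own class so no shaper or policer can drop them.
class-map match-any ROUTING
 match protocol bgp
 match protocol ospf
!
! NBAR classes for the download/streaming traffic the reply mentions.
class-map match-any BULK-IN
 match protocol http
 match protocol ftp
 match protocol rtsp
!
! Outbound: hierarchical policy that shapes the 1 Gb link to 900 Mb/s and
! reserves bandwidth for routing inside the shaped queue.
policy-map WAN-OUT-CHILD
 class ROUTING
  bandwidth percent 5
 class class-default
  fair-queue
policy-map WAN-OUT
 class class-default
  shape average 900000000
  service-policy WAN-OUT-CHILD
!
! Inbound: shaping is not possible on ingress, so only the bulk class is
! policed; ROUTING matches first and is left untouched.
policy-map WAN-IN
 class ROUTING
 class BULK-IN
  police cir 600000000
   conform-action transmit
   exceed-action drop
 class class-default
!
interface GigabitEthernet0/0
 description Internet uplink (assumed interface name)
 service-policy output WAN-OUT
 service-policy input WAN-IN
```

Inbound policing only discards packets that have already crossed the link, so it protects the router and the hosts behind it rather than the pipe itself, which is why this reply shapes outbound and the earlier one had to ask the ISP to police the flood.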
01-12-2014 10:44 AM
Control plane policy, of course
BGP MD5
TACACS
Syslog
An agreement with your upstream provider on blackhole destination and source routing advertisements, and uRPF.
Also an inbound ACL filtering the private addresses as source, spoofed from the Internet
And what the others said :)
Sent from Cisco Technical Support iPhone App
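Putting the BGP controls from Collin's post (password with the ISP, prefix-list filters in and out) together with the uRPF and anti-spoofing inbound ACL from the reply above into one edge-router fragment, as an added example that is not from any of the posters or from the linked documents; the AS numbers, addresses, interface name and the three advertised prefixes are placeholders from RFC 5737 / RFC 6996 space.

```cisco
! Added example, not the posters' config; ASNs, addresses, interface name and
! prefixes are placeholders. Outbound filter: only our three ranges are ever
! advertised (every prefix-list ends in an implicit deny).
ip prefix-list OUR-PREFIXES-OUT seq 10 permit 192.0.2.0/24
ip prefix-list OUR-PREFIXES-OUT seq 20 permit 198.51.100.0/24
ip prefix-list OUR-PREFIXES-OUT seq 30 permit 203.0.113.0/24
! Inbound filter: the ISP is expected to send a default route and nothing else.
ip prefix-list DEFAULT-ONLY-IN seq 10 permit 0.0.0.0/0
!
router bgp 64496
 bgp log-neighbor-changes
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 password BGP-MD5-SECRET-PLACEHOLDER
 ! GTSM must be enabled by the ISP as well, otherwise the session will not come up
 neighbor 192.0.2.1 ttl-security hops 1
 neighbor 192.0.2.1 prefix-list DEFAULT-ONLY-IN in
 neighbor 192.0.2.1 prefix-list OUR-PREFIXES-OUT out
 neighbor 192.0.2.1 maximum-prefix 5 restart 5
 network 192.0.2.0 mask 255.255.255.0
 network 198.51.100.0 mask 255.255.255.0
 network 203.0.113.0 mask 255.255.255.0
!
! Edge ACL: permit the BGP session explicitly first, then drop packets whose
! source can never legitimately arrive from the Internet: private space,
! loopback, link-local, 0/8 and our own prefixes (i.e. spoofed).
ip access-list extended INTERNET-IN
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 198.51.100.0 0.0.0.255 any log
 deny   ip 203.0.113.0 0.0.0.255 any log
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet uplink (assumed interface name)
 ip address 192.0.2.2 255.255.255.252
 ip access-group INTERNET-IN in
 ! Loose-mode uRPF with allow-default: with only a default route from the ISP
 ! this drops exactly the sources you later route to Null0 (source-based
 ! blackholing) without breaking asymmetric Internet traffic.
 ip verify unicast source reachable-via any allow-default
```

The `network` statements only originate prefixes that already exist in the routing table, so each advertised range normally needs a matching pull-up static route to Null0 (or an equivalent aggregate) on the router.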
01-12-2014 11:02 AM
I built the document. Check it out here https://supportforums.cisco.com/docs/DOC-39394