06-24-2010 12:36 PM - edited 03-06-2019 11:44 AM
I've been asked to enter "Bogon and Martian" blocking on our Cisco 4948. I'm somewhat familiar with what the addresses are but at a loss on how to create a simple ACL for them. Do you have any information on this topic? A sample configuration would be great!
Thank you,
Charlie
06-24-2010 03:40 PM
It depends on what kind of bogon information you need to block. The following addresses Martians, which are private and reserved addresses. Other bogon addresses would be netblocks that have not been allocated to a regional internet registry. A good reference site for these would be Team Cymru's Bogon Reference page at http://www.team-cymru.org/Services/Bogons/
If you are trying to defeat denial-of-service attacks where IP source addresses are spoofed using bogus numbers (refer to BCP38 or RFC2827), an ACL on the outside interface of an Internet-facing router could look something like this:
ip access-list extended ISP-IN
remark This ACL restricts traffic inbound from ISP.
remark Block bogus source IP addresses.
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
remark Block your own public IP numbers as source IP addresses. They shouldn't be coming in from the Internet.
deny ip xxx.xxx.xxx.xxx 0.0.0.255 any
deny ip host yyy.yyy.yyy.yyy any
remark Permit anything to authorized destination IP addresses.
permit ip any xxx.xxx.xxx.xxx 0.0.0.255
permit ip any host yyy.yyy.yyy.yyy
remark Block everything else.
deny ip any any
exit
interface Ethernet0/0
description Outside ISP connection.
ip address yyy.yyy.yyy.yyy 255.255.255.252
ip access-group ISP-IN in
exit
If you are trying to keep bogus IPs from leaving your network, an ACL on the outside interface of an Internet-facing router could look something like this:
ip access-list extended ISP-OUT
remark This ACL restricts traffic outbound to ISP.
remark Block bogus source IP addresses. These should not be leaving your network and going to the Internet.
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
remark Block bogus destination IP addresses. You shouldn't be trying to reach these out on the Internet.
deny ip any 0.0.0.0 0.255.255.255
deny ip any 10.0.0.0 0.255.255.255
deny ip any 127.0.0.0 0.255.255.255
deny ip any 169.254.0.0 0.0.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.0.2.0 0.0.0.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any host 255.255.255.255
deny ip any 224.0.0.0 31.255.255.255
remark Block your own public IP numbers as destination IP addresses.
deny ip any xxx.xxx.xxx.xxx 0.0.0.255
deny ip any host yyy.yyy.yyy.yyy
remark Permit anything from authorized source IP addresses.
permit ip xxx.xxx.xxx.xxx 0.0.0.255 any
permit ip host yyy.yyy.yyy.yyy any
remark Block everything else.
deny ip any any
exit
interface Ethernet0/0
description Outside ISP connection.
ip address yyy.yyy.yyy.yyy 255.255.255.252
ip access-group ISP-IN in
ip access-group ISP-OUT out
exit
Periodically check what's being denied by running a "show ip access-list" command. If necessary, edit the ACL to log information so you can see specifics of what's being blocked. It can be useful to see what kinds of attacks you are receiving; or what kind of problems you may have inside your network, that are trying to leak out to the Internet.
If you want to keep your L3 switch from wasting time routing to bogus IPs as destinations, you can set up a Null interface and then statically route the bogus traffic to it (black-holes it with minimal CPU involvement):
interface Null0
no ip unreachables
exit
ip route 10.0.0.0 255.0.0.0 Null0 250 name RFC1918
ip route 127.0.0.0 255.0.0.0 Null0 name InternalLoopbackIPs
ip route 169.254.0.0 255.255.0.0 Null0 name AutoConfigurationIPs
ip route 172.16.0.0 255.240.0.0 Null0 250 name RFC1918
ip route 192.168.0.0 255.255.0.0 Null0 250 name RFC1918
ip route 192.0.2.0 255.255.255.0 Null0 name TestNetwork
Note that these won't keep you from routing to subnets of those RFC1918 private IP address spaces, if you are using them behind a firewall. The more-specific routes in the route tables for these will take precedence over the static routes above. But these routes will keep your L3 switch from wasting any time trying to reach any other, unconfigured, private IP networks.
Hopefully that's what you're looking for. If you need more information, like how to keep a BGP router from accepting bogon routes from other ISPs, there are several ways to do that. I'll save them for a separate post. But they basically follow the same pattern as outlined above: deny the bogus route information first, then permit the authorized route information.
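An added example (not code from the thread or from Cisco) that converts CIDR prefixes into the wildcard form the ACL lines above use, parses an abbreviated copy of the ISP-OUT list into first-match entries, and evaluates sample packets against it, so you can check the ordering (for instance that the broadcast permit sits before the multicast deny) before pasting it into a switch. 203.0.113.0/24 is assumed in place of the post's xxx.xxx.xxx.xxx placeholder.

```python
import ipaddress

def cidr_to_wildcard(prefix):
    """'172.16.0.0/12' -> '172.16.0.0 0.15.255.255', the form the ACL lines use."""
    net = ipaddress.ip_network(prefix, strict=False)
    return f"{net.network_address} {net.hostmask}"

def _parse_addr(tokens):
    # One address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (base, wildcard).
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.ip_address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.ip_address(tokens[0])),
            int(ipaddress.ip_address(tokens[1]))), tokens[2:]

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines in order; remarks are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        src, rest = _parse_addr(tokens[2:])   # tokens[1] is the protocol ('ip')
        dst, _ = _parse_addr(rest)
        entries.append((tokens[0], src, dst))
    return entries

def _matches(ip, spec):
    base, wildcard = spec
    # Cisco wildcard semantics: a 1 bit in the wildcard means "don't care".
    return (int(ipaddress.ip_address(ip)) | wildcard) == (base | wildcard)

def evaluate(entries, src, dst):
    """First matching entry wins; a Cisco ACL ends with an implicit deny."""
    for action, s, d in entries:
        if _matches(src, s) and _matches(dst, d):
            return action
    return "deny"

# Abbreviated ISP-OUT from the post. 203.0.113.0/24 stands in for the
# xxx.xxx.xxx.xxx placeholder (assumption: a documentation range).
ISP_OUT = """remark Block bogus source and destination IP addresses.
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip any 10.0.0.0 0.255.255.255
permit ip any host 255.255.255.255
deny ip any 224.0.0.0 31.255.255.255
permit ip 203.0.113.0 0.0.0.255 any
deny ip any any"""
ISP_OUT_ENTRIES = parse_acl(ISP_OUT)
```

Feed the Team Cymru list through cidr_to_wildcard to produce the deny lines, then run your real addresses through evaluate to confirm legitimate traffic still gets a permit.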
06-24-2010 03:41 PM
First, here is some light reading. It will give you a sense of what truly constitutes a bogon.
http://www.team-cymru.org/Services/Bogons/
Second, after you read, see if you can come up with an efficient ACL that will block the addresses.
I'm sure some of our peers here will spot any error.