Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
827
Views
0
Helpful
13
Replies

what type(s) of ACL usually must be put on a Cisco L3 switch facig the Internet (infront of a FW)?

Go to solution
m-abooali
Level 4
Level 4

‎03-14-2018 09:39 AM - edited ‎03-08-2019 02:15 PM

Hi,

 

I have a Cisco 3550 facing the Internet in front of a FW. what type(s) of generic ACLS should be configured on it? I mean is there a set of general ACLs to make sure no spoofing and other forms of attacks takes place?

 

thank you,

 

Masood

Labels:
0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame

‎03-14-2018 10:42 AM - edited ‎03-14-2018 10:44 AM

Hi,

It depends on your environment but you can start with These. In addition, you probably want to block ICMP, Telnet, SSH, NTP from outside to your public IP. If you have to allow anything to access the device, it should only be SSH.

Here is also a site that abusive IP are being reported to, so you may want to block them if these IPs don't need to reach your internal network.

https://www.abuseipdb.com/

deny ip 192.0.2.0 0.0.0.255 any 
deny ip 127.0.0.0 0.255.255.255 any 
deny ip 224.0.0.0 31.255.255.255 any l
deny ip 10.0.0.0 0.255.255.255 any 
deny ip 172.16.0.0 0.15.255.255 any 
deny ip 192.168.0.0 0.0.255.255 any 

It is also a good practice to be selective in your alow list and allow any what you need to allow and no more (e.g https, HTTP, etc..).

HTH

View solution in original post

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP

‎03-14-2018 10:46 AM

Hello,

 

the below is usually used for anti spoofing. The last line, permit ip any any, should be replaced with your own internal IP range:

 

ip access-list extended ANTI_SPOOF
deny ip 10.0.0.0 0.255.255.255 --> RFC1918 Private Range
deny ip 172.16.0.0 0.15.255.255 any --> RFC1918 Private Range
deny ip 192.168.0.0 0.0.255.255 any --> RFC1918 Private Range
deny ip 224.0.0.0 31.255.255.255 any --> Multicast Range
deny ip 127.0.0.0 0.255.255.255 any --> RF3330 Loopback Range
deny ip 169.254.0.0 0.0.255.255 any --> MS Windows Loopback Range
permit ip any any

View solution in original post

0 Helpful

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame
In response to m-abooali

‎03-14-2018 10:56 AM

Then you apply the ACLs to the SVI.

HTH

View solution in original post

0 Helpful
13 Replies 13

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame

‎03-14-2018 10:42 AM - edited ‎03-14-2018 10:44 AM

Hi,

It depends on your environment but you can start with These. In addition, you probably want to block ICMP, Telnet, SSH, NTP from outside to your public IP. If you have to allow anything to access the device, it should only be SSH.

Here is also a site that abusive IP are being reported to, so you may want to block them if these IPs don't need to reach your internal network.

https://www.abuseipdb.com/

deny ip 192.0.2.0 0.0.0.255 any 
deny ip 127.0.0.0 0.255.255.255 any 
deny ip 224.0.0.0 31.255.255.255 any l
deny ip 10.0.0.0 0.255.255.255 any 
deny ip 172.16.0.0 0.15.255.255 any 
deny ip 192.168.0.0 0.0.255.255 any 

It is also a good practice to be selective in your alow list and allow any what you need to allow and no more (e.g https, HTTP, etc..).

HTH

0 Helpful

Go to solution
m-abooali
Level 4
Level 4
In response to Reza Sharifi

‎03-14-2018 10:49 AM

Thank you.


0 Helpful

Go to solution
m-abooali
Level 4
Level 4
In response to Reza Sharifi

‎03-14-2018 10:47 AM

Thanks,





Since this is a SW and WAN ckt is an Ethernet configured as truck, how do I bound access-group to such interface? Its not a normal router.



Regards,



Masood


0 Helpful

Go to solution
Georg Pauwen
VIP
VIP

‎03-14-2018 10:46 AM

Hello,

 

the below is usually used for anti spoofing. The last line, permit ip any any, should be replaced with your own internal IP range:

 

ip access-list extended ANTI_SPOOF
deny ip 10.0.0.0 0.255.255.255 --> RFC1918 Private Range
deny ip 172.16.0.0 0.15.255.255 any --> RFC1918 Private Range
deny ip 192.168.0.0 0.0.255.255 any --> RFC1918 Private Range
deny ip 224.0.0.0 31.255.255.255 any --> Multicast Range
deny ip 127.0.0.0 0.255.255.255 any --> RF3330 Loopback Range
deny ip 169.254.0.0 0.0.255.255 any --> MS Windows Loopback Range
permit ip any any

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

‎03-14-2018 10:49 AM

You could consider blocking almost all traffic from anywhere to any IP address on the switch on all interfaces. Exceptions would be for specific kinds of traffic from/to specific IPs.

For example, on the non-Internet facing interface, you might allow SSH traffic to just that interface's IP if sourced from specific IPs and/or networks.

Further examples:

int fe0
desc outside
ip address <public>
ip access-group in outside

int fe1
desc inside
ip address <private>
ip access-group in inside

ip access-list extended outside
deny ip any host <public>
deny ip any host <private>
permit ip any any

ip access-list extended outside
deny ip any host <public>
permit tcp any host <private) eq telnet
deny ip any host <private>
permit ip any any
0 Helpful

Go to solution
m-abooali
Level 4
Level 4
In response to Joseph W. Doherty

‎03-14-2018 10:52 AM

by <private> and <public> you mean specific IP or IP range?

how about just the Internet facing interface which is trunk associated with a SVI INTERFACE.
0 Helpful

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame
In response to m-abooali

‎03-14-2018 10:56 AM

Then you apply the ACLs to the SVI.

HTH

0 Helpful

Go to solution
m-abooali
Level 4
Level 4
In response to Reza Sharifi

‎03-14-2018 10:57 AM

Thank you.

 

best Regards,

 

Masood

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to m-abooali

‎03-15-2018 03:02 AM

Well, as Reza noted, you could (and should) apply to the SVI, but again, I recommend you apply an ACL to any interface (excluding loopbacks) with an IP. The fact that an interface doesn't directly face the Internet increases the difficulty of attacking from the Internet, but it may not fully preclude it.

Also, if I didn't make in clear, such ACLs should start by denying everything, and they you're very careful with what you permit.

Although you only asked about an Internet facing interface, you should also follow other best practices to harden the device, such as disabling services not needed and/or using ACLs on services that use/allow them (like VTY, SNMP).
0 Helpful

Go to solution
m-abooali
Level 4
Level 4
In response to Joseph W. Doherty

‎03-15-2018 06:27 AM

Thank you!

While i understand the facts you outlined, i still do not see what IPs i need to give not Internet facing ports? In what fashion? They are switchports.

Best Regard,
0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to m-abooali

‎03-15-2018 06:53 AM

Switchports don't have IPs on them, right?

SVI and/or routed ports do have IPs. Those are doorways to your device. It's those you want your first layer of defense, i.e. an ACL.
0 Helpful

Go to solution
m-abooali
Level 4
Level 4
In response to Joseph W. Doherty

‎03-15-2018 07:19 AM

Thank you.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card