Solved: what type(s) of ACL usually must be put on a Cisco L3 switch facig the Internet (infront of a FW)?

m-abooali · ‎03-14-2018

Hi,

I have a Cisco 3550 facing the Internet in front of a FW. what type(s) of generic ACLS should be configured on it? I mean is there a set of general ACLs to make sure no spoofing and other forms of attacks takes place?

thank you,

Masood

Reza Sharifi · ‎03-14-2018

Hi,

It depends on your environment but you can start with These. In addition, you probably want to block ICMP, Telnet, SSH, NTP from outside to your public IP. If you have to allow anything to access the device, it should only be SSH.

Here is also a site that abusive IP are being reported to, so you may want to block them if these IPs don't need to reach your internal network.

https://www.abuseipdb.com/

deny ip 192.0.2.0 0.0.0.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 31.255.255.255 any l
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any

It is also a good practice to be selective in your alow list and allow any what you need to allow and no more (e.g https, HTTP, etc..).

HTH

View solution in original post

Georg Pauwen · ‎03-14-2018

Hello,

the below is usually used for anti spoofing. The last line, permit ip any any, should be replaced with your own internal IP range:

ip access-list extended ANTI_SPOOF
deny ip 10.0.0.0 0.255.255.255 --> RFC1918 Private Range
deny ip 172.16.0.0 0.15.255.255 any --> RFC1918 Private Range
deny ip 192.168.0.0 0.0.255.255 any --> RFC1918 Private Range
deny ip 224.0.0.0 31.255.255.255 any --> Multicast Range
deny ip 127.0.0.0 0.255.255.255 any --> RF3330 Loopback Range
deny ip 169.254.0.0 0.0.255.255 any --> MS Windows Loopback Range
permit ip any any

View solution in original post

Reza Sharifi · ‎03-14-2018

Then you apply the ACLs to the SVI.

HTH

View solution in original post

Reza Sharifi · ‎03-14-2018

Hi,

It depends on your environment but you can start with These. In addition, you probably want to block ICMP, Telnet, SSH, NTP from outside to your public IP. If you have to allow anything to access the device, it should only be SSH.

Here is also a site that abusive IP are being reported to, so you may want to block them if these IPs don't need to reach your internal network.

https://www.abuseipdb.com/

deny ip 192.0.2.0 0.0.0.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 31.255.255.255 any l
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any

It is also a good practice to be selective in your alow list and allow any what you need to allow and no more (e.g https, HTTP, etc..).

HTH

Reza Sharifi · ‎03-14-2018

Also

http://www.team-cymru.org/bogon-dotted-decimal.html

HTH

m-abooali · ‎03-14-2018

Thank you.

m-abooali · ‎03-14-2018

Thanks,

Since this is a SW and WAN ckt is an Ethernet configured as truck, how do I bound access-group to such interface? Its not a normal router.

Regards,

Masood

Georg Pauwen · ‎03-14-2018

Hello,

the below is usually used for anti spoofing. The last line, permit ip any any, should be replaced with your own internal IP range:

ip access-list extended ANTI_SPOOF
deny ip 10.0.0.0 0.255.255.255 --> RFC1918 Private Range
deny ip 172.16.0.0 0.15.255.255 any --> RFC1918 Private Range
deny ip 192.168.0.0 0.0.255.255 any --> RFC1918 Private Range
deny ip 224.0.0.0 31.255.255.255 any --> Multicast Range
deny ip 127.0.0.0 0.255.255.255 any --> RF3330 Loopback Range
deny ip 169.254.0.0 0.0.255.255 any --> MS Windows Loopback Range
permit ip any any

Joseph W. Doherty · ‎03-14-2018

You could consider blocking almost all traffic from anywhere to any IP address on the switch on all interfaces. Exceptions would be for specific kinds of traffic from/to specific IPs.

For example, on the non-Internet facing interface, you might allow SSH traffic to just that interface's IP if sourced from specific IPs and/or networks.

Further examples:

int fe0
desc outside
ip address <public>
ip access-group in outside

int fe1
desc inside
ip address <private>
ip access-group in inside

ip access-list extended outside
deny ip any host <public>
deny ip any host <private>
permit ip any any

ip access-list extended outside
deny ip any host <public>
permit tcp any host <private) eq telnet
deny ip any host <private>
permit ip any any

m-abooali · ‎03-14-2018

by <private> and <public> you mean specific IP or IP range?

how about just the Internet facing interface which is trunk associated with a SVI INTERFACE.

Reza Sharifi · ‎03-14-2018

Then you apply the ACLs to the SVI.

HTH

m-abooali · ‎03-14-2018

Thank you.

best Regards,

Masood

Joseph W. Doherty · ‎03-15-2018

Well, as Reza noted, you could (and should) apply to the SVI, but again, I recommend you apply an ACL to any interface (excluding loopbacks) with an IP. The fact that an interface doesn't directly face the Internet increases the difficulty of attacking from the Internet, but it may not fully preclude it.

Also, if I didn't make in clear, such ACLs should start by denying everything, and they you're very careful with what you permit.

Although you only asked about an Internet facing interface, you should also follow other best practices to harden the device, such as disabling services not needed and/or using ACLs on services that use/allow them (like VTY, SNMP).

m-abooali · ‎03-15-2018

Thank you!

While i understand the facts you outlined, i still do not see what IPs i need to give not Internet facing ports? In what fashion? They are switchports.

Best Regard,

Joseph W. Doherty · ‎03-15-2018

Switchports don't have IPs on them, right?

SVI and/or routed ports do have IPs. Those are doorways to your device. It's those you want your first layer of defense, i.e. an ACL.

m-abooali · ‎03-15-2018

Thank you.