Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Bogon and Martian blocking on L3 Switch

I've been asked to enter "Bogon and Maritan" blocking on our Cisco 4948.  I'm somewhat familar with what the addresses are but at a loss on how to create a simple ACL for them.  Do you have any information of this topic?  A sample configuration would be great!

Thank you,

Charlie

2 REPLIES
Gold

Re: Bogon and Martian blocking on L3 Switch

It depends on what kind of bogon information you need to block. The following addresses Martians, which are private and reserved addresses.  Other bogon addresses would be netblocks that have not been allocated to a regional internet registry.  A good reference site for these would be Team Cymru's Bogon Reference page at http://www.team-cymru.org/Services/Bogons/

If you are trying to defeat denial-of-service attacks where IP source addresses are spoofed using bogus numbers (refer to BCP38 or RFC2827), an ACL on the outside interface of an Internet-facing router could look something like this:

ip access-list extended ISP-IN

remark This ACL restricts traffic inbound from ISP.

remark Block bogus source IP addresses.
deny   ip 0.0.0.0 0.255.255.255 any
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 169.254.0.0 0.0.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.0.2.0 0.0.0.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 224.0.0.0 31.255.255.255 any
remark Block your own public IP numbers as source IP addresses.  They shouldn't be coming in from the Internet.
deny   ip xxx.xxx.xxx.xxx 0.0.0.255 any

deny   ip host yyy.yyy.yyy.yyy any

remark Permit anything to authorized destination IP addresses.

permit ip any xxx.xxx.xxx.xxx 0.0.0.255

permit ip any host yyy.yyy.yyy.yyy

remark Block everything else.
deny   ip any any

exit

interface Ethernet0/0

description Outside ISP connection.

ip address yyy.yyy.yyy.yyy 255.255.255.252

ip access-group ISP-IN in

exit

If you are trying to keep bogus IPs from leaving your network, an ACL on the outside interface of an Internet-facing router could look something like this:

ip access-list extended ISP-OUT

remark This ACL restricts traffic outbound to ISP.

remark Block bogus source IP addresses.  These should not be leaving your network and going to the Internet.
deny   ip 0.0.0.0 0.255.255.255 any
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 169.254.0.0 0.0.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.0.2.0 0.0.0.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 224.0.0.0 31.255.255.255 any
remark Block bogus destination IP addresses.  You shouldn't be trying to reach these out on the Internet.
deny   ip any 0.0.0.0 0.255.255.255
deny   ip any 10.0.0.0 0.255.255.255
deny   ip any 127.0.0.0 0.255.255.255
deny   ip any 169.254.0.0 0.0.255.255
deny   ip any 172.16.0.0 0.15.255.255
deny   ip any 192.0.2.0 0.0.0.255
deny   ip any 192.168.0.0 0.0.255.255
permit ip any host 255.255.255.255
deny   ip any 224.0.0.0 31.255.255.255
remark Block your own public IP numbers as destination IP addresses.
deny   ip any xxx.xxx.xxx.xxx 0.0.0.255

deny   ip any host yyy.yyy.yyy.yyy

remark Permit anything from authorized source IP addresses.

permit ip xxx.xxx.xxx.xxx 0.0.0.255 any

permit ip host yyy.yyy.yyy.yyy any

remark Block everything else.
deny   ip any any

exit

interface Ethernet0/0

description Outside ISP connection.

ip  address yyy.yyy.yyy.yyy 255.255.255.252

ip access-group ISP-IN  in

ip access-group ISP-OUT out

exit

Periodically check what's being denied by running a "show ip access-list" command.  If necessary, edit the ACL to log information so you can see specifics of what's being blocked.  It can be useful to see what kinds of attacks you are receiving; or what kind of problems you may have inside your network, that are trying to leak out to the Internet.

If you want to keep your L3 switch from wasting time routing to bogus IPs as destinations, you can set up a Null interface and then statically route the bogus traffic to it (black-holes it with minimal CPU involvement):

interface Null0

no ip unreachables

exit

ip route 10.0.0.0 255.0.0.0 Null0 250 name RFC1918

ip route 127.0.0.0 255.0.0.0 Null0 name InternalLoopbackIPs

ip route 169.254.0.0 255.255.0.0 Null0 name AutoConfigurationIPs

ip route 172.16.0.0 255.240.0.0 Null0 250 name RFC1918

ip route 192.168.0.0 255.255.0.0 Null0 250 name RFC1918

ip route 192.0.2.0 255.255.255.0 Null0 name TestNetwork

Note that these won't keep you from routing to subnets of those RFC1918 private IP address spaces, if you are using them behind a firewall.  The more-specific routes in the route tables for these will take precedence over the static routes above.  But these routes will keep your L3 switch from wasting any time trying to reach any other, unconfigured, private IP networks.

Hopefully that's what you're looking for.  If you need more information, like how to configure a BGP router from accepting bogon routes from other ISPs, there are several ways to do that.  I'll save them for a separate post.  But they basically follow the same pattern as outlined above: deny the bogus route information first, then permit the authorized route information.

Gold

Re: Bogon and Martian blocking on L3 Switch

First, here is some light reading. It will give you a sense of what truly constitutes a bogon.

http://www.team-cymru.org/Services/Bogons/

Second, after you read, see if you can come up with an efficient ACL that will block the addresses.

I'm sure some of our peers here will spot any error..

3554
Views
5
Helpful
2
Replies
CreatePlease to create content