Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

Border Router ACL and Good Practices

Admittedly my question is not only subjective but your answers may also differ based on your specific network's use... but here goes:

In the past our network has just relied on the IP Firewall Feature Set of Cisco IOS. We now have a PIX 515e pair that will providing us with security, located just behind the border routers. Now that we are going to be using the PIX pair I would imagine we can safely reduce the number of ACL entries on the routers.

Web hosting and server hosting is primarily what we do - primarily http, smtp, pop3, dns and a few others is pretty much all we need. Unfortunately our current ACL has some specific entries related to clients' servers, etc, that it isn't as easy as just allowing a handful or ports and deny everything else. I think we are probably going to need to deny a handful of protcols/ip-blocks and allow everything else in (and then let the PIX pair to their work.)

What services should I explicitly block by default? What net blocks such as 10.0.0.0, 172.16.0.0, 192.168.0.0 should I block? How about Unicast Reverse Path Forwarding (we will be running BGP so I guess I'll need loose mode)? Denying our own block(s) back in.... Any other "obvious" items I should address?

I'm so used to the main external interface on these routers having a heavy ACL applied to them that it is a strange concept opening them up. I could obviously just keep my existing ACL for a while but I'd rather let the PIXs do that work. Thanks for any advice,

Hutch

4 REPLIES
Purple

Re: Border Router ACL and Good Practices

Hi Hutch,

A great starting point is the Secure IOS Template produced by the maintainers of the BOGONs list:

http://www.cymru.com/Documents/secure-ios-template.html

It has a number of IOS security features built in as well as ACLs that block bogons...

Hope that helps - pls rate the post if it does.

New Member

Re: Border Router ACL and Good Practices

Thanks for the link - I felt a little foolish posting that (very subjective) question, but this is a great start for me. Exactly what I was looking for.

Thanks,

Hutch

New Member

Re: Border Router ACL and Good Practices

Why would you route the bogons to null0 if you have them denied in a ACL already? Should you do both or one or the other? The only reason I can think of is to save on latency because the packet will not be handled by the ACL and would be routed to a black whole directly in with no way out. Could there be any issues with BGP?

Thanks,

Matthew

Re: Border Router ACL and Good Practices

The ACL is for outside host while the Null is for inside host.

209
Views
0
Helpful
4
Replies
CreatePlease to create content