For those who missed the security policies post - Catch It Here
[Figure: eBrahma ACL network diagram]
Router#configure terminal
!Angle-bracketed values are placeholders; replace them with your own addresses.
!A subnet is written as a network address followed by its wildcard mask.
!Add anti-spoofing entries.
!Deny special-use address sources.
!Refer to RFC 3330 for additional special-use addresses.
Router(config)#access-list 110 deny ip 127.0.0.0 0.255.255.255 any
Router(config)#access-list 110 deny ip 192.0.2.0 0.0.0.255 any
Router(config)#access-list 110 deny ip 224.0.0.0 31.255.255.255 any
Router(config)#access-list 110 deny ip host 255.255.255.255 any
!The deny statement below should not be configured
!on Dynamic Host Configuration Protocol (DHCP) relays.
Router(config)#access-list 110 deny ip host 0.0.0.0 any
!Filter RFC 1918 space.
Router(config)#access-list 110 deny ip 10.0.0.0 0.255.255.255 any
Router(config)#access-list 110 deny ip 172.16.0.0 0.15.255.255 any
Router(config)#access-list 110 deny ip 192.168.0.0 0.0.255.255 any
!Permit Border Gateway Protocol (BGP) to the edge router.
Router(config)#access-list 110 permit tcp host <bgp_peer_ip> gt 1023 host <edge_router_ip> eq bgp
Router(config)#access-list 110 permit tcp host <bgp_peer_ip> eq bgp host <edge_router_ip> gt 1023
!Deny your own address space as a source (as noted in RFC 2827).
Router(config)#access-list 110 deny ip <your_internet_routable_subnet> <wildcard_mask> any
!Explicitly permit return traffic. Allow specific ICMP types.
Router(config)#access-list 110 permit icmp any any echo-reply
Router(config)#access-list 110 permit icmp any any unreachable
Router(config)#access-list 110 permit icmp any any time-exceeded
Router(config)#access-list 110 deny icmp any any
!Replies to outgoing DNS queries (source port 53 to the resolver's high ports) are shown below.
Router(config)#access-list 110 permit udp any eq 53 host <primary_dns_server_ip> gt 1023
!Permit older DNS queries and replies (source port 53 to port 53) to the primary DNS server.
Router(config)#access-list 110 permit udp any eq 53 host <primary_dns_server_ip> eq 53
!Permit legitimate business traffic.
Router(config)#access-list 110 permit tcp any <internet_routable_subnet> <wildcard_mask> established
Router(config)#access-list 110 permit udp any range 1 1023 <internet_routable_subnet> <wildcard_mask> gt 1023
!Internet-sourced connections to publicly accessible servers are shown below.
Router(config)#access-list 110 permit tcp any host <public_web_server_ip> eq 80
Router(config)#access-list 110 permit tcp any host <public_web_server_ip> eq 443
Router(config)#access-list 110 permit tcp any host <public_ftp_server_ip> eq 21
!Data connections to the FTP server are allowed
!by the permit established ACE.
!Allow PASV data connections to the FTP server.
Router(config)#access-list 110 permit tcp any gt 1023 host <public_ftp_server_ip> gt 1023
Router(config)#access-list 110 permit tcp any host <public_smtp_server_ip> eq 25
!Explicitly deny all other traffic.
!(The last entry must belong to access-list 110; the original listing wrote 101, which would put it in a different ACL.)
Router(config)#access-list 110 deny ip any any
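To see how IOS actually walks this list (top to bottom, first match wins, implicit deny at the end, wildcard bits of 1 meaning "don't care"), here is a small first-match evaluator over a subset of the ACEs above, run against a few constructed inbound packets. This is an added example written for this page, not code from the original post or from Cisco; the post's placeholders are filled with constructed RFC 5737 documentation addresses (198.51.100.0/24 as "your Internet-routable subnet", .10 as the web server, .53 as the DNS server), and the BGP, FTP and SMTP entries are left out to keep the block short.

```python
"""First-match evaluator for the edge ACL above (added example, not from the post).
Addresses are constructed documentation values, not real infrastructure."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Tuple

# Constructed stand-ins for the post's placeholders.
OUR_SUBNET = ("198.51.100.0", "0.0.0.255")   # <your_internet_routable_subnet> <wildcard_mask>
WEB_SERVER = "198.51.100.10"                 # <public_web_server_ip>
DNS_SERVER = "198.51.100.53"                 # <primary_dns_server_ip>
ANY = ("0.0.0.0", "255.255.255.255")         # IOS keyword "any"

def host(ip: str) -> Tuple[str, str]:
    """IOS "host x.x.x.x" is x.x.x.x with an all-zero wildcard mask."""
    return (ip, "0.0.0.0")

@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp" or "icmp"
    src: Tuple[str, str]            # (address, wildcard mask)
    dst: Tuple[str, str]
    sport: Optional[tuple] = None   # ("eq", 53), ("gt", 1023) or ("range", 1, 1023)
    dport: Optional[tuple] = None
    established: bool = False       # requires TCP ACK or RST bit set
    icmp_type: Optional[str] = None

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_set: bool = False           # True for TCP segments carrying ACK or RST
    icmp_type: Optional[str] = None

def addr_match(spec: Tuple[str, str], ip: str) -> bool:
    """Wildcard bits set to 1 are ignored; only the 0 bits must be equal."""
    addr, wild = (int(ip_address(a)) for a in spec)
    care = ~wild & 0xFFFFFFFF
    return (int(ip_address(ip)) & care) == (addr & care)

PORT_OPS = {"eq": lambda p, a: p == a[0], "gt": lambda p, a: p > a[0],
            "range": lambda p, a: a[0] <= p <= a[1]}

def port_match(spec: Optional[tuple], port: int) -> bool:
    return spec is None or PORT_OPS[spec[0]](port, spec[1:])

def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (addr_match(ace.src, pkt.src) and addr_match(ace.dst, pkt.dst)):
        return False
    if ace.proto == "icmp":
        return ace.icmp_type is None or ace.icmp_type == pkt.icmp_type
    if ace.established and not pkt.ack_set:
        return False
    return port_match(ace.sport, pkt.sport) and port_match(ace.dport, pkt.dport)

def evaluate(acl, pkt: Packet):
    """Return (1-based position, action) of the first matching ACE, or
    (None, "deny") for the implicit deny that ends every IOS ACL."""
    for pos, ace in enumerate(acl, 1):
        if matches(ace, pkt):
            return pos, ace.action
    return None, "deny"

# Subset of access-list 110 from the post, in the same order.
ACL_110 = [
    Ace("deny", "ip", ("127.0.0.0", "0.255.255.255"), ANY),
    Ace("deny", "ip", ("192.0.2.0", "0.0.0.255"), ANY),
    Ace("deny", "ip", ("224.0.0.0", "31.255.255.255"), ANY),
    Ace("deny", "ip", host("255.255.255.255"), ANY),
    Ace("deny", "ip", host("0.0.0.0"), ANY),
    Ace("deny", "ip", ("10.0.0.0", "0.255.255.255"), ANY),
    Ace("deny", "ip", ("172.16.0.0", "0.15.255.255"), ANY),
    Ace("deny", "ip", ("192.168.0.0", "0.0.255.255"), ANY),
    Ace("deny", "ip", OUR_SUBNET, ANY),                        # RFC 2827: own space as source
    Ace("permit", "icmp", ANY, ANY, icmp_type="echo-reply"),
    Ace("permit", "icmp", ANY, ANY, icmp_type="unreachable"),
    Ace("permit", "icmp", ANY, ANY, icmp_type="time-exceeded"),
    Ace("deny", "icmp", ANY, ANY),
    Ace("permit", "udp", ANY, host(DNS_SERVER), sport=("eq", 53), dport=("gt", 1023)),
    Ace("permit", "udp", ANY, host(DNS_SERVER), sport=("eq", 53), dport=("eq", 53)),
    Ace("permit", "tcp", ANY, OUR_SUBNET, established=True),
    Ace("permit", "udp", ANY, OUR_SUBNET, sport=("range", 1, 1023), dport=("gt", 1023)),
    Ace("permit", "tcp", ANY, host(WEB_SERVER), dport=("eq", 80)),
    Ace("permit", "tcp", ANY, host(WEB_SERVER), dport=("eq", 443)),
    Ace("deny", "ip", ANY, ANY),                               # explicit final deny
]

# Constructed sample traffic arriving inbound on the Internet-facing interface.
SAMPLES = {
    "spoofed RFC 1918 source":    Packet("tcp", "10.1.2.3", WEB_SERVER, 40000, 80),
    "own prefix as source":       Packet("tcp", "198.51.100.7", WEB_SERVER, 40000, 80),
    "new HTTP connection":        Packet("tcp", "203.0.113.5", WEB_SERVER, 40000, 80),
    "reply to our outbound TCP":  Packet("tcp", "203.0.113.5", "198.51.100.20", 443, 51000, ack_set=True),
    "unsolicited SYN, high port": Packet("tcp", "203.0.113.5", "198.51.100.20", 443, 51000),
    "inbound ping (echo)":        Packet("icmp", "203.0.113.5", WEB_SERVER, icmp_type="echo"),
    "DNS reply to our resolver":  Packet("udp", "203.0.113.9", DNS_SERVER, 53, 40000),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        pos, action = evaluate(ACL_110, pkt)
        print(f"{label:28} -> {action:6} (ACE {pos})")
```

Two things the run makes visible that the listing alone does not: the anti-spoofing denies at the top catch a packet from 10.1.2.3 before any permit is consulted, so ordering is what makes them effective; and the `established` entry only keys on the ACK/RST bits, so a TCP segment with those bits set is permitted to any host in the subnet regardless of whether a session exists, which is why the post's own comments treat this as a perimeter filter rather than a substitute for stateful inspection.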