Velocity Reviews - Computer Hardware Reviews

Access-List for Internet router Security

Posted by Ciscohite, 04-25-2012
I would say this post is dedicated to Rohit, as he is the one who requested it and also gave me some food for thought, because I hardly put any configurations on the blog since my major focus remains on network design. But I must say I enjoyed doing this and will try to post configurations more often; rather, I would be thankful to all of you if you can suggest to me the configurations I should be posting.

For those who missed the security policies post - Catch It Here


So, here it goes: the network diagram and ACL configuration for the post we discussed last time -


[Image: eBrahma - ACL Network Diagram]


Configuration -


Router#configure terminal
!Add anti-spoofing entries.
!Deny special-use address sources.
!Refer to RFC 3330 for additional special use addresses.
Router(config)#access-list 110 deny ip 127.0.0.0 0.255.255.255 any
Router(config)#access-list 110 deny ip 192.0.2.0 0.0.0.255 any
Router(config)#access-list 110 deny ip 224.0.0.0 31.255.255.255 any
Router(config)#access-list 110 deny ip host 255.255.255.255 any
!The deny statement below should not be configured
!on Dynamic Host Configuration Protocol (DHCP) relays.
Router(config)#access-list 110 deny ip host 0.0.0.0 any
!Filter RFC 1918 space.
Router(config)#access-list 110 deny ip 10.0.0.0 0.255.255.255 any
Router(config)#access-list 110 deny ip 172.16.0.0 0.15.255.255 any
Router(config)#access-list 110 deny ip 192.168.0.0 0.0.255.255 any
!Permit Border Gateway Protocol (BGP) to the edge router.
Router(config)#access-list 110 permit tcp host <bgp peer IP> gt 1023 host <edge router IP> eq bgp
Router(config)#access-list 110 permit tcp host <bgp peer IP> eq bgp host <edge router IP> gt 1023
!Deny your space as source (as noted in RFC 2827).
Router(config)#access-list 110 deny ip <your Internet-routable subnet> <wildcard mask> any
!Explicitly permit return traffic. Allow specific ICMP types.
Router(config)#access-list 110 permit icmp any any echo-reply
Router(config)#access-list 110 permit icmp any any unreachable
Router(config)#access-list 110 permit icmp any any time-exceeded
Router(config)#access-list 110 deny icmp any any
!Replies to outgoing DNS queries (source port 53 to high ports) are shown below.
Router(config)#access-list 110 permit udp any eq 53 host <primary DNS server IP> gt 1023
!Permit older DNS queries and replies to primary DNS server.
Router(config)#access-list 110 permit udp any eq 53 host <primary DNS server IP> eq 53
!Permit legitimate business traffic.
Router(config)#access-list 110 permit tcp any <Internet-routable subnet> <wildcard mask> established
Router(config)#access-list 110 permit udp any range 1 1023 <Internet-routable subnet> <wildcard mask> gt 1023
!Internet-sourced connections to publicly accessible servers are shown below.
Router(config)#access-list 110 permit tcp any host <public web server IP> eq 80
Router(config)#access-list 110 permit tcp any host <public web server IP> eq 443
Router(config)#access-list 110 permit tcp any host <public FTP server IP> eq 21
!Data connections to the FTP server are allowed
!by the permit established ACE.
!Allow PASV data connections to the FTP server.
Router(config)#access-list 110 permit tcp any gt 1023 host <public FTP server IP> gt 1023
Router(config)#access-list 110 permit tcp any host <public SMTP server IP> eq 25
!Explicitly deny all other traffic.
Router(config)#access-list 110 deny ip any any
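Added example, not from the post or from Cisco: a small first-match evaluator for Cisco extended ACL syntax, fed a subset of the ACEs above with constructed TEST-NET addresses standing in for the post's placeholders, so you can check which line a given packet would hit (and that an ACE carrying a different list number is simply not part of the ACL).

```python
import ipaddress

# Constructed stand-ins (TEST-NET) for the post's placeholders: BGP peer 203.0.113.1, edge router 203.0.113.2, own subnet 198.51.100.0/24, web 198.51.100.20
ACL = """
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 permit tcp host 203.0.113.1 gt 1023 host 203.0.113.2 eq bgp
access-list 110 deny ip 198.51.100.0 0.0.0.255 any
access-list 110 permit icmp any any echo-reply
access-list 110 deny icmp any any
access-list 110 permit tcp any 198.51.100.0 0.0.0.255 established
access-list 110 permit tcp any host 198.51.100.20 eq 80
access-list 110 deny ip any any
""".strip().splitlines()
PORTS = {"bgp": 179, "www": 80, "domain": 53, "smtp": 25, "ftp": 21}

def _addr(t):
    """'any' | 'host A' | 'A WILDCARD' -> (network, remaining tokens); contiguous wildcard assumed."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1] + "/32"), t[2:]
    prefix = 32 - int(ipaddress.IPv4Address(t[1])).bit_length()  # wildcard 1-bits are "don't care"
    return ipaddress.ip_network(f"{t[0]}/{prefix}", strict=False), t[2:]

def _port(t):  # optional 'eq N' / 'gt N' operator; absent means any port
    if t and t[0] in ("eq", "gt"):
        n, op = PORTS.get(t[1]) or int(t[1]), t[0]
        return ((lambda p: p == n) if op == "eq" else (lambda p: p > n)), t[2:]
    return (lambda p: True), t

def parse_ace(line):
    t = line.split()
    acl, action, proto = t[1:4]
    src, t = _addr(t[4:]); sport, t = _port(t)
    dst, t = _addr(t); dport, t = _port(t)
    return dict(acl=acl, action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport, extra=t)

def matches(ace, pkt):
    ip = ipaddress.ip_address
    if ace["proto"] not in ("ip", pkt["proto"]) or ip(pkt["src"]) not in ace["src"] or ip(pkt["dst"]) not in ace["dst"]:
        return False
    if not (ace["sport"](pkt.get("sport", 0)) and ace["dport"](pkt.get("dport", 0))):
        return False
    if "established" in ace["extra"] and not pkt.get("established"):
        return False  # 'established' matches only segments with ACK or RST set, i.e. reply traffic
    return not (ace["proto"] == "icmp" and ace["extra"] and ace["extra"][0] != pkt.get("icmp_type"))

def evaluate(pkt, acl="110", lines=ACL):
    # First matching ACE wins; an ACE with another list number is not part of this ACL; implicit deny at the end.
    for ace in map(parse_ace, lines):
        if ace["acl"] == acl and matches(ace, pkt):
            return ace["action"]
    return "deny"
```

A quick `{parse_ace(l)["acl"] for l in ACL}` over the full list above would surface a stray list number such as the `101` on the post's final line.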


You might also like these recent posts -

Voice over IP (VoIP) - Solutions Case Study - Read This
IPv6 Benefits - It's more than just a larger address space - Read This
Spanning Tree Protocol (STP) - The Necessary Evil - Read This
Five Most Commonly used Networking Technologies - Read This
Understanding Five Nines of Uptime - Read This

for more - http://www.ebrahma.com
