[nsp] VLAN sub-interface ACLs - prevent spoofed packets

Sam Stickland sam_ml at spacething.org
Tue Nov 11 07:53:08 EST 2003 

Hi,

I'm setting up some ACLs to prevent spoofed packets passing through our
router.

On a normal router port this is easy, because the in and out directions are
obvious. ie. Anything on an outside port arriving at the port (in) should be
for our subnet, and anything going out on it should be from our subnet.

But what about 6500 style sub-interfaces? I've only ever really dealt with
7200 style sub-interfaces before, and my heads gotten a bit confused. What's
the description of when traffic is flowing into a vlan, and when it's
flowing out? I wasn't sure how to craft the ACLs to prevent spoofed IP
addresses.

To investigate I placed some "permit ip any any log-input" statements on out
LANs VLAN and recorded the ACL matches, and it discovered the following.

* The ingress ACL almost always sees traffic from addresses in the LAN to
outside addresses. But sometimes the destination isn't always outside the
LAN. There's a couple of matches to the LANs broadcast address and
x.y.z.w -> x.y.z.9 (x.y.z.9 is the router IP address). So presumably traffic
directed at the router has to leave the VLAN? There's also the very
occasional bit of traffic from the broadcast address to an address on the
LAN.

* The egress ACL mostly sees traffic from outside addresses to addresses in
the LAN . However there's other destination addresses that aren't in the LAN
and some source addresses that are. Is this traffic meant to be there, or is
this the spoofed traffic I'm wanting to drop? I'm guessing it _probably_ is,
but I'm not sure, and I definately don't want to block legimate traffic.

>From the above I'm guessing the config would be something like:

int vlan 10
  ip access-group in-vl10 in
  ip access-group out-vl10 out

ip access-group extended in-vl10
  remark Permit traffic to the router from the LAN
  permit ip x.y.z.0/24 host x.y.z.9
  !
  remark Deny traffic directed at the LAN addresses
  deny ip any x.y.z.0/24 log-input
  !
  remark permit Traffic from the LAN to the outside world
  permit ip x.y.z.0/24 any
  !
  remark Deny and log any other traffic
  deny ip any any log-input

ip access-group extended out-vl10
  remark Deny traffic claiming to have originated in our subnet
  deny ip x.y.z.0/24 any log-input
  !
  remark Only allow traffic from the outside directed at our LAN addresses
  permit ip any x.y.z.0/24
  !
  remark Deny and log any other traffic
  deny ip any any log-input

Is this correct?

Sam

More information about the cisco-nsp mailing list