[nsp] VLAN sub-interface ACLs - prevent spoofed packets

Terry Baranski tbaranski at mail.com
Tue Nov 11 11:18:25 EST 2003

> I'm setting up some ACLs to prevent spoofed packets passing 
> through our router.
> On a normal router port this is easy, because the in and out 
> directions are obvious. ie. Anything on an outside port 
> arriving at the port (in) should be for our subnet, and 
> anything going out on it should be from our subnet.

VLAN interfaces are the same in this regard (it confused me at first
too).  So the ACL's below look good.


> But what about 6500 style sub-interfaces? I've only ever 
> really dealt with
> 7200 style sub-interfaces before, and my heads gotten a bit 
> confused. What's
> the description of when traffic is flowing into a vlan, and when it's
> flowing out? I wasn't sure how to craft the ACLs to prevent spoofed IP
> addresses.
> To investigate I placed some "permit ip any any log-input" 
> statements on out
> LANs VLAN and recorded the ACL matches, and it discovered the 
> following.
> * The ingress ACL almost always sees traffic from addresses 
> in the LAN to
> outside addresses. But sometimes the destination isn't always 
> outside the
> LAN. There's a couple of matches to the LANs broadcast address and
> x.y.z.w -> x.y.z.9 (x.y.z.9 is the router IP address). So 
> presumably traffic
> directed at the router has to leave the VLAN? There's also the very
> occasional bit of traffic from the broadcast address to an 
> address on the
> LAN.
> * The egress ACL mostly sees traffic from outside addresses 
> to addresses in
> the LAN . However there's other destination addresses that 
> aren't in the LAN
> and some source addresses that are. Is this traffic meant to 
> be there, or is
> this the spoofed traffic I'm wanting to drop? I'm guessing it 
> _probably_ is,
> but I'm not sure, and I definately don't want to block 
> legimate traffic.
> >From the above I'm guessing the config would be something like:
> int vlan 10
>   ip access-group in-vl10 in
>   ip access-group out-vl10 out
> ip access-group extended in-vl10
>   remark Permit traffic to the router from the LAN
>   permit ip x.y.z.0/24 host x.y.z.9
>   !
>   remark Deny traffic directed at the LAN addresses
>   deny ip any x.y.z.0/24 log-input
>   !
>   remark permit Traffic from the LAN to the outside world
>   permit ip x.y.z.0/24 any
>   !
>   remark Deny and log any other traffic
>   deny ip any any log-input
> ip access-group extended out-vl10
>   remark Deny traffic claiming to have originated in our subnet
>   deny ip x.y.z.0/24 any log-input
>   !
>   remark Only allow traffic from the outside directed at our 
> LAN addresses
>   permit ip any x.y.z.0/24
>   !
>   remark Deny and log any other traffic
>   deny ip any any log-input
> Is this correct?
> Sam
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list