[nsp] VLAN sub-interface ACLs - prevent spoofed packets

Matthew Crocker matthew at crocker.com
Tue Nov 11 12:44:04 EST 2003

A good way to think about it is that a 6500 is really a switch with an internal 
router.  VLAN interfaces are created in the router portion of the 
chassis.  Packets traveling from the switch part INTO the router part 
use the inbound ACL.  Packets then travel through the router and back 
out to the switch using the outbound ACL.


On Nov 11, 2003, at 7:53 AM, Sam Stickland wrote:

> Hi,
>
> I'm setting up some ACLs to prevent spoofed packets passing through our
> router.
>
> On a normal router port this is easy, because the in and out directions
> are obvious, i.e. anything on an outside port arriving at the port (in)
> should be for our subnet, and anything going out on it should be from
> our subnet.
>
> But what about 6500-style sub-interfaces? I've only ever really dealt
> with 7200-style sub-interfaces before, and my head's gotten a bit
> confused. What's the description of when traffic is flowing into a VLAN,
> and when it's flowing out? I wasn't sure how to craft the ACLs to prevent
> spoofed IP addresses.
>
> To investigate I placed some "permit ip any any log-input" statements on
> our LAN's VLAN and recorded the ACL matches, and discovered the
> following.
>
> * The ingress ACL almost always sees traffic from addresses in the LAN to
> outside addresses. But sometimes the destination isn't always outside the
> LAN. There are a couple of matches to the LAN's broadcast address and
> x.y.z.w -> x.y.z.9 (x.y.z.9 is the router IP address). So presumably
> traffic directed at the router has to leave the VLAN? There's also the
> very occasional bit of traffic from the broadcast address to an address
> on the LAN.
>
> * The egress ACL mostly sees traffic from outside addresses to addresses
> in the LAN. However there are other destination addresses that aren't in
> the LAN and some source addresses that are. Is this traffic meant to be
> there, or is this the spoofed traffic I'm wanting to drop? I'm guessing
> it _probably_ is, but I'm not sure, and I definitely don't want to block
> legitimate traffic.
>
> From the above I'm guessing the config would be something like:
>
> int vlan 10
>   ip access-group in-vl10 in
>   ip access-group out-vl10 out
>
> ip access-list extended in-vl10
>   remark Permit traffic to the router from the LAN
>   permit ip x.y.z.0 0.0.0.255 host x.y.z.9
>   !
>   remark Deny traffic directed at the LAN addresses
>   deny ip any x.y.z.0 0.0.0.255 log-input
>   !
>   remark Permit traffic from the LAN to the outside world
>   permit ip x.y.z.0 0.0.0.255 any
>   !
>   remark Deny and log any other traffic
>   deny ip any any log-input
>
> ip access-list extended out-vl10
>   remark Deny traffic claiming to have originated in our subnet
>   deny ip x.y.z.0 0.0.0.255 any log-input
>   !
>   remark Only allow traffic from the outside directed at our LAN addresses
>   permit ip any x.y.z.0 0.0.0.255
>   !
>   remark Deny and log any other traffic
>   deny ip any any log-input
>
> Is this correct?
>
> Sam
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
Matthew S. Crocker
Crocker Communications, Inc.
Vice President
PO BOX 710
Greenfield, MA 01302

P: 413-746-2760
F: 413-746-3704
W: http://www.crocker.com
E: matthew at crocker.com
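The direction rule in the reply above (inbound ACL = VLAN hosts into the router, outbound ACL = router back out toward the VLAN hosts), dry-run offline as an added example that is not from either poster. It is a small evaluator for IOS-style extended ACL text with first-match semantics and the implicit deny, fed the two draft lists from the quoted post. Assumptions: 192.0.2.0/24 stands in for x.y.z.0/24, 192.0.2.9 for the router's VLAN address, and every packet is constructed, one per kind of flow the log-input experiment reported. Only "permit ip" / "deny ip" entries with any, host A.B.C.D or A.B.C.D W.W.W.W are parsed; protocol and port qualifiers are out of scope.

```python
"""Dry-run a 6500 VLAN-interface ACL pair offline (added example, not from the thread).

Direction model: the SVI's inbound ACL sees packets going from the switch fabric
INTO the router; the outbound ACL sees packets coming OUT of the router toward
the VLAN.  192.0.2.0/24 stands in for x.y.z.0/24, 192.0.2.9 for the router's
VLAN address; all packets below are constructed test data.
"""
import ipaddress
from dataclasses import dataclass


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def cidr_to_wildcard(prefix):
    """'192.0.2.0/24' -> '192.0.2.0 0.0.0.255': IOS ACLs take wildcard masks, not /len."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return f"{net.network_address} {net.hostmask}"


@dataclass
class Spec:
    addr: int
    wildcard: int  # a set bit means "don't care", exactly as IOS treats it

    def matches(self, ip):
        return (ip ^ self.addr) & ~self.wildcard & 0xFFFFFFFF == 0


@dataclass
class Entry:
    action: str
    src: Spec
    dst: Spec
    log: bool
    text: str


def _parse_spec(tokens):
    if tokens[0] == "any":
        return Spec(0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return Spec(_ip(tokens[1]), 0), tokens[2:]
    return Spec(_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def parse_acl(config):
    """Parse the body of an 'ip access-list extended' block, skipping remarks and '!'."""
    entries = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("remark"):
            continue
        tokens = line.split()
        if tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            raise ValueError(f"unsupported entry: {line}")
        src, rest = _parse_spec(tokens[2:])
        dst, rest = _parse_spec(rest)
        log = any(t in ("log", "log-input") for t in rest)
        entries.append(Entry(tokens[0], src, dst, log, line))
    return entries


def evaluate(acl, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny, as on IOS."""
    s, d = _ip(src), _ip(dst)
    for entry in acl:
        if entry.src.matches(s) and entry.dst.matches(d):
            return entry.action, entry.text
    return "deny", "implicit deny"


# Inbound on 'interface Vlan10': packets from the VLAN's hosts entering the router.
IN_VL10 = """
 remark LAN hosts talking to the router's own VLAN address
 permit ip 192.0.2.0 0.0.0.255 host 192.0.2.9
 remark Nothing entering from the LAN side should be addressed to the LAN prefix
 deny ip any 192.0.2.0 0.0.0.255 log-input
 remark LAN prefix to anywhere else
 permit ip 192.0.2.0 0.0.0.255 any
 deny ip any any log-input
"""

# Outbound on 'interface Vlan10': packets leaving the router toward the VLAN's hosts.
OUT_VL10 = """
 remark The outside must not claim our own prefix as its source
 deny ip 192.0.2.0 0.0.0.255 any log-input
 permit ip any 192.0.2.0 0.0.0.255
 deny ip any any log-input
"""

# Constructed packets: (direction, source, destination), one per flow kind reported.
CASES = {
    "lan_to_internet": ("in", "192.0.2.20", "198.51.100.7"),
    "lan_to_router": ("in", "192.0.2.20", "192.0.2.9"),
    "lan_to_broadcast": ("in", "192.0.2.20", "192.0.2.255"),
    "spoofed_src_from_lan": ("in", "203.0.113.5", "198.51.100.7"),
    "internet_to_lan": ("out", "198.51.100.7", "192.0.2.20"),
    "spoofed_lan_src_from_outside": ("out", "192.0.2.20", "192.0.2.21"),
    "outside_to_non_lan": ("out", "198.51.100.7", "203.0.113.5"),
}


def dry_run(cases=CASES):
    """Return {case name: 'permit' | 'deny'} for each packet against the ACL of its direction."""
    acls = {"in": parse_acl(IN_VL10), "out": parse_acl(OUT_VL10)}
    return {name: evaluate(acls[direction], src, dst)[0]
            for name, (direction, src, dst) in cases.items()}


if __name__ == "__main__":
    for name, verdict in dry_run().items():
        print(f"{name:30} {verdict}")
```

Run it and the verdicts line up with the direction rule: LAN-sourced packets to the outside or to the router address are permitted inbound, anything entering from the LAN side with a foreign source is denied, and outbound only outside-sourced packets for the LAN prefix get through. The one flow worth a second look before deploying is lan_to_broadcast, which the draft inbound list denies and logs; the wildcard match is done bit-for-bit, so non-contiguous masks are handled the way IOS would handle them.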
