Router security features
4.2.b i IPv6 Traffic Filters
General information on “IPv6 Traffic Filters”:
- IPv6 supports only one ACL type, which is comparable to IPv4 extended ACLs
- IPv6 traffic filters must be named; numbering is not possible
- Port operator keywords:
    - gt = greater than
    - eq = equal
    - lt = lower than
    - neq = not equal
    - range = port range
- ACLs only affect transit traffic, not locally originated traffic
- ICMPv6 should be explicitly allowed, otherwise address resolution breaks: IPv6 Neighbor Discovery runs over ICMPv6, whereas IPv4 uses layer-2 ARP
“IPv6 Traffic Filters” CLI configuration commands:
## Defining an IPv6 ACL
Router(config)# ipv6 access-list [ACL NAME]
Router(config-ipv6-acl)# [permit | deny] [protocol] [source-ipv6-prefix | any | host source-ipv6-address] [dest-ipv6-prefix | any | host dest-ipv6-addr] [operator port]
## Applying an IPv6 ACL to an interface
Router(config)# interface <if>
Router(config-if)# ipv6 traffic-filter [ACL NAME] [in | out]
“IPv6 Traffic Filters” CLI show commands:
## Showing currently configured IPv6 ACLs
Router# show ipv6 access-lists
4.2.b ii IPv4 Access Control Lists
General Information on “IPv4 Access Control Lists”:
- Two types of ACLs:
    - Standard: Permit/Deny only, source address only
    - Extended: Permit/deny + protocol, source/destination address
- Standard range (numbered): 1-99, 1300-1999
- Extended range (numbered): 100-199, 2000-2699
- Extended ACL port operator keywords:
    - gt = greater than
    - eq = equal
    - lt = lower than
- Can either be numbered or named
- Can be inbound or outbound on a port
- Implicit “deny any” at the end of every ACL
- ACLs only affect transit traffic, not locally originated traffic
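The two lists above (IPv6 traffic filters and IPv4 standard/extended ACLs) describe the same evaluation model: entries are checked top-down, the first match wins, port operators refine TCP/UDP matches, and an implicit “deny any” catches whatever is left. The following is an added example, not code from the notes or from Cisco: a small Python evaluator that parses constructed IOS-style ACL lines (IPv4 wildcard masks and IPv6 prefixes, the `eq`/`neq`/`gt`/`lt`/`range` operators and the `log` flag) and runs sample packets through them. The ACL text, the `Packet` class and all addresses are constructed for the example; the port operator is taken to apply to the destination port, matching the syntax shown in the notes.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed packet summary; proto is the ACL keyword ("tcp", "udp",
    "icmp"; an IPv6 ACL also uses "icmp" for ICMPv6)."""
    proto: str
    src: str
    dst: str
    dport: int = 0


def _addr_matcher(tokens, i):
    """Consume one address specification starting at tokens[i].
    Returns (predicate over ipaddress objects, index of the next token)."""
    tok = tokens[i]
    if tok == "any":
        return (lambda a: True), i + 1
    if tok == "host":
        target = ipaddress.ip_address(tokens[i + 1])
        return (lambda a: a == target), i + 2
    if "/" in tok:                                   # IPv6 prefix notation
        net = ipaddress.ip_network(tok, strict=False)
        return (lambda a: a in net), i + 1
    # IPv4 address + wildcard mask: a 1 bit in the mask means "don't care".
    # OR-ing the wildcard into both sides makes non-contiguous masks work too.
    base = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (lambda a: a.version == 4 and (int(a) | wild) == (base | wild)), i + 2


def _port_matcher(tokens, i):
    """Consume an optional destination-port operator (eq/neq/gt/lt/range)."""
    if i < len(tokens) and tokens[i] == "range":
        lo, hi = int(tokens[i + 1]), int(tokens[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    if i < len(tokens) and tokens[i] in ("eq", "neq", "gt", "lt"):
        op, n = tokens[i], int(tokens[i + 1])
        ops = {"eq": lambda p: p == n, "neq": lambda p: p != n,
               "gt": lambda p: p > n, "lt": lambda p: p < n}
        return ops[op], i + 2
    return (lambda p: True), i                       # no operator: any port


def parse_acl(text):
    """Parse IOS-style ACL lines into a list of entries (ACEs), in order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _addr_matcher(tokens, 2)
        dst, i = _addr_matcher(tokens, i)
        port, i = _port_matcher(tokens, i)
        log = i < len(tokens) and tokens[i] == "log"
        entries.append((action, proto, src, dst, port, log, " ".join(tokens)))
    return entries


def evaluate(entries, pkt):
    """Top-down, first match wins. Returns (action, matched line).
    Nothing matching falls through to the implicit 'deny any'."""
    src_ip, dst_ip = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src, dst, port, log, line in entries:
        if proto not in (pkt.proto, "ip", "ipv6"):   # ip/ipv6 = any protocol
            continue
        if src(src_ip) and dst(dst_ip) and port(pkt.dport):
            return action, line
    return "deny", "implicit deny any"


# Constructed sample ACLs (not from the notes); addresses are documentation ranges.
IPV4_ACL = """
remark constructed example ACL
permit tcp 10.1.0.0 0.0.255.255 host 192.0.2.10 eq 22
permit tcp any host 192.0.2.20 range 80 443
deny udp any any gt 1023 log
permit ip 10.1.0.0 0.0.255.255 any
"""

IPV6_ACL = """
permit icmp any any
permit tcp 2001:db8:1::/48 host 2001:db8:2::10 eq 443
"""

if __name__ == "__main__":
    v4 = parse_acl(IPV4_ACL)
    for p in (Packet("tcp", "10.1.5.5", "192.0.2.10", 22),
              Packet("tcp", "172.16.0.1", "192.0.2.10", 23),
              Packet("udp", "203.0.113.9", "192.0.2.30", 5000)):
        print(p, "->", evaluate(v4, p))
```

The `172.16.0.1` packet shows the point the notes make about the implicit deny: it is not rejected by any configured line, it simply never matches one. The IPv6 ACL shows why the notes insist on permitting ICMPv6 up front: without the first line, the Neighbor Discovery traffic that IPv6 address resolution depends on would also fall through to the implicit deny.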
“IPv4 Access Control Lists” CLI configuration commands:
## Defining an IPv4 standard ACL
Router(config)# ip access-list standard [1-99 | 1300-1999 | WORD]
Router(config-std-nacl)# [permit | deny] [source-ip | any] [mask] [log]
## Defining an IPv4 extended ACL
Router(config)# ip access-list extended [100-199 | 2000-2699 | WORD]
Router(config-ext-nacl)# [permit | deny] [protocol] [source-ip | any] [mask] [dest-ip | any] [mask] [log]
## Defining a time range for ACLs
Router(config)# time-range <tr-name>
Router(config-time-range)# absolute start <hh:mm> [day] [month] [year] end <hh:mm> [day] [month] [year]
Router(config-time-range)# periodic [days] <hh:mm> to <hh:mm>
## Defining an IPv4 extended ACL with a time range
Router(config)# ip access-list extended [100-199 | 2000-2699 | WORD]
Router(config-ext-nacl)# [permit | deny] [protocol] [source-ip | any] [mask] [dest-ip | any] [mask] [log] time-range <tr-name>
## Applying an IPv4 ACL to an interface
Router(config)# interface <if>
Router(config-if)# ip access-group [ACL NAME | ACL NUMBER] [in | out]
“IPv4 Access Control Lists” CLI show commands:
## Showing currently configured IPv4 ACLs
Router# show ip access-lists
4.2.b iii Unicast Reverse Path Forwarding
General Information on “Unicast Reverse Path Forwarding”:
- Also known as uRPF
- Defined in RFC 3704
- Without uRPF: the router checks only the destination address of a packet and forwards it
- With uRPF: the router checks the destination address AND the source address of a packet before forwarding it
- Two uRPF modes available:
    - Loose (keyword any): checks whether a route to the source address exists in the routing table. Also known as the route existence check. A packet always passes if a default route is available.
    - Strict (keyword rx): checks whether the packet was received on the same interface the router would use to send a reply back to the source. Asymmetric routing is effectively disabled.
- Relies on CEF (enabled by default on Cisco routers) and the FIB created by CEF
- Configured on an interface basis
- Optionally an ACL can be applied:
    - If the packet fails uRPF, the ACL is examined
    - If a permit statement matches, the packet is forwarded anyway
    - If a deny statement matches, the packet is finally dropped
- Failed uRPF packets are always logged, even if they were permitted by the ACL
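To make the loose/strict distinction and the ACL exception concrete, here is an added example (not code from the notes or from Cisco): a Python model of the uRPF decision against a constructed FIB. `lookup` does the longest-prefix match CEF would do, `urpf_check` applies the `any` (loose) or `rx` (strict) test, an optional predicate stands in for the ACL hook, and `allow_default` decides whether the default route counts as a matching route (IOS exposes that choice as the `allow-default` keyword of `ip verify unicast source reachable-via`). The FIB contents, interface names and addresses are all constructed.

```python
import ipaddress

# Constructed FIB: prefix -> egress interface. On a real router this table
# is built by CEF; it is hard-coded here for the example.
FIB = {
    "10.1.0.0/16": "Gi0/1",
    "10.2.0.0/16": "Gi0/2",
    "192.0.2.0/24": "Gi0/0",
    "0.0.0.0/0": "Gi0/0",
}


def lookup(fib, addr, allow_default=False):
    """Longest-prefix match for addr. Returns the egress interface or None.
    The default route (/0) only participates when allow_default is set."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_check(fib, src, in_iface, mode, allow_default=False, exempt=None):
    """Decide the fate of a packet with source src arriving on in_iface.

    mode "any": loose check, a route back to the source must exist.
    mode "rx":  strict check, that route must point out the ingress interface.
    exempt:     optional predicate modelling the ACL applied with the uRPF
                command; a packet that fails uRPF is still forwarded if the
                ACL permits it, and the notes state it is logged either way.
    Returns "forward", "forward-logged" or "drop".
    """
    egress = lookup(fib, src, allow_default)
    if mode == "any":
        passed = egress is not None
    elif mode == "rx":
        passed = egress == in_iface
    else:
        raise ValueError("mode must be 'any' or 'rx'")
    if passed:
        return "forward"
    if exempt is not None and exempt(src):
        return "forward-logged"
    return "drop"


def exempt_lab_range(src):
    """Constructed stand-in for a permit ACL entry: a lab range that is
    allowed through even though the FIB has no route back to it."""
    return ipaddress.ip_address(src) in ipaddress.ip_network("192.168.0.0/16")


if __name__ == "__main__":
    cases = [
        ("10.1.7.7", "Gi0/1", "rx"),        # symmetric path: passes strict
        ("10.1.7.7", "Gi0/2", "rx"),        # asymmetric path: strict drops it
        ("10.1.7.7", "Gi0/2", "any"),       # loose only needs the route to exist
        ("203.0.113.5", "Gi0/1", "any"),    # no specific route, default ignored
    ]
    for src, iface, mode in cases:
        print(src, iface, mode, "->", urpf_check(FIB, src, iface, mode))
```

The second and third cases are the practical difference between the modes: the same packet is dropped by strict mode on an asymmetric path and accepted by loose mode, which is why loose mode is the usual choice on interfaces where return traffic may take a different path.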
“Unicast Reverse Path Forwarding” CLI configuration commands:
## Enable uRPF on an interface
Router(config)# interface <if>
Router(config-if)# ip verify unicast source reachable-via [any | rx] <acl-name>
“Unicast Reverse Path Forwarding” CLI show commands:
## Showing how many packets uRPF has dropped
Router# show ip traffic
## Showing if uRPF is enabled on a specific interface
Router# show cef interface <if>