Security Infrastructure ACLs
Introduction
Infrastructure ACLs are usually applied inbound on ingress interfaces, where traffic enters from outside the network. Their main goal is to protect the service provider (SP) network's own devices rather than the traffic passing through it. This document goes over the guidelines for deploying them.
Infrastructure ACLs
- Deny access from external sources to all IPv4 or IPv6 addresses belonging to the infrastructure, such as router loopbacks.
- Transit packets are permitted; only packets destined to the network's infrastructure are blocked.
- Infrastructure resources to protect include:
  - router/switch loopbacks and management interfaces
  - router-to-router links, whether point-to-point or multiaccess
- Infrastructure protection is achieved using some of these techniques:
  - Receive ACLs (rACLs)
  - Hop-by-hop router ACLs
  - Edge filtering via infrastructure ACLs
- Receive ACLs (rACLs)
  - rACLs are a type of ACL available on the Cisco 1200 and 7500 that filters only traffic destined to the route processor (RP), not transit traffic.
- Hop-by-hop router ACLs
  - Regular ACLs defined on interfaces of each router.
  - They also filter transit traffic, so any transit flow not explicitly permitted is dropped.
- Edge filtering via infrastructure ACLs
  - Regular ACLs, but deployed at the edges of the network on interfaces toward peers and customers.
  - Require a well-designed address plan so that the infrastructure can be summarized into a small number of prefixes.
Filtering Traffic
- Below is an example of what to filter and what to allow, in order:
  - Anti-spoofing: deny packets whose source address is spoofed.
  - Deny special-use addresses such as 0.0.0.0, 127.0.0.0, 192.0.0.0 and 224.0.0.0; see RFC3300 for details.
  - Deny RFC1918 address space.
  - Permit BGP.
  - Deny infrastructure addresses.
  - Permit transit any any.
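The ordering above matters: the BGP permit has to precede the infrastructure deny, or the eBGP session to the edge router is dropped along with everything else. The following added example (not from the page or the Cisco document it cites) models that ingress ACL as a first-match list and evaluates sample packets against it; the infrastructure prefix, the provider's address space and the peer address are assumed values from RFC 5737 documentation space.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed prefixes (RFC 5737 documentation ranges), assumed for the example.
INFRA = ipaddress.ip_network("203.0.113.0/24")      # assumed: loopbacks and P2P links
OUR_SPACE = ipaddress.ip_network("203.0.112.0/22")  # assumed: all space we originate
BGP_PEER = ipaddress.ip_network("198.51.100.1/32")  # assumed: external eBGP neighbour
ANY = ipaddress.ip_network("0.0.0.0/0")

# Special-use and RFC 1918 ranges the guidelines say to deny at the edge.
SPECIAL_USE = [ipaddress.ip_network(p) for p in
               ("0.0.0.0/8", "127.0.0.0/8", "192.0.0.0/24", "224.0.0.0/4")]
RFC1918 = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "ip"           # "ip" matches any protocol
    dport: Optional[int] = None

# Inbound edge ACL in the order the page lists: anti-spoof, special-use,
# RFC 1918, permit BGP, deny everything else to infrastructure, permit transit.
INGRESS_ACL = (
    [Entry("deny", OUR_SPACE, ANY)]                     # anti-spoofing
    + [Entry("deny", p, ANY) for p in SPECIAL_USE]
    + [Entry("deny", p, ANY) for p in RFC1918]
    + [Entry("permit", BGP_PEER, INFRA, "tcp", 179)]    # eBGP to our router
    + [Entry("deny", ANY, INFRA)]                       # protect the infrastructure
    + [Entry("permit", ANY, ANY)]                       # transit
)

def evaluate(acl, src, dst, proto="ip", dport=None):
    """First-match evaluation with the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        if (s in e.src and d in e.dst and e.proto in ("ip", proto)
                and (e.dport is None or e.dport == dport)):
            return e.action
    return "deny"

def to_ios(acl):
    """Render the entries in IOS-style extended ACL syntax (wildcard masks)."""
    lines = []
    for e in acl:
        port = f" eq {e.dport}" if e.dport is not None else ""
        lines.append(f"{e.action} {e.proto} {e.src.network_address} {e.src.hostmask} "
                     f"{e.dst.network_address} {e.dst.hostmask}{port}")
    return lines
```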
Additional Resources
Protecting Your Core: Infrastructure Protection Access Control Lists