Access-List for Internet router Security

I would say this post is dedicated to Rohit, as he is the one who requested this and also gave me some food for thought, because I hardly put any configurations on the blog since my major focus remains on network design. But I must say I enjoyed doing this and will try to post configurations more often; rather, I would be thankful to all of you if you can suggest the configurations I should be posting.

For those who missed the security policies post - Catch It Here

So, here it goes for the Network Diagram & ACL configuration for the post we discussed last time -

eBrahma - ACL Network Diagram

Configuration -

Router#configure terminal
!Add anti-spoofing entries.
!Deny special-use address sources.
!Refer to RFC 3330 for additional special use addresses.
Router(config)#access-list 110 deny ip 127.0.0.0 0.255.255.255 any
Router(config)#access-list 110 deny ip 192.0.2.0 0.0.0.255 any
Router(config)#access-list 110 deny ip 224.0.0.0 31.255.255.255 any
Router(config)#access-list 110 deny ip host 255.255.255.255 any
!The deny statement below should not be configured
!on Dynamic Host Configuration Protocol (DHCP) relays.
Router(config)#access-list 110 deny ip host 0.0.0.0 any
!Filter RFC 1918 space.
Router(config)#access-list 110 deny ip 10.0.0.0 0.255.255.255 any
Router(config)#access-list 110 deny ip 172.16.0.0 0.15.255.255 any
Router(config)#access-list 110 deny ip 192.168.0.0 0.0.255.255 any
!Permit Border Gateway Protocol (BGP) to the edge router.
Router(config)#access-list 110 permit tcp host bgp_peer_IP gt 1023 host edge_router_IP eq bgp
Router(config)#access-list 110 permit tcp host bgp_peer_IP eq bgp host edge_router_IP gt 1023
!Deny your own space as source (as noted in RFC 2827).
Router(config)#access-list 110 deny ip your_Internet-routable_subnet any
!Explicitly permit return traffic. Allow only specific ICMP types.
Router(config)#access-list 110 permit icmp any any echo-reply
Router(config)#access-list 110 permit icmp any any unreachable
Router(config)#access-list 110 permit icmp any any time-exceeded
Router(config)#access-list 110 deny icmp any any
!Replies to outgoing DNS queries (resolver uses a high source port).
Router(config)#access-list 110 permit udp any eq 53 host primary_DNS_server_IP gt 1023
!Permit older-style DNS queries and replies (port 53 to port 53) to the primary DNS server.
Router(config)#access-list 110 permit udp any eq 53 host primary_DNS_server_IP eq 53
!Permit legitimate business traffic.
Router(config)#access-list 110 permit tcp any Internet-routable_subnet established
Router(config)#access-list 110 permit udp any range 1 1023 Internet-routable_subnet gt 1023
!Internet-sourced connections to publicly accessible servers are shown below.
Router(config)#access-list 110 permit tcp any host public_web_server_IP eq 80
Router(config)#access-list 110 permit tcp any host public_web_server_IP eq 443
Router(config)#access-list 110 permit tcp any host public_FTP_server_IP eq 21
!Data connections to the FTP server are allowed
!by the permit established ACE.
!Allow PASV data connections to the FTP server.
Router(config)#access-list 110 permit tcp any gt 1023 host public_FTP_server_IP gt 1023
Router(config)#access-list 110 permit tcp any host public_SMTP_server_IP eq 25
!Explicitly deny all other traffic (this entry belongs to the same list, 110).
Router(config)#access-list 110 deny ip any any
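As an added illustration (not part of the original post and not Cisco code), the script below evaluates sample packets against a constructed excerpt of ACL 110, first match top to bottom as IOS does, so you can see exactly which entry catches a spoofed source, a multicast source, your own prefix arriving from outside, or a connection to a port you never opened. Documentation addresses are assumed for the placeholders: 203.0.113.0/24 for "your Internet-routable subnet", .10 for the web server and .21 for the FTP server.

```python
import ipaddress

# Constructed excerpt of the post's ACL 110 (same order, placeholders filled with
# documentation addresses; BGP, DNS and "established" entries omitted for brevity).
ACL = """
deny ip 127.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 203.0.113.0 0.0.0.255 any
permit icmp any any echo-reply
deny icmp any any
permit tcp any host 203.0.113.10 eq 80
permit tcp any gt 1023 host 203.0.113.21 gt 1023
deny ip any any
"""

def _addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (matcher, rest)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        h = int(ipaddress.ip_address(tokens[1]))
        return (lambda ip: ip == h), tokens[2:]
    base = int(ipaddress.ip_address(tokens[0]))
    wild = int(ipaddress.ip_address(tokens[1]))  # Cisco wildcard: 1 bits are "don't care"
    return (lambda ip: (ip & ~wild) == (base & ~wild)), tokens[2:]

def _port(tokens):
    """Consume an optional port operator (eq N | gt N | range A B); return (matcher, rest)."""
    if tokens and tokens[0] == "eq":
        return (lambda p: p == int(tokens[1])), tokens[2:]
    if tokens and tokens[0] == "gt":
        return (lambda p: p > int(tokens[1])), tokens[2:]
    if tokens and tokens[0] == "range":
        return (lambda p: int(tokens[1]) <= p <= int(tokens[2])), tokens[3:]
    return (lambda p: True), tokens

def evaluate(acl, proto, src, dst, sport=0, dport=0, icmp_type=None):
    """First-match evaluation; returns (action, ACE number) or ("deny", None) for the implicit deny."""
    s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
    for n, line in enumerate((l for l in acl.splitlines() if l.strip()), start=1):
        action, prot, *rest = line.split()
        if prot not in ("ip", proto):          # "ip" entries match every protocol
            continue
        sm, rest = _addr(rest); sp, rest = _port(rest)
        dm, rest = _addr(rest); dp, rest = _port(rest)
        if proto == "icmp" and rest and rest[0] != icmp_type:  # trailing ICMP type keyword
            continue
        if sm(s) and sp(sport) and dm(d) and dp(dport):
            return action, n
    return "deny", None
```

Try it with a packet from a private source such as 10.1.2.3 to the web server: the RFC 1918 entry (ACE 3) drops it before the web permit is ever consulted, which is the whole point of putting the anti-spoofing entries first.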




Ciscohite