
CCIE Security V4 Technology Labs, Section 2: Threat Identification and Mitigation


Implementing RFC 2827 Anti-Spoofing Filtering
Last updated: May 3, 2013

Task
You own the network 136.1.0.0/8; ensure bidirectional RFC 2827 filtering on R3's connection to ASA4.
Each security policy violation should be logged.
Configure the router so that, when viewing a log message, you can identify the name and the line of the
access-list that generated it.

Overview
RFC 2827 defines a filtering mechanism based on your internally assigned IPv4 address space that
provides a basic form of protection against source-address spoofing. Traffic leaving your network
should carry source IPv4 addresses only from your own address space, and traffic entering your network
should carry any source IPv4 address except the ones you own. These filters are usually applied at the
edge of the network, so that they do not affect internal traffic but still drop inbound spoofed
traffic as early as possible.

The syslog messages produced by access-list entries with the log keyword can be tagged either with a
router-generated MD5 hash value or with a user-defined cookie. The advantage of a cookie is that you can
choose a meaningful tag value, such as one matching the access-list name and the access-list entry, which
helps when troubleshooting.

Note that user-defined cookies take precedence over router-generated MD5 hash values: if both options are
configured, no MD5 hash value is generated for access-list entries that carry a cookie.

Configuration
R3:
ip access-list extended RFC2827_IN
 deny ip 136.1.0.0 0.255.255.255 any log RFC2827_IN_LINE1
 permit ip any any
!
ip access-list extended RFC2827_OUT
 permit ip 136.1.0.0 0.255.255.255 any
 deny ip any any log RFC2827_OUT_LINE2
!
interface FastEthernet0/0.143
 ip access-group RFC2827_IN in
 ip access-group RFC2827_OUT out
!
ip access-list log-update threshold 1

Verification
Verify that the access-lists are applied correctly, inbound and outbound, on R3's interface.

Rack1R3#show ip access-lists RFC2827_IN
Extended IP access list RFC2827_IN
10 deny ip 136.1.0.0 0.255.255.255 any log (tag = RFC2827_IN_LINE1)
20 permit ip any any (661 matches)

Rack1R3#show ip access-lists RFC2827_OUT
Extended IP access list RFC2827_OUT
10 permit ip 136.1.0.0 0.255.255.255 any
20 deny ip any any log (tag = RFC2827_OUT_LINE2)

Rack1R3#show ip interface fastEthernet 0/0.143 | i RFC
Outgoing access list is RFC2827_OUT
Inbound access list is RFC2827_IN

Ensure that non-conforming packets are logged and that the messages are tagged with the access-list
name and line. To do this, we first send ordinary packets from SW1, then packets sourced from the
internal 136.0.0.0/8 IPv4 address range, which must not arrive inbound on R3.
Rack1SW1#ping 172.1.143.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.1.143.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

Rack1SW1#ping 172.1.143.3 source loopback1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.1.143.3, timeout is 2 seconds:
Packet sent with a source address of 136.7.7.7
.....
Success rate is 0 percent (0/5)

Rack1R3#show ip access-lists RFC2827_IN
Extended IP access list RFC2827_IN
10 deny ip 136.0.0.0 0.255.255.255 any log (5 matches) (tag = RFC2827_IN_LINE1)
20 permit ip any any (14 matches)

Rack1R3#show logging | i RFC2827_IN
%SEC-6-IPACCESSLOGDP: list RFC2827_IN denied icmp 136.7.7.7 -> 172.1.143.3 (0/0), 1 packet [RFC2827_IN_LINE1]
%SEC-6-IPACCESSLOGDP: list RFC2827_IN denied icmp 136.7.7.7 -> 172.1.143.3 (0/0), 1 packet [RFC2827_IN_LINE1]
%SEC-6-IPACCESSLOGDP: list RFC2827_IN denied icmp 136.7.7.7 -> 172.1.143.3 (0/0), 1 packet [RFC2827_IN_LINE1]
%SEC-6-IPACCESSLOGDP: list RFC2827_IN denied icmp 136.7.7.7 -> 172.1.143.3 (0/0), 1 packet [RFC2827_IN_LINE1]
%SEC-6-IPACCESSLOGDP: list RFC2827_IN denied icmp 136.7.7.7 -> 172.1.143.3 (0/0), 1 packet [RFC2827_IN_LINE1]
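As an added illustration (not part of the lab and not Cisco IOS code), the following Python models the RFC2827_IN and RFC2827_OUT access-lists above as a first-match lookup and parses the tagged %SEC-6-IPACCESSLOGDP messages, so each cookie is traced back to the ACL entry that fired; the sample log lines are constructed to match the output shown, and the optional (port) form of the message is an assumption covering the TCP/UDP variant.

```python
"""Model of the RFC2827_IN / RFC2827_OUT ACL pair and a parser for the
tagged %SEC-6-IPACCESSLOGDP messages they emit (added illustration)."""
import ipaddress
import re
from collections import Counter

# 136.1.0.0 0.255.255.255 in the ACL is the 136.0.0.0/8 block (IOS zeroes the host bits).
INTERNAL = ipaddress.ip_network("136.0.0.0/8")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Each entry: (action, source prefix, log cookie or None), in evaluation order.
ACLS = {
    "in":  [("deny", INTERNAL, "RFC2827_IN_LINE1"),   # our own range arriving from outside
            ("permit", ANY, None)],
    "out": [("permit", INTERNAL, None),               # only our own range may leave
            ("deny", ANY, "RFC2827_OUT_LINE2")],      # anything else leaving is spoofed
}

def evaluate(direction, src):
    """First-match evaluation on the source address; returns (action, cookie)."""
    addr = ipaddress.ip_address(src)
    for action, prefix, cookie in ACLS[direction]:
        if addr in prefix:
            return action, cookie
    raise ValueError("no match: both ACLs end in a match-all entry")

# Shape taken from the lab output; the optional (port) and absent (type/code)
# forms are an assumption covering the TCP/UDP variant of the message.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\(\d+\))? -> (?P<dst>[\d.]+)(?:\(\d+\))?"
    r"(?: \(\d+/\d+\))?, (?P<count>\d+) packets? \[(?P<tag>[^\]]+)\]")

def parse_log(text):
    """Return one dict per tagged log line, with the packet count as an int."""
    records = []
    for m in LOG_RE.finditer(text):
        rec = m.groupdict()
        rec["count"] = int(rec["count"])
        records.append(rec)
    return records

def packets_per_tag(records):
    """Sum packet counts per cookie, i.e. per ACL line that fired."""
    totals = Counter()
    for rec in records:
        totals[rec["tag"]] += rec["count"]
    return dict(totals)

# Constructed sample: five messages, one per packet, as produced by the ping
# above with the log-update threshold set to 1.
SAMPLE_LOG = "\n".join(
    ["%SEC-6-IPACCESSLOGDP: list RFC2827_IN denied icmp 136.7.7.7 -> 172.1.143.3 "
     "(0/0), 1 packet [RFC2827_IN_LINE1]"] * 5)
```

Running packets_per_tag(parse_log(SAMPLE_LOG)) gives {"RFC2827_IN_LINE1": 5}, matching the five matches shown on ACL line 10.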
