Tag Archives: 5.2b

5.2.b Implement and troubleshoot router security features

5.2.b [i] IPv4 access control lists [standard, extended, time-based]

this is something that peter paluch posted on cln about the differences between route-maps, distribute lists  and acl’s.

thanks peter, i’m hijacking it… thanks for getting it out of him, sarah

Differences between ACL, Route-Maps and Distribution list – Excellent summary by Peter Paluch.

sarah Aug 2, 2015 7:37 AM


Difference between ACL , Distribution list and route map | WAN, Routing and Switching | Cisco Support Community | 5991 |…

“Let’s first talk about ACLs and route maps. ACLs, as you already know, were explained in CCNA as mechanisms to filter packets based on their properties – source and destination addresses, transport layer protocol and ports, flags and perhaps some other attributes. However, this is not the only possible use of ACLs. An ACL is basically a mechanism accepting certain input from the IOS (source, destination, protocol, port, etc.) and returning three possible results:

  • found a matching entry and the action is permit
  • found a matching entry and the action is deny
  • not found any matching entry

Now, because the ACL simply performs a matching operation and gives you a permit or deny result, you can use it in different places where some filtering based on addresses or address-like values is required. One of such applications is filtering the networks that are advertised or redistributed in routing protocols. In this case, we do not filter packets but rather, we filter the prefixes that are carried inside routing protocol’s messages.

A route-map is a generalization of ACL. In addition to the capability to match packets or prefixes and permit or deny them, it is also capable of performing certain operations that modify the router’s behavior or the attributes of these prefixes. Sometimes, a route-map is explained as an if-then-else mechanism: if some prefixes match some criteria then perform some specific action about them, else move to the next entry in the route-map.

Thus, the main differences between a route-map and an ACL are:

  • A route-map can perform matching operations based on very diverse attributes. An ACL performs matching based only on IP addresses, L4 protocols and ports and some additional variables typical for packet headers and contents. In fact, when a route-map needs to perform these kinds of matches, it simply calls an ACL to do this job. However, it can also perform matching on different criteria (AS paths, metrics, route types, outgoing interfaces, …) that are not matchable by an ACL.
  • A route-map can perform a set operation on the packets or prefixes it matched, modifying their route (packets) or their attributes (prefixes). An ACL can only permit or deny them but it can’t modify anything about them.

So to put it shortly, an ACL performs matching and filtering based on addressing information. A route-map performs matching, modification and filtering based on several types of matches, and it uses ACLs if the required matching is to be based on addressing information (it may also use other types of matches different from ACLs).

A distribution list is actually a misnomer and does not really belong here  A distribution list is really only a command that uses route-maps or ACLs to perform filtering of routing information advertised or received within a particular routing protocol. It is not a standalone filtering mechanism similar to ACLs/route-map. The relation between route-maps or ACLs and distribute lists is the same as the relation between ACLs and “ip access-groups”. An ACL is a mechanism to perform filtering while “ip access-group” is a command that uses this ACL to filter packets. In the very same way, an ACL or route-map is a mechanism to perform prefix filtering (and optional modification) while “distribute-list” is the command in the particular routing protocol’s configuration that uses this ACL or route-map to filter advertised or received prefixes.

Sometimes a confusion exists about the difference between distribute lists and redistribution. A redistribution is a process of injecting routes from a different source into a particular routing protocol. If filtering is required during this process, route-maps are used. Technically, ACLs could also be used but the Cisco command line does not support referring directly to ACLs when redistributing, so route-maps are used, and these in turn refer to ACLs to perform the actual filtering. A distribute list controls what prefixes are advertised or received within a single routing protocol, i.e. after they have been somehow injected into it, and it does not matter how.

So to sum it up – ACLs and route-maps perform matching, modification and filtering operations. Route-maps can refer to ACLs to perform matching operations based on addressing values. Both route-maps and ACLs can be referred to in a distribute-list command to filter networks advertised or received in a routing protocol. Additionally, route-map are used during redistribution to filter and modify the redistributed networks and their attributes. Route-maps also constitute the main tool used to match and modify attributes of BGP-advertised networks.

A last comment here: increasingly, the ACLs used to filter routing updates are replaced by so-called IP prefix lists. These IP prefix lists are easier to write and understand than ACLs and are evaluated more effectively when matching network prefixes. This would, however, require a totally new thread so I’m not going into that right now
Best regards,


5.2.b Implement and troubleshoot router security features

5.2.b [i] IPv4 access control lists [standard, extended, time-based]

Cisco provides basic traffic filtering capabilities with access control lists (also referred to as access lists). Access lists can be configured for all routed network protocols (IP, AppleTalk, and so on) to filter the packets of those protocols as the packets pass through a router.

Access lists filter network traffic by controlling whether routed packets are forwarded or blocked at the router’s interfaces. Your router examines each packet to determine whether to forward or drop the packet , on the basis of the criteria you specified within the access lists. Access list criteria could be the source address of the traffic, the destination address of the traffic, the upper-layer protocol, or other information. Note that sophisticated users can sometimes successfully evade or fool basic access lists because no authentication is required.

Standard ACLs are the oldest type of ACL. Standard ACLs control traffic by the comparison of the source address of the IP packets to the addresses configured in the ACL.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Location 5266).  . Kindle Edition.

Continue reading

5.2.b Implement and troubleshoot router security features

5.2.b [ii] IPv6 traffic filter

To filter incoming or outgoing IPv6 traffic on an interface, use the ipv6 traffic-filter command in interface configuration mode. To disable the filtering of IPv6 traffic on an interface, use the no form of this command.

ipv6 traffic-filter access-list-name {in | out} no ipv6 traffic-filter access-list-name

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5324-5325).  . Kindle Edition.



5.2.b Implement and troubleshoot router security features

5.2.b [iii] Unicast reverse path forwarding

Network administrators can use Unicast Reverse Path Forwarding (Unicast RPF) to help limit the malicious traffic on an enterprise network. This security feature works by enabling a router to verify the reachability of the source address in packets being forwarded. This capability can limit the appearance of spoofed addresses on a network. If the source IP address is not valid, the packet is discarded. Unicast RPF works in one of three different modes: strict mode, loose mode, or VRF mode. Unicast RPF requires CEF to be enabled.

When administrators use Unicast RPF in strict mode , the packet must be received on the interface that the router would use to forward the return packet. Unicast RPF configured in strict mode may drop legitimate traffic that is received on an interface that was not the router’s choice for sending return traffic. Dropping this legitimate traffic could occur when asymmetric routing paths are present in the network.

When administrators use Unicast RPF in loose mode, the source address must appear in the routing table. Administrators can change this behavior using the allow-default option, which allows the use of the default route in the source verification process. Additionally, a packet that contains a source address for which the return route points to the Null 0 interface will be dropped. An access list may also be specified that permits or denies certain source addresses in Unicast RPF loose mode.

Care must be taken to ensure that the appropriate Unicast RPF mode (loose or strict) is configured during the deployment of this feature because it can drop legitimate traffic. Although asymmetric traffic flows may be of concern when deploying this feature, Unicast RPF loose mode is a scalable option for networks that contain asymmetric routing paths.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5335-5343).  . Kindle Edition.


5.2.b Implement and troubleshoot router security features

here is the laundry list of tasks from the ccna security lab manual that covers chapters 1 through 9…  i haven’t been able to find a 64 bit cisco vpn client to support windows 7, so that shit’s out the door… the first time i tried to configure easy vpn server with ccp, it crashed my router, whoops… no problem there because i really dislike ccp… however this task list is good practice for any level… i’ll keep the time… i would suggest skipping part 5 altogether and replace with this task; build a site-to-site vpn from the cli… much more rewarding… the fact is anyone who is contemplating sitting the ccie lab exam should be able to complete all these tasks in record time, right? because these are bread and butter tasks, right? right…


Part 1: Create a Basic Security Policy
 Develop a network device security guidelines document.
Part 2: Basic Network Device Configuration
 Configure hostnames, interface IP addresses, and passwords.
 Configure static routing.
Part 3: Secure Network Routers
 Configure passwords and a login banner.
 Configure SSH access and disable Telnet.
 Configure HTTP secure server access.
 Configure a synchronized time source using NTP.
 Configure router syslog support.
 Configure centralized authentication using AAA and RADIUS.
 Use Cisco IOS to disable unneeded services and secure against login attacks.
 Use CCP to disable unneeded services.
 Configure a CBAC firewall.
 Configure a ZBF firewall.
 Configure intrusion prevention system (IPS) using Cisco IOS and CCP.
 Back up and secure the Cisco IOS image and configuration files.
Part 4: Secure Network Switches
 Configure passwords, and a login banner.
 Configure management VLAN access.
 Configure a synchronized time source using NTP.
 Configure syslog support.
 Configure SSH access.
 Configure AAA and RADIUS.
 Secure trunk ports.
 Secure access ports.
 Protect against STP attacks.
 Configure port security and disable unused ports.
Part 5: Configure VPN remote access
 Use CCP to configure Easy VPN Server.
 Use the Cisco VPN Client to test the remote access VPN.