Securing Your OSPF Network

Previous Table of Contents Next

Traffic filters enable you to control whether router traffic is forwarded or blocked at the router’s interfaces. You should use traffic filters to provide a basic level of security for accessing your network. If you do not configure traffic filters on your router, all traffic passing through the router could be allowed onto all parts of your network.

By setting up traffic filters at your router, you can control which traffic enters or leaves your network. Traffic filters are commonly used in firewalls. Typically, a router configured for traffic filtering is positioned between your internal network and an external network such as the Internet. Using traffic filtering routers enables you to control what traffic is allowed onto your internal network. By combining the routers’ filtering capabilities with that of a firewall, you can increase the security found in your network.

If you are using filters in firewalls, then you should always have filters applied to your router as well. This decreases the likelihood that a cyber thief will gain access to your network.

Traffic filtering services on Cisco devices are provided by access lists (also called “filters”). Access lists must be defined on a per-protocol basis. In other words, you should define access lists for every protocol enabled on an interface if you want to control traffic flow for that protocol. This section will cover the following topics:

  Standard access lists
  Lock-and-key security (with dynamic access lists)

The first section describes standard static access lists, which are the most commonly used type of access lists. Static access lists should be used with each routed protocol that you have configured for router interfaces. Lock-and-key security, available only for IP traffic, provides additional security functions.

Access Lists

Access lists can be used for many purposes. For example, access lists can be used to:

  Control the transmission of packets on an interface
  Control virtual terminal line access
  Restrict contents of routing updates

Access lists can be used for these and other purposes. However, not all uses are recommended as specific security measures. Only the first listed use, controlling packet transmission, is recommended as a valid security measure. The following sections describe how to use access lists to control packet transmission.

Configuring Access Lists for Specific Protocols

To control packet transmission for a given protocol, you must configure an access list for that protocol. Table 10-1 identifies the protocols for which you can configure access lists.

You should consider configuring access lists for each protocol that you have configured for an interface. Otherwise, the security is only partially applied to each interface within your network.

You must identify every access list by either a name or a number. You assign this name or number to each access list when you define the access list. Access lists of certain protocols must be identified by names, and access lists of other protocols must be identified by numbers. Some protocols can be identified by either names or numbers. When a number is used to identify an access list, the number must be within the specific range of numbers that is valid for the protocol.

Table 10-1 lists protocols that use access lists specified by numbers, and also includes the range of access list numbers that is valid for each protocol. Entries in italics indicate protocols for which you have the option of identifying access lists by names.

Although each protocol has its own set of specific tasks and rules required for you to provide traffic filtering, in general, most protocols require at least two steps to be accomplished. The first step is to create an access list definition, and the second step is to apply the access list to an interface.

Some protocols refer to access lists as “filters,” and some protocols refer to the act of applying the access lists to interfaces as “filtering.”

Creating Access Lists

Access list definitions provide a set of criteria that are applied to each packet that is processed by the router. The router decides whether to forward or block each packet based on whether or not the packet matches the access list criteria.

Table 10-1 Protocols with access lists by range
Protocol Range

IP 1-99
Standard VINES 1-100
Extended IP 100-199
Extended VINES 101-200
Ethernet type code 200-299
Transparent bridging (protocol type) 200-299
Source-route bridging (protocol type) 200-299
Simple VINES 201-300
DECnet and extended DECnet 300-399
XNS 400-499
Extended XNS 500-599
AppleTalk 600-699
Ethernet address 700-799
Source-route bridging (vendor code) 700-799
Transparent bridging (vendor code) 700-799
IPX 800-899
Extended IPX 900-999
IPX SAP 1000-1099
Extended transparent bridging 1100-1199

Typical criteria defined in access lists are packet source addresses, packet destination addresses, or upper-layer protocol of the packet. However, each protocol has its own specific set of criteria that can be defined.

For a given access list, you define each criteria in separate access list statements. These statements specify whether to block or forward packets that match the criteria listed. An access list, then, is the sum of individual statements that all share the same identifying name or number.

Each additional access list statement that you enter is appended to the end of the access list statements. Also, you cannot delete individual statements after they have been created. You can only delete an entire access list.

The order of access list statements is important. When the router is deciding whether to forward or block a packet, the Cisco IOS software tests the packet against each criteria statement in the order the statements were created. After a match is found, no more criteria statements are checked.

Previous Table of Contents Next

OSPF Network Design Solutions
OSPF Network Design Solutions
ISBN: 1578700469
EAN: 2147483647
Year: 1998
Pages: 200
Authors: Tom Thomas

Similar book on Amazon © 2008-2017.
If you may any questions please contact us: