Dropping Traffic in IOS

Everyone is familiar with access-lists as a way to drop traffic in IOS.  They have become the standard, easy way to stop unwanted traffic from traversing the network at key points.  There are other options, as well as ways to optimize your access-lists, that are sometimes easier on your router's processor.

Access-lists tend to slow a router down.  Each packet is tested against the access-list from the top down until the first line matches, so depending on how long the list is and how well it is ordered, the router may evaluate many lines before the packet is finally permitted or dropped.  That eats processor cycles, and every access-list ends in an implicit deny: if you have a 1000-line access-list and a lot of packets match none of the lines, each of those packets costs you 1000 comparisons before it is dropped.

Option 1:  Rewrite your access-lists – Order your access-lists so that the lines most likely to match come first, whether that match is a permit or a deny.  For instance, let's say you have three servers: a web server at 1.1.1.1 to which you want to allow TCP ports 80 and 443, a mail server at 1.1.1.2 to which you allow TCP 25, and an SFTP server at 1.1.1.3 that needs TCP 22 opened up.

If they are built in this order and your access-list grows organically, it may look like the following.

ip access-list extended OUTSIDE_IN_ACL
permit tcp any host 1.1.1.1 eq 80
permit tcp any host 1.1.1.1 eq 443
permit tcp any host 1.1.1.2 eq 25
permit tcp any host 1.1.1.3 eq 22
<implicit deny any any>

This will work, but it can be optimized.  If your mail server gets the bulk of the traffic, followed by your web server and then your SFTP server, reorder the list accordingly.  As written, a packet destined for the mail server on port 25 has to fail lines 1 and 2 before line 3 lets it through, and each of those comparisons costs cycles.

Also, what if someone is probing to see whether your company has other web servers that are publicly reachable?  This access-list would block the probe, but the packet would be tested against all four lines before finally being dropped by the implicit deny any any.  Adding an explicit deny for each port, right after the permit for that port, drops the probe as soon as the router knows the port is not open on the allowed host.  Your new access-list may look like the following.

ip access-list extended OUTSIDE_IN_ACL
permit tcp any host 1.1.1.2 eq 25
deny tcp any any eq 25
permit tcp any host 1.1.1.1 eq 80
deny tcp any any eq 80
permit tcp any host 1.1.1.1 eq 443
deny tcp any any eq 443
permit tcp any host 1.1.1.3 eq 22
deny tcp any any eq 22
<implicit deny any any>

It is a bit harder to write and maintain, but it will reduce the load on your router.  The explicit deny lines have a side benefit: unlike the implicit deny, they carry match counters in show ip access-lists, so you can see how much traffic is being dropped per port and reorder the list based on measured hits rather than guesses.  Note that a probe to a port with no explicit deny (say 8080) still walks the whole list, and on platforms that evaluate access-lists in hardware, or in software with Turbo ACL (access-list compiled), the order no longer affects forwarding cost, only readability.
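As an added example, not from the original post: the reordered access-list with explicit sequence numbers so single lines can be inserted or removed later, applied inbound on the outside interface, followed by the commands used to read the per-line match counters and to renumber once you know the real traffic mix. The interface name FastEthernet0/0 and the optional explicit catch-all deny are assumptions; the addresses and ports are the ones used above.

```cisco
! Sequence numbers in steps of 10 leave room to slot a line in later
! without rebuilding the list.
ip access-list extended OUTSIDE_IN_ACL
 ! mail first: it carries the bulk of the traffic
 10 permit tcp any host 1.1.1.2 eq 25
 20 deny   tcp any any eq 25
 ! web next
 30 permit tcp any host 1.1.1.1 eq 80
 40 deny   tcp any any eq 80
 50 permit tcp any host 1.1.1.1 eq 443
 60 deny   tcp any any eq 443
 ! sftp last: lowest volume
 70 permit tcp any host 1.1.1.3 eq 22
 80 deny   tcp any any eq 22
 ! optional: an explicit catch-all behaves like the implicit deny but
 ! gives you a counter for everything else that is dropped
 90 deny   ip any any
!
! Assumption: the outside interface is FastEthernet0/0.
interface FastEthernet0/0
 ip access-group OUTSIDE_IN_ACL in
!
! Verification: every line is displayed with its "(N matches)" count.
! Lines with the most hits belong at the top of their port group,
! lines that never match belong at the bottom.
show ip access-lists OUTSIDE_IN_ACL
!
! Reset the counters, let real traffic run for a while, then look again
! before deciding on a final order.
clear ip access-list counters OUTSIDE_IN_ACL
!
! After inserting lines between existing ones, renumber 10, 20, 30 ...
! so there is room for the next insertion.
ip access-list resequence OUTSIDE_IN_ACL 10 10
```

Resist the temptation to add the log keyword to the deny lines while you are at it: logged matches are handled by the processor rather than the fast path, which reintroduces exactly the CPU cost this option is trying to remove.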

Option 2:  Route to null – This option drops traffic at forwarding speed, with no access-list evaluation at all.  Let's say you want to drop all traffic going to a certain IP address for security reasons, for example 2.2.2.2.  Simply add a route

ip route 2.2.2.2 255.255.255.255 null0

This sends all traffic destined for 2.2.2.2 straight down a black hole.  The drawbacks are that it matches on destination address only, and there is no per-prefix counter of how many packets were dropped (show interfaces Null0 only gives you the aggregate for everything sent to the null interface).  One thing to do before relying on it: by default the router answers every packet it discards on Null0 with an ICMP unreachable, which is process-switched and tells the sender exactly what happened, so disable that with no ip unreachables on the Null0 interface.
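As an added example, not from the original post: the null route the way it is usually deployed, with ICMP unreachables turned off on Null0, a loose-mode uRPF check on the edge interface so the same route also drops packets coming from the black-holed address, and the show commands to confirm what the forwarding plane is doing. The edge interface name FastEthernet0/0 is an assumption; 2.2.2.2 is the address used above.

```cisco
! Null0 discards silently, but by default the router still generates an
! ICMP unreachable per discarded packet. That is process-switched and
! defeats the point of dropping in the fast path, so turn it off.
interface Null0
 no ip unreachables
!
! Destination-based drop: anything routed toward 2.2.2.2 is discarded.
ip route 2.2.2.2 255.255.255.255 Null0
!
! Source-based drop from the same route: with loose-mode uRPF on the edge
! interface, a packet whose SOURCE address has a route pointing to Null0
! is also dropped. One static route now kills traffic to and from 2.2.2.2.
! Assumption: the outside-facing interface is FastEthernet0/0.
interface FastEthernet0/0
 ip verify unicast source reachable-via any
!
! Verification.
! The static route is installed and points at Null0:
show ip route 2.2.2.2
! The CEF entry for the host resolves to Null0, i.e. the drop happens in
! the forwarding path, not on the processor:
show ip cef 2.2.2.2
! Aggregate packets/bytes sent to the bit bucket (all null routes combined):
show interfaces Null0
! The uRPF check is active on the edge interface:
show ip interface FastEthernet0/0 | include verify
```

Loose-mode uRPF (reachable-via any) only asks whether some route exists for the source address and whether that route is Null0, so it is safe on interfaces with asymmetric routing; strict mode (reachable-via rx) would also require the return path to be the receiving interface, which is a much bigger change than this option calls for.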

Option 3: Route-Map – This option, policy-based routing, lets you match traffic on a combination of criteria, such as an access-list (addresses, ports, IP precedence or DSCP) or packet length, and send what matches to the null interface.  Simply write your route-map and set the outgoing interface to Null0.  One thing to keep straight: a route-map's set tag and match tag act on routes in the routing table (they are meant for redistribution), not on packets, so a mark that has to travel with the packet to another router must live in the IP header.  IP precedence (or DSCP) is the field that PBR can set on the way in and, through an extended access-list, match on the way out.  In this example, if you wanted to mark a packet as it enters your network and then make sure it doesn't leave, you could do the following.

To mark packets with a source address of 3.3.3.3 with IP precedence 5 on the inbound router, then drop anything still carrying that mark on the outbound router:

!!!! on inbound router !!!!

ip access-list standard SOURCE_ACL
permit host 3.3.3.3

route-map TAG5 permit 10
match ip address SOURCE_ACL
set ip precedence 5

interface fa0/0
ip policy route-map TAG5

!!!! on outbound router !!!!

ip access-list extended TAGGED_ACL
permit ip any any precedence 5

route-map DROP5 permit 10
match ip address TAGGED_ACL
set interface Null0

interface fa0/0
ip policy route-map DROP5

The drawback is that policy-based routing costs processor cycles: it is evaluated for every packet entering the interface, before the routing-table lookup.  So it adds some overhead, but it lets you mark packets on the way in and drop them only if they try to leave, which a plain access-list cannot do.  Two caveats: precedence is just a header field, so anything upstream can set it to 5 as well, and the outbound router drops every packet carrying that value, not only the ones your inbound router marked; and any QoS policy in between that rewrites precedence or DSCP will erase the mark.  On either router, show route-map displays how many packets and bytes each route-map entry has policy-routed, which is the counter you use to confirm the marking and the dropping are both happening.

Option 4: class based dropping – Yet another way is to do class based dropping.  This allows you to match on multiple criteria at once and take action.  In this case you want to match all packets that are marked w/ a dscp value of af11, are between 1200 and 1250 in size and are icmp, then drop them.  This is a more common scenario with worms, where you don’t want to match a single criteria as that could give false positives.

class-map match-all MULTIMATCH_CM
match ip dscp af11
match packet length min 1200 max 1250
match protocol icmp

policy-map DROP_PM
class MULTIMATCH_CM
drop

inter fa0/0

service-policy input DROP_PM

All of these can be used together.  On the same interface you can have access-lists, policy-based routing and service-policies while some destinations are routed to Null0, which gives you a lot of control over your packet-dropping strategy throughout the network.  Keep the order of operations in mind: an inbound access-list is checked before policy routing and before the routing lookup, so traffic the access-list denies never reaches the route-map or the null route.  The per-class counters in show policy-map interface fa0/0 tell you how much each class is dropping.  And remember that the best policy is always applied at the point closest to the source; that way you don't have one device trying to drop everything.

Author: Alex Jerrold, Cisco Security CCIE
Posted at Adcap Tech Tips


Last Updated: December 2nd, 2011

