IINS 210-260

ACL filtering and L2 Data Plane Protection

One of the most basic and fundamental protections for the data plane is an interface ACL: an access control list applied in a given direction (inbound or outbound, ingress or egress) on an interface to block unwanted traffic or particular users. It helps mitigate denial-of-service attacks and also serves as an antispoofing mechanism. ACLs can also provide bandwidth control, and they can classify traffic to protect the other planes: an interface ACL can control access to the VTY lines used for management (what we call reducing the attack surface), or restrict the content of routing updates, which helps protect the control plane.

Here is a list of the most common use cases for ACLs:

  • Block unwanted traffic or users - Access lists can filter incoming or outgoing packets on an interface, and control access using source addresses, destination addresses, or user authentication. You can also use access lists to determine which types of traffic are forwarded or blocked at the router interfaces. For example, you can permit e-mail traffic to be routed, but at the same time block all Telnet traffic.
  • Reduce the chance of DoS attacks - There are a number of ways to reduce the chance of DoS attacks. For example, by specifying IP source addresses, you can control whether traffic from hosts, networks, or users access your network. You can filter on specific Time to Live (TTL) values in packets to control how many hops a packet can take before reaching a router in your network. By configuring the TCP Intercept feature, you can prevent servers from being flooded with requests for a connection.
  • Mitigate spoofing attacks - ACLs allow security practitioners to implement recommended practices to mitigate spoofing attacks. The guidelines that are found in several RFCs provide basic filtering, and can be easily deployed using ACLs.
  • Provide bandwidth control - An access list on a slow link can prevent excess traffic.
  • Classify traffic to protect other planes - You can place an access list on inbound VTY (Telnet) line access from certain nodes or networks. For the control plane, access lists can control routing updates being sent, received, or redistributed.

For years we have used access control lists as antispoofing mechanisms, basically discarding traffic that has an invalid source address: either an outside host trying to masquerade as a legitimate host on the inside of our network, or an internal user spoofing addresses that are legitimate on the outside. The bottom line is that this can be done in both directions, against external attackers and against mischievous internal users.

Basically, people spoof source IP addresses either to evade traceability and bypass access controls, or because the owner of the actual source IP address is the ultimate target: the attacker floods servers and routers and forces them to send error messages back to that spoofed IP address. That is a reflection attack, so spoofing is used in a wide variety of ways. The spoofed addresses can be invalid ones, such as RFC 1918 private addresses, other special-use addresses, or the 224 multicast range, for example. A packet should never be sourced from the multicast range, nor from the private IP address space (192.168.1.x, for example). But the spoofed address could also be from a valid network address range that simply is not coming from a legitimate network. So we want to implement BCP 38 / RFC 2827 ingress traffic filtering to deal with source IP address spoofing by making invalid source IP addresses ineffective; it forces attacks to be initiated from valid, reachable IP addresses.

The traditional method for doing this is an interface ACL; however, ACLs are not dynamic and have to be configured manually. They can also have a considerable performance impact, especially when the router has to read through a long list of access control entries for every packet. So you can use a feature like uRPF (Unicast Reverse Path Forwarding) to complement your antispoofing strategy.
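As an added example (not from the course or from Cisco), the RFC 2827 / BCP 38 filtering described above modelled in Python: an ordered entry list evaluated with IOS first-match semantics and an implicit deny, a one-line egress list for the inside-user direction, and a renderer that prints the same entries as an IOS named extended ACL. The prefix 203.0.113.0/24 and the ACL names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

N = ipaddress.ip_network
# Constructed: 203.0.113.0/24 (an RFC 5737 documentation range) stands in for "our" public prefix.
INTERNAL_NET = N("203.0.113.0/24")
ANY = N("0.0.0.0/0")

@dataclass(frozen=True)
class Ace:  # one access control entry, IOS extended-ACL style
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    note: str = ""

# Ingress filter for the Internet-facing interface: top down, first match wins, implicit deny at end.
ANTISPOOF_IN = [
    Ace("deny", INTERNAL_NET, ANY, "our own prefix must never arrive from outside"),
    Ace("deny", N("10.0.0.0/8"), ANY, "RFC 1918"),
    Ace("deny", N("172.16.0.0/12"), ANY, "RFC 1918"),
    Ace("deny", N("192.168.0.0/16"), ANY, "RFC 1918"),
    Ace("deny", N("127.0.0.0/8"), ANY, "loopback"),
    Ace("deny", N("224.0.0.0/4"), ANY, "multicast is never a valid source"),
    Ace("permit", ANY, INTERNAL_NET, "anything else, but only towards our hosts"),
]
# Egress filter: inside hosts may only use our own prefix as source, so an internal user cannot spoof outside addresses.
ANTISPOOF_OUT = [Ace("permit", INTERNAL_NET, ANY, "only our own sources may leave")]

def evaluate(acl, src_ip, dst_ip):
    # Return (action, note) for one packet, mimicking IOS first-match semantics.
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.action, ace.note
    return "deny", "implicit deny at end of list"

def _ios_addr(network):
    # IOS ACEs take a wildcard (inverse) mask, "any", or "host x.x.x.x".
    if network == ANY:
        return "any"
    if network.prefixlen == 32:
        return f"host {network.network_address}"
    return f"{network.network_address} {network.hostmask}"

def to_ios(acl, name):
    # Render the entry list as an IOS named extended ACL, one ACE per line.
    return [f"ip access-list extended {name}"] + [
        f" {ace.action} ip {_ios_addr(ace.src)} {_ios_addr(ace.dst)}" for ace in acl
    ]
```

A packet from a public address that is not destined to our prefix hits the implicit deny, which is the transit case the ingress filter is also meant to refuse.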

Layer 2 data plane protection

Depending on how advanced your platform is and on feature availability (which may also be a licensed feature), there are other mechanisms you can use to protect the data plane. For example, on a Cisco Catalyst switch or a multilayer switch you may have additional features. We have port security, which we can apply in the basic configuration of our access ports. We have DHCP snooping, which builds a binding table mapping legitimate IP addresses to MAC addresses. We have Dynamic ARP Inspection, which inspects the behavior of the ARP protocol, and IP Source Guard, which prevents IP spoofing using that same DHCP snooping binding table; where the other features apply only to ARP and DHCP traffic, it protects all IP traffic.