I want to share something specific I learned that seems to be outside the official CCNP curriculum.
Despite the fact that I've done some (L2) traffic separation for untrusted devices, there are still, unfortunately, some that need to be on my internal L3 network for now (Google-based devices like a Google TV-based TV and an old Google Home; Nest products don't interest me), so I decided to do something about this to restrict vertical traffic and potential attacks from old, unsupported or not-so-trusted hosts.
While I could separate the traffic at L2 and forward it to a virtual firewall or my FGT internet firewall appliance, that, in my opinion, causes sub-optimal traffic flows due to network limitations/design, since the budget won't allow better gear for my needs (like a VXLAN/VPNv4 overlay with route leaking etc.).
So, all I have to work with is an old, unsupported Cisco IOS v15 (Classic) multilayer central switch in my home network.
I thought this would be pretty easy. Just allow host services like DHCP/netboot, intra-VLAN traffic etc., block RFC1918 and allow everything else. Ez Pz. Except netboot to my netboot.xyz server didn't work initially and I couldn't easily figure out why.
```
ip access-list extended RESTRICTED_ACCESS
 remark NETWORK_SERVICES
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 remark ALLOW_PING
 permit icmp any any echo
 permit icmp any any echo-reply
 remark ALLOW_PXE_SERVER
 permit udp any host 192.168.56.3 eq tftp
 permit tcp any host 192.168.56.3 eq www
 remark PERMIT_INTRA-VLAN
 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255 log
 remark DENY_RFC1918
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 remark ALLOW_EVERYTHING_ELSE
 permit ip any any log
```
I needed some visibility on the ports and protocols like a firewall log... Cisco conditional debugging to the rescue!
The specific Cisco debug I used was `debug ip packet detail`.
Unfortunately, the detail was overwhelming and showed far too much information for any human to interpret, and it nearly brought down the switch, so I had to constrain or filter the output with a debug condition similar to the following:
`debug condition ip 192.168.0.4`
This produced the information I required and allowed me to pinpoint the missing port and protocol!
```
21w3d: IP: s=192.168.0.1 (local), d=192.168.0.4 (Vlan666), len 56, sending
21w3d: ICMP type=3, code=13
21w3d: IP: s=192.168.0.1 (local), d=192.168.0.4 (Vlan666), len 56, output feature
21w3d: ICMP type=3, code=13, Check hwidb(88), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
21w3d: IP: s=192.168.0.1 (local), d=192.168.0.4 (Vlan666), len 56, sending full packet
21w3d: ICMP type=3, code=13pak 599DB6C consumed in input feature , packet consumed, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
21w3d: IP: s=192.168.0.4 (Vlan666), d=192.168.56.3, len 32, access denied
21w3d: UDP src=62557, dst=30002
21w3d: FIBipv4-packet-proc: route packet from Vlan666 src 192.168.0.4 dst 192.168.56.3
21w3d: FIBfwd-proc: packet routed by adj to Vlan56 192.168.56.3
21w3d: FIBipv4-packet-proc: packet routing succeeded
21w3d: IP: s=192.168.0.1 (local), d=192.168.0.4, len 56, local feature
21w3d: ICMP type=3, code=13, CASA(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
21w3d: IP: s=192.168.0.1 (local), d=192.168.0.4, len 56, local feature
```
As you can see in the above output, UDP port 30002 was blocked (due to the implicit deny any rule), so adding that in before the deny RFC1918 entry resolved this for me. Happy days.
So here's the final ACL that worked a treat.
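To see which ACL entry a given flow actually lands on, here is a small first-match evaluator for the subset of IOS extended-ACL syntax used above, fed with the blocked netboot flow from the debug output (192.168.0.4:62557 to 192.168.56.3 UDP/30002). This is an added example written for this post, not Cisco code or anything from the original; the wildcard-mask matching and top-down first-match semantics are standard IOS ACL behaviour.

```python
import ipaddress

# Added example (not Cisco code): first-match evaluator for the subset of IOS
# extended-ACL syntax this page uses, to show which entry a flow actually hits.
# Handles permit/deny; ip/udp/tcp/icmp; any / host A / A WILDCARD; optional
# 'eq PORT' on either side. ICMP type keywords and 'log' are ignored.
ORIGINAL_ACL = """\
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any echo
permit icmp any any echo-reply
permit udp any host 192.168.56.3 eq tftp
permit tcp any host 192.168.56.3 eq www
permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255 log
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any log
"""
# The post's fix: the netboot port, inserted ahead of the RFC1918 denies.
FIXED_ACL = ORIGINAL_ACL.replace(
    "permit tcp any host 192.168.56.3 eq www",
    "permit udp any host 192.168.56.3 eq 30002\npermit tcp any host 192.168.56.3 eq www")
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "tftp": 69, "www": 80}

def _ip(s):
    return int(ipaddress.ip_address(s))

def _parse_addr(t):  # -> ((base, wildcard), remaining tokens)
    if t[0] == "any":
        return (0, 0xFFFFFFFF), t[1:]
    if t[0] == "host":
        return (_ip(t[1]), 0), t[2:]
    return (_ip(t[0]), _ip(t[1])), t[2:]

def _parse_port(t):  # -> (port or None, remaining tokens)
    if t and t[0] == "eq":
        return PORT_NAMES.get(t[1]) or int(t[1]), t[2:]
    return None, t

def _addr_match(spec, addr):
    base, wildcard = spec  # wildcard 0-bits must match; 1-bits are don't-care
    return ((_ip(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(acl, proto, src, sport, dst, dport):
    """Walk the ACL top-down; return (action, entry). Implicit deny at the end."""
    for line in acl.splitlines():
        t = line.split()
        action, ace_proto = t[0], t[1]
        a_src, t = _parse_addr(t[2:])
        a_sport, t = _parse_port(t)
        a_dst, t = _parse_addr(t)
        a_dport, t = _parse_port(t)
        if (ace_proto in ("ip", proto) and _addr_match(a_src, src)
                and _addr_match(a_dst, dst) and a_sport in (None, sport)
                and a_dport in (None, dport)):
            return action, line
    return "deny", "implicit deny ip any any"
```

Running `evaluate(ORIGINAL_ACL, "udp", "192.168.0.4", 62557, "192.168.56.3", 30002)` returns the entry the flow stops at, and the same call against `FIXED_ACL` returns the new permit, which is why the ordering relative to the DENY_RFC1918 block matters. The ICMP type 3 code 13 (administratively prohibited) replies in the debug output are the switch telling the host exactly that an ACL dropped the packet.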
```
ip access-list extended RESTRICTED_ACCESS
 remark NETWORK_SERVICES
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 remark ALLOW_PING
 permit icmp any any echo
 permit icmp any any echo-reply
 remark ALLOW_PXE_SERVER
 permit udp any host 192.168.56.3 eq tftp
 permit udp any host 192.168.56.3 eq 30002
 permit tcp any host 192.168.56.3 eq www
 remark PERMIT_INTRA-VLAN
 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255 log
 remark DENY_RFC1918
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 remark ALLOW_EVERYTHING_ELSE
 permit ip any any log
```
Yes, I know I can (and probably will) tighten it some more and make DNS more specific (or remove it entirely to enforce Quad9 DNS and prevent poisoning), but I wanted an ACL that is as simple as possible so I can easily model it and apply it to other interfaces and SVIs, which, I might add, is being done, and so far it is working well.