I am currently trying to lock down a firewall with only a few accept rules for actual servers/traffic. Since some connectivity to the internet is needed (like Windows updates and such) we need to filter this with access-lists. With these access-lists I simply create a few ‘ALLOW’ rules for the actual traffic and a ‘REJECT’ for all the rest.

Sites like Microsoft have big address ranges worldwide that often change location, so it would be impossible to filter this based on IPs (or even ranges) – instead we are going to filter based on the AS (Autonomous System) number/path.

For example:

[code]as-path access-list xx permit 111
as-path access-list xx permit 111 222
as-path access-list xx permit 111 222 3[/code]

This would allow the following paths:
[code]111 222
111 222 3[/code]

Cisco has the ability to use regular expressions within an as-path filter list. So you could use the following to permit traffic for the above AS numbers:

[code]as-path access-list xx permit ^(_111)+(_222)+(_3)?$[/code]

As you can see, a lot shorter and way more flexible!
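Before putting a pattern like this on a router it is worth checking which AS_PATHs it actually permits. The following is an added example, not part of the original post: a small Python emulator of Cisco as-path regex matching. The only Cisco-specific token is `_`, which matches a comma, a left or right brace, a space, or the start or end of the path; everything else is ordinary regex syntax. The sample AS_PATHs are constructed (the AS numbers 111, 222 and 3 come from the post, the paths around them are made up), and the access-list evaluation with first-match-wins and an implicit deny mirrors how Cisco evaluates an ip as-path access-list. It also shows the same intent written as exact-match entries, so you can see that only the regex version still permits a path where AS 111 has prepended itself.

```python
import re

# Cisco "_" in an as-path regex matches a comma, a left or right brace,
# a space, or the beginning or end of the AS_PATH string.
_UNDERSCORE = r"(?:^|$|[ ,{}])"


def cisco_as_path_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Cisco as-path regex into a compiled Python regex."""
    return re.compile(pattern.replace("_", _UNDERSCORE))


def as_path_matches(pattern: str, as_path: str) -> bool:
    """True if AS_PATH (ASNs separated by single spaces, as printed by
    'show ip bgp') matches the Cisco pattern."""
    return cisco_as_path_regex(pattern).search(as_path) is not None


def evaluate_as_path_acl(rules, as_path: str) -> str:
    """Evaluate an ordered as-path access-list given as (action, pattern)
    tuples. The first matching entry wins; a path that matches no entry
    is implicitly denied, as on the router."""
    for action, pattern in rules:
        if as_path_matches(pattern, as_path):
            return action
    return "deny"


# Constructed sample AS_PATHs: the two wanted paths, the same chain with
# AS 111 prepended, and a few look-alikes a careless pattern would permit.
SAMPLE_PATHS = [
    "111 222",
    "111 222 3",
    "111 111 222 3",   # 111 prepended once more: same origin chain
    "111 3",           # 222 missing from the chain
    "1111 222",        # a different AS that merely starts with 111
    "111 2223",        # a different AS that merely starts with 222
    "999 111 222",     # reached through a third AS first
]

# The single regex entry: one or more 111, one or more 222, optionally 3.
REGEX_ACL = [("permit", r"^(_111)+(_222)+(_3)?$")]

# The same two wanted paths written as exact-match entries.
EXACT_ACL = [
    ("permit", r"^111_222$"),
    ("permit", r"^111_222_3$"),
]


def classify(rules) -> dict:
    """Map every sample path to the action the given access-list yields."""
    return {path: evaluate_as_path_acl(rules, path) for path in SAMPLE_PATHS}


if __name__ == "__main__":
    for name, acl in (("regex", REGEX_ACL), ("exact", EXACT_ACL)):
        print(f"--- {name} access-list ---")
        for path, action in classify(acl).items():
            print(f"{path:16} {action}")
```

Running it shows the regex entry permitting `111 222`, `111 222 3` and the prepended `111 111 222 3` while denying the look-alikes, whereas the exact-match entries deny the prepended path. One practical note when typing the pattern into IOS: `?` is the context-help key, so it has to be preceded by Ctrl-V to be entered literally.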
