Here we’re talking about using router ACLs for infrastructure security, that is, infrastructure ACLs applied inbound on the interfaces facing external networks, written so that only known-good flows can reach the network devices themselves while everything else still transits.
Here is an example:
- Deny non-initial fragments directed at infrastructure addresses. Fragmented traffic aimed at a router is normally associated with illegitimate flows, and an ACL cannot match Layer 4 ports in a non-initial fragment, so it is best dropped explicitly at the top (this might need to be amended if a given environment genuinely relies on fragmented traffic to its devices)
- Then permit BGP from the configured eBGP neighbors to the local peering addresses (locally sourced BGP needs no entry, since traffic the router generates itself is not subject to inbound ACL inspection on the local router), and SSH and SNMP from legitimate management platforms to infrastructure destinations
- Permit ICMP echo from legitimate stations, so reachability checks keep working
- Deny any other IP traffic directed at your network devices; this should ideally be logged, since hits here are either misconfiguration or reconnaissance
- Finally, permit transit (legitimate business) traffic: the infrastructure ACL is not a transit firewall, and without this entry the implicit deny at the end of every ACL would drop it
Then apply it inbound on the external-facing physical interface using the ip access-group <ACL name> in command. Entries are evaluated in order and the first match wins, so the sequence above matters.
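The policy above written out as a Cisco IOS extended ACL. This is an added example, not configuration from the original page; the address ranges (taken from the RFC 5737 documentation blocks), the eBGP neighbor address, the management subnet and the interface name are all assumptions and would be replaced with the real values for a given network:

```cisco
! Assumed addressing (documentation ranges, not real addresses):
!   192.0.2.0/24      infrastructure space (loopbacks and link addresses)
!   192.0.2.1         this router's eBGP peering address
!   203.0.113.1       eBGP neighbor on the external link
!   198.51.100.0/28   management platforms allowed SSH, SNMP and ping
!
ip access-list extended INFRA-ACL
 remark --- 1. drop non-initial fragments aimed at infrastructure ---
 remark ACLs cannot match L4 ports in non-initial fragments, so drop them first
 deny   tcp  any 192.0.2.0 0.0.0.255 fragments
 deny   udp  any 192.0.2.0 0.0.0.255 fragments
 deny   icmp any 192.0.2.0 0.0.0.255 fragments
 deny   ip   any 192.0.2.0 0.0.0.255 fragments
 remark --- 2. eBGP from the known neighbor only ---
 remark either side may open the TCP session, so port 179 can be on either end
 permit tcp host 203.0.113.1 host 192.0.2.1 eq bgp
 permit tcp host 203.0.113.1 eq bgp host 192.0.2.1
 remark --- 2. SSH and SNMP from management platforms to infrastructure ---
 permit tcp 198.51.100.0 0.0.0.15 192.0.2.0 0.0.0.255 eq 22
 permit udp 198.51.100.0 0.0.0.15 192.0.2.0 0.0.0.255 eq snmp
 remark --- 3. ICMP echo from management platforms ---
 permit icmp 198.51.100.0 0.0.0.15 192.0.2.0 0.0.0.255 echo
 remark --- 4. everything else aimed at infrastructure is dropped and logged ---
 deny   ip any 192.0.2.0 0.0.0.255 log
 remark --- 5. transit traffic passes; the implicit deny must not catch it ---
 permit ip any any
!
interface GigabitEthernet0/0
 description External link to upstream (assumed interface)
 ip access-group INFRA-ACL in
```

Two things to check after applying it. First, watch the hit counters with show ip access-lists INFRA-ACL: the BGP session should stay up and the logged deny entry should only be incrementing on traffic you did not expect. Second, the log keyword sends matching packets to the CPU and is rate-limited by the platform, so on a busy edge interface confirm that logging the catch-all deny does not become a load problem in itself. If the management platforms sit on the inside of the network, their traffic never arrives through this interface and the SSH, SNMP and ICMP entries can be narrowed or dropped accordingly.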