Thursday, June 14, 2012

Configuring CBAC - Context Based Access Control

When it comes to security, I think you should always implement an actual firewall such as an ASA. However, if you are a small business and need to get a stateful firewall up and running, then Cisco Context Based Access Control (CBAC) is the way to go. It's lightweight, easy to configure, and it gets the job done.

Consider this topology below and let's see how easily we can get it configured.


Sunday, June 10, 2012

Configuring BGP - ORF (Outbound Route Filtering)

Outbound route filtering (ORF) in BGP reminds me of the spam I get in my mail every day. Even though I end up throwing (filtering) most of it away, I still have to spend time looking at it, opening it and/or reading it, which in turn wastes my time and my brain cycles. Wouldn't it be much more efficient if I could just tell the post office not to send it at all? Well, in BGP we can actually do this. We can tell our BGP neighbor what to filter out before it sends updates, so we do not have to waste (CPU) time processing them. Ideally this would be implemented at ISP peerings, so ISPs do not have to deal with customer requests about what needs to be advertised and what needs to be filtered.

For example, if you are BGP peered with an ISP and you have a route-map that filters all routes except the default route, the ISP still sends you the whole Internet routing table, and your CPU processes the entire table before filtering it down to the default route.

Consider this topology and let's see how we can efficiently perform BGP filtering and conserve our router's resources.
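As an added example (not taken from the original post, which uses its own topology), here is an IOS configuration for the default-route case described above, with the inbound prefix-list pushed to the ISP via ORF. The link addresses (192.0.2.1/192.0.2.2), AS numbers (64496 customer, 64500 ISP) and the prefix-list name are constructed placeholders.

```cisco
! --- Customer router (AS 64496): only wants the default route from the ISP ---
! The inbound prefix-list is what the router would normally apply after
! receiving the full table. With "capability orf prefix-list send" the same
! list is also sent to the ISP, so the ISP filters before it advertises.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
router bgp 64496
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 prefix-list DEFAULT-ONLY in
 neighbor 192.0.2.1 capability orf prefix-list send
!
! --- ISP router (AS 64500): agrees to accept the customer's filter ---
router bgp 64500
 neighbor 192.0.2.2 remote-as 64496
 neighbor 192.0.2.2 capability orf prefix-list receive
!
! Once the session is up, push (or refresh) the filter without a hard reset,
! then confirm on the ISP side what filter it received:
!   Customer# clear ip bgp 192.0.2.1 in prefix-filter
!   ISP# show ip bgp neighbors 192.0.2.2 received prefix-filter
```

The local inbound prefix-list still applies even if the ISP does not negotiate the ORF capability, so the filter is enforced either way; ORF only moves the work upstream when both sides support it.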