Softflowd is a flow-based network traffic analyser capable of Cisco NetFlow data export. Softflowd semi-statefully tracks traffic flows recorded by listening on a network interface or by reading a packet capture file. These flows may be reported via NetFlow to a collecting host or summarised within softflowd itself.
Softflowd supports Netflow versions 1, 5 and 9 and is fully IPv6-capable – it can track IPv6 flows and send export datagrams via IPv6. It also supports export to multicast groups, allowing for redundant flow collectors.
ACLs can be used as an antispoofing mechanism. Spoofing protection involves discarding traffic that has an invalid source address. As a rule, administrators should not allow any IP packets containing the source address of any internal hosts or networks inbound to a private network.
access-list 112 permit icmp any any echo-reply
access-list 112 permit icmp any any source-quench
access-list 112 permit icmp any any unreachable
access-list 112 deny icmp any any
access-list 112 permit ip any any
access-list 114 permit icmp any any echo
access-list 114 permit icmp any any parameter-problem
access-list 114 permit icmp any any packet-too-big
access-list 114 permit icmp any any source-quench
access-list 114 deny icmp any any
access-list 114 permit ip any any
Many network administrators are unaware that IPv6 is enabled on most operating systems.
Dual-stacked hosts can configure themselves, and may be subject to rogue router advertisements (RAs).
Attackers can exploit the routing header (RH) to pivot through multiple hops.
Attackers can exploit automatic tunnels to pivot unnoticed by firewalls and IPS.
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any
object-group service eng_srv_group
tcp source range 1 65535 telnet
tcp-udp range 2000 2005
ip access-list extended acl_policy
permit object-group eng_srv_group object-group eng_network_group any
deny tcp any any
Firewall types: packet filtering, stateful, application gateway (proxy), address-translation, host-based, transparent, and hybrid firewalls.
<1-99> IP standard access list
<100-199> IP extended access list
<1000-1099> IPX SAP access list
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX summary address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<300-399> DECnet access list
<600-699> Appletalk access list
<700-799> 48-bit MAC address access list
<800-899> IPX standard access list
<900-999> IPX extended access list
dynamic-extended Extend the dynamic ACL absolute timer
rate-limit Simple rate-limit specific access list
access-list 1 permit host 192.168.180.1
access-list 1 permit 192.168.180.1 0.0.0.0
access-list 100 permit ip host 192.168.180.1 host 192.168.180.2
access-list 100 permit tcp host 192.168.180.1 host 192.168.180.2 eq 80
R2(config-if)# ip access-group 100 in
ip access-list standard STANDAR-ACL
permit host 192.168.180.1
ip access-list extended EXTENDED-ACL
permit tcp host 192.168.180.1 host 192.168.180.2 established
The access-class extended ACL only supports the any keyword as the destination.
ip access-list extended PERMIT-ADMIN-LINE
permit tcp host 192.168.180.1 any eq 22 log
deny ip any any
line vty 0 4
access-class PERMIT-ADMIN-LINE in
If using Cisco IOS Release 12.3 and later, sequence numbers can be used to ensure that ACEs are added in the correct location. The ACL is processed top-down based on the sequence numbers of the ACEs (lowest to highest).
Router-generated packets, such as routing table updates, are not subject to outbound ACL statements on the source router. If the security policy requires filtering these types of packets, inbound ACLs on adjacent routers or other router filter mechanisms using ACLs must do the filtering task.
Prefixing an ACE with the no parameter results in deleting the entire ACL, not just that ACE.
On standard access lists, the Cisco IOS will add new entries by descending order of the IP address, regardless of the sequence number. Therefore, the sequence number in a standard ACL is used as an identifier of a specific ACE for deletion purposes.
All entries, regardless of the order in which they were entered, were placed in order of descending IP address, from specific to general.
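To make the top-down, first-match evaluation and the implicit deny concrete, here is a small evaluator for the numbered IPv4 ACL lines shown above. It is an added example, not IOS code or anything from the page; it only understands the ACE forms used on this page (host, any, address plus wildcard, and eq PORT) and reports which ACE matched, which also exposes that the second ACE of the page's ACL 100 is shadowed by the first.

```python
"""Evaluate Cisco-style numbered IPv4 ACLs top-down with the implicit deny."""
from ipaddress import ip_address

ANY = (0, 0xFFFFFFFF)  # address 0 with an all-ones wildcard matches everything

def _addr(tok, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' plus an optional 'eq PORT'."""
    if tok[i] == "any":
        rule, i = ANY, i + 1
    elif tok[i] == "host":                      # host A is the same as A 0.0.0.0
        rule, i = (int(ip_address(tok[i + 1])), 0), i + 2
    else:
        rule = (int(ip_address(tok[i])), int(ip_address(tok[i + 1])))
        i += 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = int(tok[i + 1]), i + 2
    return rule, port, i

def parse_ace(line):
    """Parse one ACE; standard ACLs (1-99, 1300-1999) carry only a source."""
    tok = line.split()
    number = int(tok[1])
    standard = number <= 99 or 1300 <= number <= 1999
    proto, i = ("ip", 3) if standard else (tok[3], 4)
    src, sport, i = _addr(tok, i)
    dst, dport = (ANY, None) if standard else _addr(tok, i)[:2]
    return {"action": tok[2], "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def _match(rule, ip):
    """Cisco wildcard semantics: bits set in the wildcard are don't-care."""
    addr, wild = rule
    return (int(ip_address(ip)) | wild) == (addr | wild)

def evaluate(acl, pkt):
    """Return (action, index of first matching ACE); no match is the implicit
    'deny ip any any', reported with index None."""
    for idx, ace in enumerate(acl):
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_match(ace["src"], pkt["src"]) and _match(ace["dst"], pkt["dst"])):
            continue
        if (ace["sport"] not in (None, pkt.get("sport"))
                or ace["dport"] not in (None, pkt.get("dport"))):
            continue
        return ace["action"], idx
    return "deny", None
```

Feeding it the two ACL 100 lines from above shows that an HTTP packet between the two hosts is matched by index 0 (the permit ip ACE), so the tcp eq 80 entry never fires; a packet from any other source falls through to the implicit deny.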
INBOUND = Pre-Routing
OUTBOUND = Post-Routing
Packet debugging captures the packets that are process-switched, including received, generated, and forwarded packets.