Border filters

Dec 10th, 2007

I need to place filters on my border routers to try and prevent IP spoofing for PCI compliance. Has anyone done this and know how these filters are supposed to be configured?

Richard Burts Mon, 12/10/2007 - 08:28

Quinton


A filter for spoofed addresses is fairly simple. It is generally done on the router at the edge of your network facing your service provider and is configured as an inbound access list. The access list should start with statements that deny any IP packet whose source address is in the address space used inside your network. You would then permit other IP traffic. Some people make these access lists filter other things such as filtering private address space in the source address or filtering other bogon addresses. But if your requirement is spoofed addresses then it is sufficient to deny inbound packets whose source address is one of your internal addresses.
HTH

Rick

qbakies11 Mon, 12/10/2007 - 12:59

Thanks for the reply Rick. Can you provide a generic example?

Richard Burts Mon, 12/10/2007 - 13:11

Quinton


Here is a very basic example. Assume that the network inside uses the 200.200.200.0/24 network. So a spoofed packet would come to your router outside interface with a source address of 200.200.200.x and you want to deny it. Also assume that your outward facing interface is serial 1/0.

access-list 150 deny ip 200.200.200.0 0.0.0.255 any
access-list 150 permit ip any any
interface serial1/0
 ip access-group 150 in

HTH

Rick
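A worked version of the ACL above, added here as an example and not code from Rick's post: a short Python script that renders the IOS deny lines (including the wildcard mask) for a list of internal prefixes, then evaluates sample inbound source addresses with first-match semantics the way the router would. It generalizes the post's single /24 to any number of internal prefixes; the prefix list and sample addresses are constructed.

```python
import ipaddress

# Address space used inside the network (constructed list; the post only
# uses 200.200.200.0/24). A packet arriving inbound from the provider
# with one of these as its source address is spoofed.
INTERNAL_PREFIXES = ["200.200.200.0/24"]


def acl_entries(internal_prefixes):
    """Return (action, network) pairs: deny each internal prefix, then permit the rest."""
    entries = [("deny", ipaddress.ip_network(p, strict=False)) for p in internal_prefixes]
    entries.append(("permit", ipaddress.ip_network("0.0.0.0/0")))
    return entries


def render_ios(acl_number, entries):
    """Render entries as IOS numbered extended ACL lines.

    IOS expresses the match with a wildcard (inverse) mask; ipaddress
    exposes exactly that value as the network's .hostmask.
    """
    lines = []
    for action, net in entries:
        if net.prefixlen == 0:
            lines.append(f"access-list {acl_number} {action} ip any any")
        else:
            lines.append(
                f"access-list {acl_number} {action} ip "
                f"{net.network_address} {net.hostmask} any"
            )
    return lines


def lookup(entries, src):
    """First-match evaluation of an inbound packet's source address.

    Returns 'deny' or 'permit'. The trailing 'deny' models the implicit
    deny at the end of every IOS ACL.
    """
    addr = ipaddress.ip_address(src)
    for action, net in entries:
        if addr in net:
            return action
    return "deny"


if __name__ == "__main__":
    entries = acl_entries(INTERNAL_PREFIXES)
    print("\n".join(render_ios(150, entries)))
    for src in ["200.200.200.17", "198.51.100.9"]:  # constructed sample sources
        print(src, "->", lookup(entries, src))
```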
