CSS 11500 + IP spoofing trouble with inbound connections

Unanswered Question

Hello, maybe I've posted in the wrong branch; if so, please move it to the right one. Sorry for my English :)

I have a Cisco CSS 11500 and a caching server that can spoof IPs. The network scheme and configs are as described in http://www.cisco.com/en/US/products/hw/contnetw/ps546/products_configuration_example09186a00801adbe2.shtml

From the clients' computers web browsing works normally, but when an inbound connection is needed there is a problem. After some troubleshooting I noticed that from some IPs I can ping the clients' computers but from others I can't, even if they are in the same /24 network ... this is because of IP routing:

ip route 1

ip route 1

So the CSS is trying to load-balance across two links, BUT only one link goes to the clients! (The other goes to the caching server.)

How can I resolve this problem??? If I set the metric on the route to the cache server higher than the one to the clients, then this scheme can't work...

mchin345 Wed, 11/26/2008 - 12:19

Many network attacks rely on an attacker that falsifies, or spoofs, the source addresses of IP datagrams. Some attacks rely on spoofing in order to work at all. Other attacks are much harder to trace if the attackers can use someone else's address instead of their own. Therefore, preventing spoofing wherever it is feasible is valuable for network administrators.

Antispoofing should be done at every point in the network where it is practical, but it is usually both easiest to do and most effective at the borders between large address blocks or between domains of network administration. Antispoofing on every router in a network is usually impractical because it is difficult to determine which source addresses can legitimately appear on any given interface.

To improve security on the CSS 11500, click this link.
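The check that the antispoofing advice above comes down to, as an added example that is not from the original post and not Cisco's code: a small Python model of a border router validating each packet's source address against its own routing table, in strict mode (the best route back to the source must leave via the interface the packet arrived on) and in loose mode (any route back suffices). The interface names, prefixes and sample packets are constructed for the demo. The two equal-cost routes for 10.2.2.0/24 mirror the poster's two-route situation and show why equal-cost paths make a strict check accept traffic arriving on either link.

```python
"""Simulated reverse-path (anti-spoofing) check for a border router.

Added example, not Cisco's code: it models the logic a router applies when
it compares a packet's source address with its routing table. Interface
names, prefixes and packets below are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    metric: int = 1


class RoutingTable:
    def __init__(self, routes):
        self.routes = list(routes)

    def lookup(self, addr):
        """Longest-prefix match. Returns every best route, so equal-cost
        routes to the same prefix (as in the two-route setup above) all
        come back rather than just one of them."""
        addr = ipaddress.IPv4Address(addr)
        matches = [r for r in self.routes if addr in r.prefix]
        if not matches:
            return []
        longest = max(r.prefix.prefixlen for r in matches)
        best = [r for r in matches if r.prefix.prefixlen == longest]
        cheapest = min(r.metric for r in best)
        return [r for r in best if r.metric == cheapest]


# Sources that can never legitimately appear in a forwarded packet.
ALWAYS_INVALID_SRC = (
    ipaddress.IPv4Network("127.0.0.0/8"),          # loopback
    ipaddress.IPv4Network("224.0.0.0/4"),          # multicast
    ipaddress.IPv4Network("255.255.255.255/32"),   # limited broadcast
)


def rpf_check(table, ingress_iface, src_ip, mode="strict"):
    """True if a packet with source src_ip arriving on ingress_iface passes."""
    src = ipaddress.IPv4Address(src_ip)
    if any(src in net for net in ALWAYS_INVALID_SRC):
        return False                      # bogon source: drop in every mode
    routes = table.lookup(src)
    if not routes:
        return False                      # no route back at all: drop in every mode
    if mode == "loose":
        return True                       # reachable somehow is good enough
    # strict: one of the best routes must leave via the interface the packet came in on
    return any(r.interface == ingress_iface for r in routes)


def filter_packets(table, packets, mode="strict"):
    """Apply rpf_check to (ingress_iface, src_ip) pairs; return the verdicts."""
    return [(iface, src, rpf_check(table, iface, src, mode)) for iface, src in packets]


# Constructed topology: one uplink, one client LAN link, one cache server link.
DEMO_TABLE = RoutingTable([
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "uplink"),
    Route(ipaddress.IPv4Network("10.1.1.0/24"), "clients"),
    # two equal-cost routes to the same prefix, one per link
    Route(ipaddress.IPv4Network("10.2.2.0/24"), "clients"),
    Route(ipaddress.IPv4Network("10.2.2.0/24"), "cache"),
])

# Constructed packets: (ingress interface, source address).
DEMO_PACKETS = [
    ("clients", "10.1.1.5"),      # legitimate client traffic
    ("uplink",  "10.1.1.5"),      # internal address arriving from outside: spoofed
    ("clients", "198.51.100.9"),  # client spoofing an external source
    ("uplink",  "203.0.113.7"),   # ordinary inbound traffic
    ("uplink",  "127.0.0.1"),     # bogon source
    ("cache",   "10.2.2.9"),      # arrives on the second equal-cost path
]

if __name__ == "__main__":
    for iface, src, ok in filter_packets(DEMO_TABLE, DEMO_PACKETS):
        print(f"{iface:8} {src:15} {'pass' if ok else 'DROP'}")
```

Raising the metric on the cache-side route for 10.2.2.0/24 makes `lookup` return only the client-side route, so a strict check then drops packets from that prefix arriving on the cache link while a loose check still accepts them. That is the same coupling between the routing table and per-link behaviour that the poster ran into: the anti-spoofing decision is only as good as the routes it is derived from.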
