
CSS 11500 + IP Spoofing trouble with inbound connections

dmitry
Level 1

Hello, maybe I've posted in the wrong branch; if so, please move it to the right one. Sorry for my English :)

I have a Cisco CSS 11500 and a caching server that can spoof IPs. The network scheme and configs are as described in http://www.cisco.com/en/US/products/hw/contnetw/ps546/products_configuration_example09186a00801adbe2.shtml

Web browsing from the client computers works normally, but when an inbound connection is needed there is a problem. After some troubleshooting I have noticed that from some IPs I can ping the client computers but from others I can't, even if they are in one /24 network... this is because of the IP routing:

ip route 192.168.20.0 255.255.255.0 10.48.66.31 1

ip route 192.168.20.0 255.255.255.0 192.168.30.3 1

So the CSS is trying to balance load across two links, BUT only one link goes to the clients! (The other goes to the caching server.)

How can I resolve this problem? If I set the metric on the route to the cache server higher than on the route to the clients, then this scheme can't work...
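
The symptom described in the post above, reproduced as an added example that is not part of the original post and is not Cisco code: with two equal-cost routes and a per-address-pair choice of next hop, hosts in the same /24 split between the client link and the cache link. The XOR hash, the outside network 203.0.113.0/24, the client 192.168.20.10 and the choice of 10.48.66.31 as the client-facing hop are assumptions made for illustration.

```python
import ipaddress
from functools import reduce
from operator import xor

# Next hops of the two equal-cost static routes to 192.168.20.0/24 in the post.
NEXT_HOPS = ["10.48.66.31", "192.168.30.3"]


def pick_next_hop(src, dst, next_hops=NEXT_HOPS):
    """Choose one next hop per source/destination address pair.

    Assumption: XOR-folding the address bytes stands in for the device's
    real ECMP hash, which the post does not describe.
    """
    packed = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return next_hops[reduce(xor, packed) % len(next_hops)]


def reachable_sources(sources, client, client_hop):
    """Return the sources whose traffic to `client` leaves via the hop that
    really leads to the clients; every other source is sent toward the cache."""
    return [s for s in sources if pick_next_hop(s, client) == client_hop]


if __name__ == "__main__":
    # Constructed sample data: outside hosts in one /24 pinging one client.
    outside = [str(h) for h in ipaddress.ip_network("203.0.113.0/24").hosts()]
    client = "192.168.20.10"
    # Assumption: 10.48.66.31 is the client-facing hop (not stated in the post).
    ok = reachable_sources(outside, client, "10.48.66.31")
    print(f"{len(ok)} of {len(outside)} sources reach {client}")
    for src in outside[:4]:
        print(src, "->", pick_next_hop(src, client))
```
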

2 Replies

mchin345
Level 6

Many network attacks rely on an attacker that falsifies, or spoofs, the source addresses of IP datagrams. Some attacks rely on spoofing in order for the attack to work. Other attacks are much harder to trace if the attackers can use the address of someone else instead of their own address. Therefore, to prevent spoofing wherever it is feasible is valuable for network administrators.

Antispoofing should be done at every point in the network where it is practical. But antispoofing is usually both easiest to do and most effective at the borders between large address blocks or between domains of network administration. Antispoofing on every router in a network is usually impractical because determination of which source addresses can legitimately appear on any given interface is difficult.

To improve security on the CSS 11500, click this link.

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_tech_note09186a0080235e60.shtml#topic6

Have you read my question? Or maybe only the subject? Please read it once more, because my question is not about IP spoofing attacks...
