04-01-2004 06:55 AM - edited 03-09-2019 06:56 AM
Hi, I am somewhat of a newbie with routers and we want to be able to filter out spoofed addresses coming in and going out of our routers. I cannot seem to find any definitive answers on how to do this. Please help me if you can.
Thanks
04-07-2004 06:24 AM
Looking for a similar information. Any update on this?
04-08-2004 01:01 PM
I will explain two solutions for filtering spoofed addresses. The first one is with access-lists. For example, on your router FastEthernet 0/0 is your LAN and Serial 2/0 is your WAN.
1) Define the ACLs (replace the placeholders with your own LAN network and wildcard mask):
access-list 100 permit ip <LAN-network> <wildcard-mask> any
" this access-list will allow only your LAN IPs and will not let any spoofed IP be forwarded by the router "
access-list 101 deny ip <LAN-network> <wildcard-mask> any
access-list 101 permit ip any <LAN-network> <wildcard-mask>
" this access-list will deny any packet from your WAN with a source IP in your LAN subnet and will allow any packet with a destination in your LAN subnet "
2) Apply the ACLs on the interfaces:
interface FastEthernet 0/0
 ip access-group 100 in
" or, instead of the ACL, use uRPF (description below): "
interface FastEthernet 0/0
 ip verify unicast reverse-path
interface Serial 2/0
 ip access-group 101 in
uRPF (unicast Reverse-Path Filtering) checks an IP packet's source address against the CEF table and discards the packet if it did not arrive on the reverse path; here's a link that will be useful.
Beware that using uRPF on the WAN interface can cause downtime if the router doesn't have FULL ROUTES (Internet routes).
If you need any help on these issues just let me know
04-08-2004 01:06 PM
Actually, it's pretty easy. Use the interface command no ip source-route to minimize exposure to spoofed addresses.
Here's a good start:
http://www.cisco.com/warp/public/707/21.html
In addition you'll want to create an outbound ACL that filters addresses reserved as 'private' and an inbound ACL that filters your source IP net.
This and much more is documented here:
http://secinf.net/info/fw/cisco/add.html#spoof-acl
Good luck.
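To make the logic of the two replies concrete, here is an added example (Python, written for this page; it is not Cisco code and not from any poster). It models the three checks described above: access-list 100 inbound on the LAN interface, access-list 101 inbound on the WAN interface extended with the "private address" source filter suggested in the last reply, and strict uRPF against a forwarding table. The LAN prefix, the bogon list and the routes are constructed values; the allow_default flag is a simplified stand-in for the IOS allow-default option and lets you see the "no full routes" downtime caveat from the first reply in action.

```python
# Added example (not from the thread): a small Python model of the
# anti-spoofing checks the replies describe -- ACL 100 inbound on the LAN
# interface, ACL 101 inbound on the WAN interface (plus the "private"
# source filter from the last reply), and strict uRPF against a routing
# table. All prefixes and routes below are constructed for illustration.
from ipaddress import ip_address, ip_network

# Constructed topology: fa0/0 is the LAN, serial 2/0 is the WAN.
LAN = ip_network("192.0.2.0/24")      # documentation prefix standing in for "your LAN"
LAN_IF, WAN_IF = "fa0/0", "se2/0"

# Source ranges that should never arrive from the Internet (RFC 1918 and similar).
BOGON_SOURCES = [ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",
)]


def acl_100_lan_in(src, dst):
    """Mirrors 'access-list 100 permit ip <LAN> <wildcard> any' applied
    inbound on fa0/0: a host may only send with a source address inside
    the LAN prefix; anything else is a spoof and hits the implicit deny."""
    return ip_address(src) in LAN


def acl_101_wan_in(src, dst):
    """Mirrors ACL 101 inbound on serial 2/0: deny packets that claim a LAN
    source (they cannot legitimately come from the WAN), deny private/bogon
    sources, then permit only traffic destined to the LAN (implicit deny
    for everything else)."""
    s, d = ip_address(src), ip_address(dst)
    if s in LAN:
        return False
    if any(s in net for net in BOGON_SOURCES):
        return False
    return d in LAN


# Constructed forwarding table: prefix -> egress interface.
FULL_ROUTES = {
    LAN: LAN_IF,
    ip_network("198.51.100.0/24"): WAN_IF,
    ip_network("0.0.0.0/0"): WAN_IF,      # default route towards the ISP
}


def urpf_strict(src, in_iface, routes=FULL_ROUTES, allow_default=False):
    """Strict uRPF: accept only if the longest-prefix route back to the
    source exits the interface the packet arrived on. By default a match
    on 0.0.0.0/0 does not count as a valid reverse path; allow_default=True
    models letting the default route satisfy the check."""
    s = ip_address(src)
    candidates = [net for net in routes if s in net]
    if not candidates:
        return False                      # no route back at all: drop
    best = max(candidates, key=lambda net: net.prefixlen)
    if best.prefixlen == 0 and not allow_default:
        return False                      # only the default route matches
    return routes[best] == in_iface


if __name__ == "__main__":
    # A spoofed LAN source arriving from the WAN is dropped by both mechanisms.
    print(acl_101_wan_in("192.0.2.10", "192.0.2.1"),
          urpf_strict("192.0.2.10", WAN_IF))
    # A legitimate Internet source on the WAN passes the ACL, but with only a
    # default route and allow_default=False strict uRPF drops it: this is the
    # "no full routes" downtime caveat from the first reply.
    print(acl_101_wan_in("203.0.113.5", "192.0.2.1"),
          urpf_strict("203.0.113.5", WAN_IF))
```

The two functions for the ACLs return True for "permit" and False for "deny", so you can feed them any (source, destination) pair and see which rule would catch it; urpf_strict shows why the first reply warns about uRPF on a WAN interface without a full routing table, since a source that is only reachable via the default route is discarded unless the default route is explicitly allowed.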