Securing Cisco 1700/2600 routers from source routing

admin_2
Level 3

Hi, I am somewhat of a newbie with routers and we want to be able to filter out spoofed addresses coming in and going out of our routers. I cannot seem to find any definitive answers on how to do this. Please help me if you can.

Thanks

3 Replies

nikhil_m
Level 1

Looking for a similar information. Any update on this?

mesuti
Level 1

I will explain two solutions for filtering spoofed addresses. The first one is with access-lists; for example, in your router FastEthernet 0/0 is your LAN and Serial 2/0 is your WAN.

1) Define the ACLs

access-list 100 permit ip < your LAN wildcard mask> any

" this access-list will allow only your LAN IPs and will not let any spoofed IP be forwarded by the router"

access-list 101 deny ip < your LAN wildcard mask> any

access-list 101 permit ip any < your LAN wildcard mask>

" this access-list will deny any packet from your WAN with a source IP of your LAN subnet and will allow any packet with a destination in your LAN subnet"

2) Applying the ACLs to the interfaces

interface fa0/0

ip access-group 100 in

" or, instead of the ACL: "

ip verify unicast reverse-path

" (a description of uRPF is below) "

interface serial 2/0

ip access-group 101 in

uRPF (unicast Reverse-Path Filtering) checks the IP packet's source address against the CEF table and discards the packet if it is not on the reverse path; here's a link that will be useful.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800ca6e0.html

Beware that using uRPF on the WAN interface can cause downtime if the router doesn't have FULL ROUTES (Internet routes).

If you need any help on these issues just let me know

masharris
Level 1

Actually, it's pretty easy. Use the interface command no ip source-route to minimize exposure to spoofed addresses.

Here's a good start:

http://www.cisco.com/warp/public/707/21.html

In addition you'll want to create an outbound ACL that filters addresses reserved as 'private' and an inbound ACL that filters your source IP net.

This and much more is documented here:

http://secinf.net/info/fw/cisco/add.html#spoof-acl

Good luck.
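Putting the two replies together in one IOS configuration, as an added example that is not from any poster in this thread: it assumes a constructed LAN of 192.0.2.0/24 on FastEthernet0/0 and an Internet link on Serial2/0, filters the private ranges masharris mentions, and leaves uRPF off the WAN side because of mesuti's full-routes caveat.

```cisco
! Constructed example addressing: LAN 192.0.2.0/24 on FastEthernet0/0,
! Internet on Serial2/0. Replace with your own prefix and interfaces.
!
! Drop source-routed packets (global configuration command) and enable
! CEF, which ip verify unicast reverse-path needs.
no ip source-route
ip cef
!
! ACL 100, inbound on the LAN side: only our own prefix may leave,
! so an infected host cannot send packets with a spoofed source.
access-list 100 permit ip 192.0.2.0 0.0.0.255 any
access-list 100 deny   ip any any log
!
! ACL 101, inbound on the WAN side: drop packets claiming to come from
! our LAN or from private / loopback / unspecified / multicast space,
! then allow the rest only if it is destined to the LAN.
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any
access-list 101 deny   ip 224.0.0.0 15.255.255.255 any
access-list 101 permit ip any 192.0.2.0 0.0.0.255
access-list 101 deny   ip any any log
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 100 in
 ! Strict uRPF is safe here: the only route back to LAN sources is
 ! this interface, so the check matches ACL 100.
 ip verify unicast reverse-path
!
interface Serial2/0
 ip access-group 101 in
 ! No ip verify unicast reverse-path here: without full Internet
 ! routes the reverse-path check would drop legitimate traffic.
```

The `log` keyword on the final deny lines makes spoofing attempts visible in the router's logging output, which is the easiest way to confirm the ACLs are doing something before trusting them.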
