New Member

Securing Cisco 1700/2600 routers from source routing

Hi, I am somewhat of a newbie with routers, and we want to be able to filter out spoofed addresses coming into and going out of our routers. I cannot seem to find any definitive answers on how to do this. Please help me if you can.

Thanks

3 REPLIES
New Member

Re: Securing Cisco 1700/2600 routers from source routing

Looking for similar information. Any update on this?

New Member

Re: Securing Cisco 1700/2600 routers from source routing

I will explain two solutions for filtering spoofed addresses. The first one is with access-lists; for example, in your router FastEthernet 0/0 is your LAN and Serial 2/0 is your WAN.

1) Define the ACLs

access-list 100 permit ip <LAN network> <wildcard mask> any

"This access-list will allow only your LAN IPs and will not let any spoofed IP be forwarded by the router."

access-list 101 deny ip <LAN network> <wildcard mask> any

access-list 101 permit ip any <LAN network> <wildcard mask>

"This access-list will deny any packet from your WAN with a source IP of your LAN subnet and will allow any packet with destination your LAN subnet."

2) Apply the ACLs to the interfaces

interface fa0/0

ip access-group 100 in

or, instead of ACL 100 on the LAN interface (uRPF is described below):

interface fa0/0

ip verify unicast reverse-path

interface serial 2/0

ip access-group 101 in

uRPF (unicast Reverse-Path Filtering) checks the IP packet's source address against the CEF table and discards the packet if it fails the reverse-path check. Here's a link that will be useful.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800ca6e0.html

Beware that using uRPF on the WAN interface can cause downtime if the router doesn't have FULL ROUTES (Internet routes).

If you need any help on these issues, just let me know.

New Member

Re: Securing Cisco 1700/2600 routers from source routing

Actually, it's pretty easy. Use the interface command no ip source-route to minimize exposure to spoofed addresses.

Here's a good start:

http://www.cisco.com/warp/public/707/21.html

In addition, you'll want to create an outbound ACL that filters addresses reserved as 'private' and an inbound ACL that filters your source IP net.

This and much more is documented here:

http://secinf.net/info/fw/cisco/add.html#spoof-acl

Good luck.
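Putting the two replies above together (the LAN/WAN ACL pair and uRPF from the second reply, the private-address filtering and no ip source-route from the third), here is an added, complete configuration that is not from the thread or from Cisco. It assumes the LAN is 192.0.2.0/24 on FastEthernet0/0 and the Internet link is 198.51.100.2/30 on Serial2/0; both are constructed documentation addresses, so substitute your own prefix, wildcard mask and interface names.

```cisco
! Added example, not from the thread: anti-spoofing filters for a 1700/2600-class
! router. Assumes LAN 192.0.2.0/24 (wildcard 0.0.0.255) on FastEthernet0/0 and
! WAN address 198.51.100.2/30 on Serial2/0; constructed values, substitute yours.
!
! ACL 100, applied inbound on the LAN interface: only packets sourced from our own
! prefix may leave, so a spoofed source on the LAN never reaches the WAN.
access-list 100 remark Egress anti-spoofing: our own prefix only
access-list 100 permit ip 192.0.2.0 0.0.0.255 any
access-list 100 deny   ip any any log
!
! ACL 101, applied inbound on the WAN interface: drop packets that claim our own
! prefix or a non-routable source, then allow traffic destined to our LAN.
access-list 101 remark Ingress anti-spoofing: our prefix must never arrive from outside
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 101 remark RFC 1918 private ranges
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 remark Loopback, "this" network, link-local, multicast and class E
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
access-list 101 deny   ip 224.0.0.0 31.255.255.255 any
access-list 101 remark With NAT overload, return traffic is addressed to the WAN IP
access-list 101 permit ip any host 198.51.100.2
access-list 101 permit ip any 192.0.2.0 0.0.0.255
access-list 101 deny   ip any any log
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 100 in
!
interface Serial2/0
 ip address 198.51.100.2 255.255.255.252
 ip access-group 101 in
!
! Alternative to ACL 100: strict uRPF on the LAN interface (requires CEF). A packet
! is dropped when the CEF table would not route its source back out that interface;
! the LAN side has a single path, so the asymmetric-routing caveat does not apply.
ip cef
interface FastEthernet0/0
 ip verify unicast reverse-path
!
! Drop packets carrying IP source-route options (a global configuration command).
no ip source-route
```

Verify with show ip access-lists after some traffic: the deny counters on ACL 100 reveal hosts on the LAN emitting spoofed sources, and the first deny in ACL 101 shows your own prefix arriving from the WAN.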
