Border filters

qbakies11
Level 1

I need to place filters on my border routers to try and prevent IP spoofing for PCI compliance. Has anyone done this and know how these filters are supposed to be configured?

Richard Burts
Hall of Fame

Quinton

A filter for spoofed addresses is fairly simple. It is generally done on the router at the edge of your network facing your service provider and is configured as an inbound access list. The access list should start with statements that deny any IP packet whose source address is in the address space used inside your network. You would then permit other IP traffic. Some people make these access lists filter other things such as filtering private address space in the source address or filtering other bogon addresses. But if your requirement is spoofed addresses then it is sufficient to deny inbound packets whose source address is one of your internal addresses.

HTH

Rick

Thanks for the reply Rick. Can you provide a generic example?

Quinton

Here is a very basic example. Assume that the network inside uses the 200.200.200.0/24 network. So a spoofed packet would come to your router outside interface with a source address of 200.200.200.x and you want to deny it. Also assume that your outward facing interface is serial 1/0.

access-list 150 deny ip 200.200.200.0 0.0.0.255 any

access-list 150 permit ip any any

interface serial1/0

ip access-group 150 in

HTH

Rick
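
Added example (not part of the original thread, and not Cisco tooling): a small Python check that parses the two access-list entries from the reply above and evaluates them with wildcard-mask, first-match semantics against a few source addresses. The test addresses and the helper names are constructed for illustration; only plain "ip" entries are handled.

```python
import ipaddress

# The ACL from the reply above, copied verbatim.
ACL_150 = """\
access-list 150 deny ip 200.200.200.0 0.0.0.255 any
access-list 150 permit ip any any
"""

def parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (base, wild), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N {permit|deny} ip SRC DST' lines into ordered rules."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # this sketch handles only plain 'ip' entries
        src, rest = parse_addr(tok[4:])
        dst, _ = parse_addr(rest)
        rules.append((tok[2], src, dst))
    return rules

def matches(spec, addr):
    """Wildcard-mask match: bits set in the wildcard are ignored."""
    base, wild = spec
    return (int(ipaddress.IPv4Address(addr)) | wild) == (base | wild)

def evaluate(rules, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, s, d in rules:
        if matches(s, src) and matches(d, dst):
            return action
    return "deny"

if __name__ == "__main__":
    rules = parse_acl(ACL_150)
    # Constructed packets arriving on the outside interface (source addresses only vary).
    for src in ("200.200.200.57", "200.200.201.1", "198.51.100.10"):
        print(src, "->", evaluate(rules, src, "200.200.200.10"))
```

Entry order matters: if the permit entry is placed before the deny entry, the same evaluation returns permit for the spoofed source, because the first match wins.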
