
New Member

Border filters

I need to place filters on my border routers to try and prevent IP spoofing for PCI compliance. Has anyone done this and know how these filters are supposed to be configured?

3 REPLIES
Hall of Fame Super Silver

Re: Border filters

Quinton

A filter for spoofed addresses is fairly simple. It is generally done on the router at the edge of your network facing your service provider and is configured as an inbound access list. The access list should start with statements that deny any IP packet whose source address is in the address space used inside your network. You would then permit other IP traffic. Some people make these access lists filter other things such as filtering private address space in the source address or filtering other bogon addresses. But if your requirement is spoofed addresses then it is sufficient to deny inbound packets whose source address is one of your internal addresses.

HTH

Rick

New Member

Re: Border filters

Thanks for the reply Rick. Can you provide a generic example?

Hall of Fame Super Silver

Re: Border filters

Quinton

Here is a very basic example. Assume that the network inside uses the 200.200.200.0/24 network. So a spoofed packet would come to your router outside interface with a source address of 200.200.200.x and you want to deny it. Also assume that your outward facing interface is serial 1/0.

access-list 150 deny ip 200.200.200.0 0.0.0.255 any
access-list 150 permit ip any any
interface serial1/0
 ip access-group 150 in

HTH

Rick
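As an added illustration of both replies above (not code from the thread or from Cisco), the following Python script simulates how an IOS numbered extended ACL evaluates inbound packets: first matching entry wins, and anything that matches no entry hits the implicit deny at the end of every IOS ACL. It parses the exact two lines Rick posted, plus an assumed extended variant that also drops RFC 1918 and loopback sources as his first reply mentions some people do, and runs a constructed sample of inbound packets through each. The wildcard-to-prefix conversion shows why `0.0.0.255` in the ACL means the /24 internal block. The ACL line parser only understands the `ip` protocol keyword with `any`, `host`, or address/wildcard operands.

```python
"""Simulate the inbound anti-spoofing ACL from the thread (added example, not IOS)."""
import ipaddress
from typing import List, Tuple

# The ACL from the thread: internal space is 200.200.200.0/24 and the filter
# is applied inbound on the provider-facing interface (serial1/0).
BASIC_ACL = [
    "access-list 150 deny ip 200.200.200.0 0.0.0.255 any",
    "access-list 150 permit ip any any",
]

# Assumed extended variant (not from the thread): also drop RFC 1918 and
# loopback sources, which should never arrive from the provider side.
EXTENDED_ACL = [
    "access-list 150 deny ip 200.200.200.0 0.0.0.255 any",
    "access-list 150 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 150 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 150 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 150 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 150 permit ip any any",
]

# An access control entry: (action, source network, destination network).
Ace = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert IOS address/wildcard notation to a prefix.

    A wildcard bit of 1 means "don't care", so 0.0.0.255 covers a /24.
    Only contiguous wildcards (a run of 0s followed by a run of 1s) are accepted.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix_len = 32 - w.bit_length()
    return ipaddress.IPv4Network((addr, prefix_len), strict=False)


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i]; return (net, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered ACEs."""
    aces: List[Ace] = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        action = t[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line}")
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        aces.append((action, src, dst))
    return aces


def evaluate(aces: List[Ace], src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for one packet: first match wins, implicit deny otherwise."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def classify(acl_lines: List[str], packets: List[Tuple[str, str]]):
    """Run every (src, dst) packet through the ACL; return (src, dst, verdict) triples."""
    aces = parse_acl(acl_lines)
    return [(src, dst, evaluate(aces, src, dst)) for src, dst in packets]


if __name__ == "__main__":
    # Constructed sample of packets arriving inbound on the outside interface.
    SAMPLE_PACKETS = [
        ("200.200.200.5", "200.200.200.10"),  # spoofed: claims to be internal
        ("8.8.8.8", "200.200.200.10"),        # ordinary Internet source
        ("10.0.0.1", "200.200.200.10"),       # RFC 1918 source from the provider side
        ("127.0.0.1", "200.200.200.10"),      # loopback source, never legitimate
    ]
    for name, acl in (("basic", BASIC_ACL), ("extended", EXTENDED_ACL)):
        print(f"--- {name} ACL ---")
        for src, dst, verdict in classify(acl, SAMPLE_PACKETS):
            print(f"{verdict:6}  {src:>15} -> {dst}")
```

The basic ACL answers the original question (packets claiming an internal source are dropped at the edge), while the extended list shows the difference: a packet from 10.0.0.1 is permitted by the basic list and denied by the extended one.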
