Router Security Configuration Guide
UNCLASSIFIED
76
Version 1.0g
IP Address Spoof Protection
Inbound Traffic
Do not allow any inbound IP packet whose source field contains an address from the
internal network (e.g., 14.2.6.0), any loopback (local host) address (127.X.X.X), the
link-local DHCP default address block (169.254.0.0), or any of the reserved private
addresses (refer to RFC 1918). Apply this access list inbound on the external interface
of the router, as shown in the transcript below.
East(config)# access-list 100 deny ip 14.2.6.0 0.0.0.255 any log
East(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
East(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
East(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
East(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
East(config)# access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
East(config)# access-list 100 permit ip any 14.2.6.0 0.0.0.255
East(config)# interface eth0/0
East(config-if)# description "external interface"
East(config-if)# ip address 14.1.1.20 255.255.0.0
East(config-if)# ip access-group 100 in
East(config-if)# exit
East(config)# interface eth0/1
East(config-if)# description "internal interface"
East(config-if)# ip address 14.2.6.250 255.255.255.0
East(config-if)# end
Outbound Traffic
Do not allow any outbound IP packet whose source field contains an address outside
the internal network. Apply this access list inbound on the internal interface of the
router, so that it checks traffic entering the router from the internal network. See
the example rules below.
East(config)# no access-list 102
East(config)# access-list 102 permit ip 14.2.6.0 0.0.0.255 any
East(config)# access-list 102 deny ip any any log
East(config)# interface eth0/1
East(config-if)# description "internal interface"
East(config-if)# ip address 14.2.6.250 255.255.255.0
East(config-if)# ip access-group 102 in
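To make the behaviour of access lists 100 and 102 concrete, the following evaluator (an added example, not text or code from the Router Security Configuration Guide) parses the two lists exactly as transcribed above, applies IOS wildcard-mask matching with first-match semantics and the implicit trailing "deny any any", and replays constructed sample packets through them. It goes slightly beyond the page by also accepting the "host" address form. The sample addresses 198.51.100.9, 203.0.113.5 and the specific 14.2.6.x hosts are constructed for illustration.

```python
"""Wildcard-mask ACL evaluator for the anti-spoof lists shown on this page.
Added illustration; not part of the guide itself."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Transcribed from the inbound (100) and outbound (102) access lists above.
INBOUND_ACL = [
    "access-list 100 deny ip 14.2.6.0 0.0.0.255 any log",
    "access-list 100 deny ip 127.0.0.0 0.255.255.255 any log",
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 any log",
    "access-list 100 deny ip 172.16.0.0 0.15.255.255 any log",
    "access-list 100 deny ip 192.168.0.0 0.0.255.255 any log",
    "access-list 100 deny ip 169.254.0.0 0.0.255.255 any log",
    "access-list 100 permit ip any 14.2.6.0 0.0.0.255",
]
OUTBOUND_ACL = [
    "access-list 102 permit ip 14.2.6.0 0.0.0.255 any",
    "access-list 102 deny ip any any log",
]


@dataclass(frozen=True)
class Entry:
    action: str    # "permit" or "deny"
    src: int       # source base address as a 32-bit integer
    src_wild: int  # IOS wildcard mask: a 1 bit means "don't care"
    dst: int
    dst_wild: int
    log: bool      # trailing "log" keyword present


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: List[str]) -> Tuple[int, int, List[str]]:
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]


def parse_entry(line: str) -> Entry:
    """Parse one numbered extended ACL line of the shape used on this page (protocol 'ip' only)."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or len(tokens) < 6 or tokens[3] != "ip":
        raise ValueError(f"unsupported ACL syntax: {line!r}")
    action = tokens[2]
    rest = tokens[4:]
    log = bool(rest) and rest[-1] == "log"
    if log:
        rest = rest[:-1]
    src, src_wild, rest = _parse_addr(rest)
    dst, dst_wild, rest = _parse_addr(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACL line: {rest}")
    return Entry(action, src, src_wild, dst, dst_wild, log)


def _matches(addr: int, base: int, wild: int) -> bool:
    """Wildcard match: every bit that is 0 in the wildcard must equal the base address."""
    care = ~wild & 0xFFFFFFFF
    return (addr ^ base) & care == 0


def evaluate(acl: List[str], src: str, dst: str) -> Tuple[str, bool]:
    """First matching entry wins; an unmatched packet hits IOS's implicit, unlogged deny."""
    s, d = _ip(src), _ip(dst)
    for entry in map(parse_entry, acl):
        if _matches(s, entry.src, entry.src_wild) and _matches(d, entry.dst, entry.dst_wild):
            return entry.action, entry.log
    return "deny", False


if __name__ == "__main__":
    # Constructed sample packets: (description, source, destination).
    samples = [
        ("in ", INBOUND_ACL, "spoofed internal source arriving from outside", "14.2.6.7", "14.2.6.10"),
        ("in ", INBOUND_ACL, "RFC 1918 source", "172.31.4.4", "14.2.6.10"),
        ("in ", INBOUND_ACL, "external host to internal host", "198.51.100.9", "14.2.6.10"),
        ("in ", INBOUND_ACL, "external host to a non-internal destination", "198.51.100.9", "14.2.7.1"),
        ("out", OUTBOUND_ACL, "internal host leaving", "14.2.6.20", "198.51.100.9"),
        ("out", OUTBOUND_ACL, "forged external source from inside", "203.0.113.5", "198.51.100.9"),
    ]
    for direction, acl, what, s, d in samples:
        print(f"{direction} {s:>13} -> {d:<13} {evaluate(acl, s, d)}  # {what}")
```

Two points the replay makes visible: the final "permit ip any 14.2.6.0 0.0.0.255" in list 100 means anything arriving from outside that is not addressed to the internal network falls through to the implicit deny, which is silent, whereas the explicit deny lines carry "log" and will generate log messages for every spoofed packet they catch. Operationally, those "log" entries are the detection value of this configuration, so route them to a syslog collector and review them.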
On most Cisco routers, IOS 12 offers another mechanism for IP address spoof
protection: IP reverse-path forwarding verification. Though specialized, and not
suitable for all networks, this facility offers good performance and ease of
maintenance. Section 4.4.5 shows how to set up reverse-path forwarding verification
on routers that support it.