Router Security Configuration Guide, Version 1.0g (UNCLASSIFIED), page 76

IP Address Spoof Protection

Inbound Traffic

Do not allow any inbound IP packet that carries, in its source address field, an address from the internal network (e.g., 14.2.6.0), any local host address (127.X.X.X), the link-local DHCP default address (169.254.0.0), or any reserved private address (refer to RFC 1918). Apply this access list to the external interface of the router, as shown in the transcript below.

  East(config)# access-list 100 deny ip 14.2.6.0    0.0.0.255       any log
  East(config)# access-list 100 deny ip 127.0.0.0   0.255.255.255   any log
  East(config)# access-list 100 deny ip 10.0.0.0    0.255.255.255   any log
  East(config)# access-list 100 deny ip 172.16.0.0  0.15.255.255    any log
  East(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255     any log
  East(config)# access-list 100 deny ip 169.254.0.0 0.0.255.255     any log
  East(config)# access-list 100 permit ip any 14.2.6.0 0.0.0.255
  East(config)# interface eth0/0
  East(config-if)# description "external interface"
  East(config-if)# ip address 14.1.1.20 255.255.0.0
  East(config-if)# ip access-group 100 in
  East(config-if)# exit
  East(config)# interface eth0/1
  East(config-if)# description "internal interface"
  East(config-if)# ip address 14.2.6.250 255.255.255.0
  East(config-if)# end

Outbound Traffic

Do not allow any outbound IP packet that carries an external IP address in its source field. Apply this access list to the internal interface of the router. See the example rules below.

  East(config)# no access-list 102
  East(config)# access-list 102 permit ip 14.2.6.0 0.0.0.255 any
  East(config)# access-list 102 deny   ip any any log
  East(config)# interface eth 0/1
  East(config-if)# description "internal interface"
  East(config-if)# ip address 14.2.6.250 255.255.255.0
  East(config-if)# ip access-group 102 in

On most Cisco routers, IOS 12 offers another mechanism for IP address spoof protection: IP reverse-path forwarding verification. Though specialized, and not suitable for all networks, this facility offers good performance and ease of maintenance. Section 4.4.5 shows how to set up reverse-path forwarding verification on routers that support it.
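The two access lists above, re-expressed as an added Python evaluator (not part of the guide) that applies Cisco first-match and wildcard-mask semantics to constructed sample packets. The keyword "any" is modelled as 0.0.0.0 with an all-ones wildcard, and the sample source/destination addresses are constructed for illustration.

```python
import ipaddress

# "any" in Cisco syntax: base 0.0.0.0 with an all-ones wildcard (every bit is "don't care").
ANY = ("0.0.0.0", "255.255.255.255")

# Constructed from the guide's access-list 100 (inbound, applied to eth0/0) and
# access-list 102 (outbound, applied to eth0/1). Each entry is
# (action, (src_base, src_wildcard), (dst_base, dst_wildcard), log).
ACL_100_INBOUND = [
    ("deny",   ("14.2.6.0",    "0.0.0.255"),     ANY, True),
    ("deny",   ("127.0.0.0",   "0.255.255.255"), ANY, True),
    ("deny",   ("10.0.0.0",    "0.255.255.255"), ANY, True),
    ("deny",   ("172.16.0.0",  "0.15.255.255"),  ANY, True),
    ("deny",   ("192.168.0.0", "0.0.255.255"),   ANY, True),
    ("deny",   ("169.254.0.0", "0.0.255.255"),   ANY, True),
    ("permit", ANY, ("14.2.6.0", "0.0.0.255"), False),
]
ACL_102_OUTBOUND = [
    ("permit", ("14.2.6.0", "0.0.0.255"), ANY, False),
    ("deny",   ANY, ANY, True),
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means that bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def evaluate(acl, src, dst):
    """First-match evaluation. A Cisco ACL ends with an implicit, unlogged 'deny ip any any'."""
    for action, (sb, sw), (db, dw), log in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, log
    return "deny", False

# Constructed sample packets (src, dst) as they would arrive on the external interface.
INBOUND_SAMPLES = [
    ("14.2.6.17",   "14.2.6.5"),    # spoofed internal source -> deny, logged
    ("172.31.9.1",  "14.2.6.5"),    # RFC 1918 source -> deny, logged
    ("203.0.113.9", "14.2.6.5"),    # legitimate external source -> permit
    ("203.0.113.9", "14.1.1.20"),   # addressed to the router itself -> implicit deny
]

def classify(acl, samples):
    return {f"{s}->{d}": evaluate(acl, s, d) for s, d in samples}

if __name__ == "__main__":
    for pkt, (action, log) in classify(ACL_100_INBOUND, INBOUND_SAMPLES).items():
        print(f"{pkt:28} {action}{' (log)' if log else ''}")
```

Note that the single permit line in list 100 admits only traffic destined for 14.2.6.0/24, so anything else, including packets addressed to the router's own external address 14.1.1.20, falls through to the implicit deny and is dropped without a log entry.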