
ACL to Prevent IP Spoofing

rkollar59 (Level 1)

Greetings,

I have a client that uses one of the RFC 1918 addresses (192.168.x.x) for their internal network and VPN client connectivity. I am in the process of creating ACLs to prevent any IP address under RFC 1918 (10.X.X.X, 127.X.X.X, 169.254.X.X, 224.X.X.X, etc.) from being spoofed.

My question is: how can I block all of the network addresses mentioned above, excluding the subnets under 192.168.X.X that they use?

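An ingress anti-spoofing ACL of the kind the question asks for, written as an added example rather than anything posted in the thread. It assumes two in-use subnets (192.168.10.0/24 and 192.168.20.0/24) and an Internet-facing interface named GigabitEthernet0/0; substitute the client's real values. IOS ACLs are evaluated top-down with first match winning, so the exceptions go first and the broad 192.168.0.0/16 deny after them catches every other 192.168 source:

```text
! Added example, not from the original post. Ingress anti-spoofing ACL for
! the Internet-facing interface. Subnets and interface name are assumptions.
ip access-list extended ANTISPOOF-IN
 remark Exceptions first: first match wins, so the in-use subnets are
 remark permitted before the broad 192.168.0.0/16 deny below (assumed subnets)
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 remark Sources that can never legitimately arrive from the Internet
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip 240.0.0.0 15.255.255.255 any
 remark Per BCP 38 also deny your own public prefix as a source here;
 remark the prefix is not known from the thread, so no line is given
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet-facing (assumed interface name)
 ip access-group ANTISPOOF-IN in
```

Two things to check before relying on the permit lines. First, 172.16.0.0/12 is the third RFC 1918 block and belongs in the deny list even though the question does not mention it. Second, whether the two 192.168 permits are needed at all depends on where the VPN terminates: packets from Internet-based VPN clients arrive on the outside interface with the client's public address as source, the 192.168 address being inside the tunnel, so if the VPN terminates on this router the 192.168 exceptions can often be dropped and every 192.168 source denied (check your IOS version for whether decrypted packets are re-evaluated against the interface ACL). Appending `log` to the deny lines is useful while tuning, but rate-limit it on a busy link.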
2 Replies

javentre (Level 1)

I think you ought to look into the uRPF feature:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017cf1b.html#wp1094165

Use the ip verify unicast source reachable-via interface command to mitigate problems caused by malformed or forged (spoofed) IP source addresses that pass through a router. Malformed or forged source addresses can indicate DoS attacks on the basis of source IP address spoofing.

When Unicast RPF is enabled on an interface, the router examines all packets that are received on that interface. The router checks to make sure that the source address appears in the FIB. If the rx keyword is selected, the source address must match the interface on which the packet was received. If the any keyword is selected, the source address must only be present in the FIB. This ability to "look backwards" is available only when Cisco Express Forwarding (CEF) is enabled on the router because the lookup relies on the presence of the FIB. CEF generates the FIB as part of its operation.
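
The uRPF deployment the reply above describes, as an added example that is not part of the thread. It assumes the same two LAN subnets, an Internet-facing GigabitEthernet0/0 that only carries the default route, and a next hop of 203.0.113.1. The null routes are what make the check catch bogon sources: uRPF drops a packet whose source address has no FIB entry pointing back out the receiving interface, and a route to Null0 never matches any interface, while the connected /24s still win by longest match:

```text
! Added example, not from the original post. Strict uRPF plus null routes.
! Interface names, subnets and next hop are assumptions.
ip cef
!
! Unused private space points at Null0 so uRPF fails for those sources on
! every interface. Connected 192.168.10.0/24 and 192.168.20.0/24 are longer
! matches and are unaffected by the 192.168.0.0/16 null route.
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
interface GigabitEthernet0/0
 description Internet-facing (assumed); only the default route points here
 ! allow-default is required on this interface: without it every Internet
 ! source, whose best match is 0.0.0.0/0, fails strict mode and nothing
 ! gets in. With it, a source routed out another interface (the LAN
 ! subnets) or to Null0 (the bogon routes) is still dropped.
 ip verify unicast source reachable-via rx allow-default
!
interface GigabitEthernet0/1
 description LAN 192.168.10.0/24 (assumed)
 ip address 192.168.10.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
interface GigabitEthernet0/2
 description LAN 192.168.20.0/24 (assumed)
 ip address 192.168.20.1 255.255.255.0
 ip verify unicast source reachable-via rx
```

Strict mode (`rx`) on the LAN interfaces drops anything that did not originate from that LAN's prefix, which is the inside half of the anti-spoofing problem. On a multihomed edge where return traffic can arrive on a different link than the route for its source points to, strict mode drops legitimate packets; use `reachable-via any` (loose mode) there. Note also that with `allow-default` any source whose only FIB match is the default route passes, so addresses such as 127.x.x.x or 224.x.x.x that have no Null0 route are not caught by uRPF; keep an interface ACL for those rather than treating uRPF as a full replacement.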

m-abooali (Level 4)

Hi,

I'm dealing with the same issue, except I want the ACLs on a Cisco 3550 which is facing the ISP. I don't think CEF comes into play on this switch.

Regards,
Masod