05-06-2011 01:30 AM - edited 03-04-2019 12:17 PM
Hello-
Is there any way to configure 3825 to ensure that all packets have a source IP address that matches the correct source interface (similar to ASA's 'ip verify reverse-path interface')?
Currently, we manage anti-spoofing with a bunch of ACLs; however, I'm looking for a more manageable solution.
Thanks.
05-06-2011 02:11 AM
Try the ip verify unicast command:
See below a reference on anti-spoofing:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#asprot
interface FastEthernet 0/0
 ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [list]
See below an explanation of the technology.
http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html
Please remember to rate all posts that are helpful.
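Added example (not part of the original posts and not Cisco code): a small Python model of the decision that "reachable-via rx" (strict) and "reachable-via any" (loose) make, with and without allow-default. The FIB entries, interface names and function names are constructed for illustration; the model assumes a single best path per prefix and leaves out the optional ACL [list] fallback and allow-self-ping.

```python
import ipaddress

# Constructed FIB for illustration: (prefix, interface the route points out of).
FIB = [
    ("0.0.0.0/0", "Serial0/0"),           # default route toward the upstream
    ("10.1.0.0/16", "FastEthernet0/0"),   # internal LAN A
    ("10.2.0.0/16", "FastEthernet0/1"),   # internal LAN B
]


def lookup(fib, src):
    """Longest-prefix match on the source address; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def urpf_permits(fib, src, in_if, mode="rx", allow_default=False):
    """Return True if a packet from src arriving on in_if passes the uRPF check.

    mode="rx"  (strict): the route back to src must point out of in_if.
    mode="any" (loose):  any route back to src is enough.
    The default route only counts as a match when allow_default is set.
    """
    route = lookup(fib, src)
    if route is None:
        return False                      # no route back to the source: drop
    net, out_if = route
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route matched
    if mode == "any":
        return True
    return out_if == in_if


if __name__ == "__main__":
    cases = [
        ("10.1.5.5", "FastEthernet0/0", "rx", False),    # legitimate LAN A host
        ("10.2.5.5", "FastEthernet0/0", "rx", False),    # LAN B source seen on LAN A
        ("10.2.5.5", "FastEthernet0/0", "any", False),   # same packet, loose mode
        ("192.0.2.10", "Serial0/0", "rx", False),        # upstream source, default only
        ("192.0.2.10", "Serial0/0", "rx", True),         # same, with allow-default
    ]
    for src, in_if, mode, allow in cases:
        verdict = "permit" if urpf_permits(FIB, src, in_if, mode, allow) else "drop"
        print(f"{src:12} in {in_if:16} mode={mode:3} allow-default={allow}: {verdict}")
```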
05-06-2011 01:47 AM
Have you considered entering "IOS reverse-path" in the CCO search box?