12-10-2007 06:54 AM - edited 03-03-2019 07:52 PM
I need to place filters on my border routers to try and prevent IP spoofing for PCI compliance. Has anyone done this and know how these filters are supposed to be configured?
12-10-2007 08:28 AM
Quinton
A filter for spoofed addresses is fairly simple. It is generally done on the router at the edge of your network facing your service provider and is configured as an inbound access list. The access list should start with statements that deny any IP packet whose source address is in the address space used inside your network. You would then permit other IP traffic. Some people make these access lists filter other things such as filtering private address space in the source address or filtering other bogon addresses. But if your requirement is spoofed addresses then it is sufficient to deny inbound packets whose source address is one of your internal addresses.
HTH
Rick
12-10-2007 12:59 PM
Thanks for the reply Rick. Can you provide a generic example?
12-10-2007 01:11 PM
Quinton
Here is a very basic example. Assume that the network inside uses the 200.200.200.0/24 network. So a spoofed packet would come to your router outside interface with a source address of 200.200.200.x and you want to deny it. Also assume that your outward facing interface is serial 1/0.
! Deny any packet arriving from outside whose source claims to be inside our own 200.200.200.0/24
access-list 150 deny ip 200.200.200.0 0.0.0.255 any
! Everything else is allowed through (without this line the ACL ends in an implicit deny)
access-list 150 permit ip any any
! Apply the list inbound on the provider-facing interface
interface serial1/0
 ip access-group 150 in
HTH
Rick
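To see how the ACL above actually decides, here is an added worked example that is not part of the original thread and not Cisco code: a small Python model of IOS first-match ACL evaluation with the implicit deny at the end. It converts the thread's `address wildcard` notation to a prefix, builds access-list 150 as posted, builds the optional extended version that also drops RFC 1918 and loopback sources (the "private address space" variant mentioned earlier in the thread), and runs three constructed packets through each. The packet addresses 198.51.100.9 and 10.1.2.3 and the bogon list are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One access-list entry: action plus source and destination prefixes."""
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert Cisco 'address wildcard' (e.g. 200.200.200.0 0.0.0.255) to a prefix.

    A wildcard is the bitwise inverse of a subnet mask. Only contiguous
    wildcards map to a prefix; anything else raises ValueError.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = (~wc) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != ((0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network((addr, prefixlen), strict=False)


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for rule in acl:
        if s in rule.src and d in rule.dst:
            return rule.action
    return "deny"


# The internal block from the thread, written exactly as the ACL line has it.
INTERNAL = wildcard_to_network("200.200.200.0", "0.0.0.255")

# access-list 150 as posted: deny our own space as a source, then permit the rest.
ACL_150 = [
    Rule("deny", INTERNAL, ANY),
    Rule("permit", ANY, ANY),
]

# Assumed extension: also drop RFC 1918 and loopback sources, which should
# never arrive from the Internet side.
BOGON_SRCS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]
ACL_150_EXTENDED = (
    [Rule("deny", INTERNAL, ANY)]
    + [Rule("deny", n, ANY) for n in BOGON_SRCS]
    + [Rule("permit", ANY, ANY)]
)

# The same two entries in the wrong order: "permit ip any any" first matches
# everything, so the deny entry below it is never reached.
ACL_MISORDERED = list(reversed(ACL_150))


def run_checks(acl) -> dict:
    """Decisions for three constructed packets arriving inbound on serial1/0."""
    return {
        # forged source inside our own block (what the filter exists to stop)
        "spoofed_internal": evaluate(acl, "200.200.200.17", "200.200.200.5"),
        # an outside host replying to an internal server: must still be allowed
        "legit_reply": evaluate(acl, "198.51.100.9", "200.200.200.5"),
        # RFC 1918 source from the provider side: only the extended list drops it
        "private_src": evaluate(acl, "10.1.2.3", "200.200.200.5"),
    }


if __name__ == "__main__":
    for name, acl in (
        ("access-list 150", ACL_150),
        ("access-list 150 + bogons", ACL_150_EXTENDED),
        ("misordered", ACL_MISORDERED),
    ):
        print(f"{name}: {run_checks(acl)}")
```

Two things the model makes visible that the two-line ACL does not: the deny entry only looks at the source address, so legitimate inbound traffic destined to 200.200.200.0/24 still passes, and the deny must precede `permit ip any any`, otherwise it is shadowed and the filter silently does nothing.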