[c-nsp] Cisco 2620 and Pix 515E Config help please
Antonio Querubin
tony at aloha.net
Fri Apr 8 17:45:30 EDT 2005
On Fri, 8 Apr 2005, Gert Doering wrote:
> On Thu, Apr 07, 2005 at 04:53:36PM -0400, Richard Danielli wrote:
> > ip verify unicast reverse-path
> > seems a bit redundant on a single path :)
>
> Please re-read the docs on what this command *does*. It's a very good
> idea, because it brings automatic (and fast) anti-source-spoofing filters.
>
> In this specific context, it prevents people on the WAN side sending
> packets with an IP address claiming to be from the LAN side (thus
> circumventing firewall filters, etc.)
Indeed. Should be a standard practice on most edge routers and
non-multihomed interfaces. It certainly beats using individual custom
ACLs for each subnet and interface.
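
Added example, not part of the original message: a small Python model of the strict-mode check that `ip verify unicast reverse-path` performs, showing why it drops a WAN packet claiming a LAN source and why it follows the routing table without per-subnet ACL upkeep. It is a model, not IOS code; the interface names and the documentation-range prefixes are constructed for illustration.

```python
import ipaddress

WAN, LAN = "Serial0/0", "FastEthernet0/0"  # hypothetical interface names


class Fib:
    """Minimal forwarding table: prefix -> egress interface."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, interface):
        self.routes.append((ipaddress.ip_network(prefix), interface))

    def lookup(self, address):
        """Longest-prefix match; returns the egress interface or None."""
        addr = ipaddress.ip_address(address)
        matches = [(net.prefixlen, ifc) for net, ifc in self.routes if addr in net]
        return max(matches)[1] if matches else None


def urpf_strict(fib, src, ingress):
    """Pass only if the best route back to src points out the ingress interface."""
    return fib.lookup(src) == ingress


def build_fib():
    fib = Fib()
    fib.add("0.0.0.0/0", WAN)     # default route towards the provider
    fib.add("192.0.2.0/24", LAN)  # constructed LAN subnet
    return fib


# Constructed sample packets: (source address, interface it arrived on)
PACKETS = [
    ("198.51.100.7", WAN),  # genuine external source
    ("192.0.2.10", WAN),    # WAN sender claiming a LAN address
    ("192.0.2.10", LAN),    # genuine LAN host
    ("203.0.113.5", LAN),   # LAN host using a source that is not local
]


def classify(fib, packets):
    return ["forward" if urpf_strict(fib, s, i) else "drop" for s, i in packets]


if __name__ == "__main__":
    for (src, ingress), verdict in zip(PACKETS, classify(build_fib(), PACKETS)):
        print(f"{src:15} in on {ingress:16} -> {verdict}")
```

Adding a second LAN prefix to the table changes the verdicts for that prefix with no filter edits, which is the advantage over per-interface ACLs mentioned above.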