[c-nsp] Anti-spoofing measures
Jay Ford
jay-ford at uiowa.edu
Thu Apr 14 09:29:15 EDT 2005
On Thu, 14 Apr 2005, Earls, Michael wrote:
> Can someone send examples of ACLs used to block or prevent Anti-spoofing at the ISP edge?
>
> My ACL today:
>
> !-- Deny RFC3330
> access-list 110 deny ip 127.0.0.0 0.255.255.255 any
> access-list 110 deny ip 192.0.2.0 0.0.0.255 any
> access-list 110 deny ip 224.0.0.0 31.255.255.255 any
> access-list 110 deny ip host 255.255.255.255 any
> access-list 110 deny ip host 0.0.0.0 any
> !-- Deny RFC1918
> access-list 110 deny ip 10.0.0.0 0.255.255.255 any
> access-list 110 deny ip 192.168.0.0 0.0.255.255 any
> access-list 110 deny ip 172.16.0.0 0.15.255.255 any
> !-- Deny ICMP
> access-list 110 deny icmp any any redirect
> access-list 110 deny icmp any any echo
> access-list 110 deny icmp any any traceroute
> !-- Deny my IP prefixes
> access-list 110 deny my IP Prefix
> !-- Permit IP any any
> access-list 110 permit ip any any
You might want to also include the DHCP auto-config net: 169.254.0.0/16
________________________________________________________________________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-ford at uiowa.edu, phone: 319-335-5555, fax: 319-335-2951
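
An added example, not part of the original thread: a small first-match evaluator for the source-address entries of the ACL quoted above, showing how a 169.254.0.0/16 source is handled before and after the suggested entry is added. The wildcard-mask form of that entry (LINK_LOCAL), the function names, and the sample addresses are assumptions made for this sketch.

```python
import ipaddress

# Source-address entries of ACL 110 as posted. The ICMP lines and the elided
# "my IP Prefix" line are left out: this models source matching only.
ACL_POSTED = """\
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 deny ip host 255.255.255.255 any
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 permit ip any any
"""
# The reply's 169.254.0.0/16 written as a wildcard-mask entry (assumed form).
LINK_LOCAL = "access-list 110 deny ip 169.254.0.0 0.0.255.255 any\n"

def parse_acl(text):
    """Return [(action, base, wildcard)] as ints for 'ip <source> any' entries."""
    to_int = lambda a: int(ipaddress.IPv4Address(a))
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[:2] != ["access-list", "110"] or tok[3] != "ip":
            continue
        if tok[4] == "any":
            base, wild = 0, 0xFFFFFFFF
        elif tok[4] == "host":
            base, wild = to_int(tok[5]), 0
        else:
            base, wild = to_int(tok[4]), to_int(tok[5])
        rules.append((tok[2], base, wild))
    return rules

def evaluate(rules, source):
    """First-match evaluation; wildcard bits set to 1 are 'don't care'."""
    addr = int(ipaddress.IPv4Address(source))
    for action, base, wild in rules:
        if (addr | wild) == (base | wild):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

if __name__ == "__main__":
    for src in ("169.254.10.20", "172.31.255.1", "198.51.100.7"):  # constructed
        print(src, evaluate(parse_acl(ACL_POSTED), src),
              evaluate(parse_acl(LINK_LOCAL + ACL_POSTED), src))
```

The new entry has to sit above the final `permit ip any any` line, since the first matching entry decides the packet.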