[c-nsp] Blocking Forged Source Addresses
Michael Smith
mksmith at adhost.com
Mon Jul 28 10:21:43 EDT 2008
Hello Skeeve:
> From: Skeeve Stevens <skeeve at skeeve.org>
> Organization: eintellego
> Reply-To: <skeeve at skeeve.org>
> Date: Sat, 26 Jul 2008 17:07:02 +1000
> To: <cisco-nsp at puck.nether.net>
> Subject: [c-nsp] Blocking Forged Source Addresses
>
>
> What is the best strategy to Block Forged Source Addresses on a Cisco border
> router?
>
> .Skeeve
>

I would recommend taking a look at the Cymru Secure IOS template at
http://www.cymru.com/Documents/secure-ios-template.html. It gives you a
great set of ACLs for blocking all manner of bogons, including traffic from
our internal nets, plus the uRPF configuration as well.

If you elect to go with this template you should probably check in
periodically on the site for updated ACLs because the IOS template blocks
unallocated space, and since IP space gets allocated quite frequently, you
can end up blocking traffic unintentionally for those nets.

Regards,

Mike
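
The stale-bogon caveat in the message above can be checked mechanically. The following is an added example, not part of the original post or the Cymru template: it parses deny lines from an ACL and reports any that overlap address space now known to be allocated. It assumes entries of the form `access-list N deny ip <addr> <wildcard> any`; the ACL number, prefixes and "allocated" list are constructed sample data.

```python
import ipaddress
import re

# Constructed sample: deny lines in the style of an IOS extended ACL.
# The ACL number and prefixes are illustrative, not copied from the template.
SAMPLE_ACL = """\
access-list 2010 deny ip 10.0.0.0 0.255.255.255 any
access-list 2010 deny ip 192.168.0.0 0.0.255.255 any
access-list 2010 deny ip 198.51.100.0 0.0.0.255 any
access-list 2010 deny ip 203.0.113.0 0.0.0.127 any
access-list 2010 permit ip any any
"""

# Constructed stand-in for a current list of allocated prefixes.
SAMPLE_ALLOCATED = ["198.51.100.0/25", "203.0.113.128/25"]

DENY_RE = re.compile(
    r"^access-list\s+\d+\s+deny\s+ip\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+any\b"
)

def wildcard_to_network(addr, wildcard):
    """Convert an address plus IOS wildcard mask to an ip_network.
    Returns None for a non-contiguous wildcard, which is not a single prefix."""
    inverted = int(ipaddress.IPv4Address(wildcard))
    host_bits = inverted.bit_length()
    if inverted != (1 << host_bits) - 1:
        return None
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)

def parse_denied(acl_text):
    """Return the networks named by 'deny ip <addr> <wildcard> any' lines."""
    nets = []
    for line in acl_text.splitlines():
        m = DENY_RE.match(line.strip())
        if m:
            net = wildcard_to_network(m.group(1), m.group(2))
            if net is not None:
                nets.append(net)
    return nets

def stale_entries(acl_text, allocated):
    """Return (denied, allocated) pairs where a deny entry overlaps allocated space."""
    alloc = [ipaddress.ip_network(p) for p in allocated]
    return [(d, a) for d in parse_denied(acl_text) for a in alloc if d.overlaps(a)]

if __name__ == "__main__":
    for denied, alloc in stale_entries(SAMPLE_ACL, SAMPLE_ALLOCATED):
        print(f"deny {denied} overlaps allocated {alloc}: review this ACL line")
```

Run periodically against the deployed ACL and a current allocation list, a non-empty result marks deny lines that need to be removed or narrowed.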