[c-nsp] ISP - unwanted traffic
Steve Bertrand
steve at ipv6canada.com
Fri Jun 4 09:27:55 EDT 2010
On 2010.06.02 14:04, jack daniels wrote:
> Hi Guys,
> I'm facing an issue and stuck on a thought process, would appreciate if some
>
> way you guys can show with your experience in industry -
>
> ISSUE ----
>
> user X spoofs IP ADDRESS OF ISP-A and sends traffic out to internet...
> now when traffic is coming back via ISP-A... I want to block such traffic
> which is not originating from my ISP...
> but catch here is ---- filtering is to be done in ISP ...so putting acl for
> each users and ports is not scalable.....
> Please help with any way out ...

As Roland stated... uRPF on your PE gear on each client-facing
interface, and it is *extremely* simple to configure... one single line:

    ip verify unicast source reachable-via rx

I wrote up a much more elaborate example not that long ago that goes
much further (includes BOGON filtering and Source/Remote Triggered Black
Hole):

http://ipv6canada.com/?p=59

Also see:

http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html

...and most importantly:

http://www.ietf.org/rfc/rfc3704.txt

Steve
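
Added example, not part of the original post and not Cisco's code: a small Python model of the decision that "reachable-via rx" (strict) makes on a client-facing interface, next to "reachable-via any" (loose). The FIB, interface names and documentation-range addresses are constructed for illustration, and the model assumes a single best path per prefix.

```python
import ipaddress

# Constructed FIB for a hypothetical PE router (documentation prefixes):
# prefix -> interface the best route points out of.
FIB = [
    ("192.0.2.0/24", "Gi0/1"),     # customer A, attached on Gi0/1
    ("198.51.100.0/24", "Gi0/2"),  # customer B, attached on Gi0/2
    ("0.0.0.0/0", "Te1/0"),        # default route toward the upstream
]


def best_route(src, fib=FIB):
    """Longest-prefix match on the SOURCE address; (network, ifname) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def urpf_permit(src, in_if, mode="rx", allow_default=False, fib=FIB):
    """True if a packet from src arriving on in_if passes the check.

    mode="rx"  (strict): the best route back to src must use in_if.
    mode="any" (loose):  any route to src is enough.
    A source covered only by the default route fails unless allow_default.
    Simplification: one best path per prefix (no equal-cost multipath).
    """
    hit = best_route(src, fib)
    if hit is None:
        return False
    net, ifname = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    return mode == "any" or ifname == in_if


if __name__ == "__main__":
    for src, in_if, mode in [
        ("192.0.2.10", "Gi0/1", "rx"),     # customer A, own address
        ("198.51.100.7", "Gi0/1", "rx"),   # customer A spoofing customer B
        ("203.0.113.5", "Gi0/1", "rx"),    # customer A spoofing outside space
        ("198.51.100.7", "Gi0/1", "any"),  # same spoof, loose mode
    ]:
        verdict = "permit" if urpf_permit(src, in_if, mode) else "drop"
        print(f"{src:>14} in {in_if} ({mode}): {verdict}")
```

In this model the loose check passes a source that belongs to another customer, because it only asks whether some route exists; the strict check ties the source to the arrival interface.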