Regardless of whether you're using 10.2 or 10.3, defeating IP spoofing
is a pretty trivial thing to accomplish. All you need to do is configure
an access list that explicitly denies packets destined for a specific
(sub)network which claim to have originated from the same (sub)network.
There are basically two ways to do this: on the inbound path and on the
outbound path.
[diagram: router with interface b on the serial link toward the outside and interface a on ethernet 192.1.1.0]
[inbound]
! Interfaces need a host address; the .0 network address is not assignable.
interface Ethernet0
 ip address 192.1.1.1 255.255.255.0
interface Serial0
 ip address 192.1.2.1 255.255.255.0
 ip access-group 100 in
! Extended list: the protocol keyword is required in 10.2 as in 10.3.
! Drop anything arriving from outside that claims an inside source.
access-list 100 deny ip 192.1.1.0 0.0.0.255 192.1.1.0 0.0.0.255
! 10.2 has no 'any' keyword; 0.0.0.0 255.255.255.255 matches every address.
access-list 100 permit ip 0.0.0.0 255.255.255.255 192.1.1.0 0.0.0.255
[outbound]
interface Ethernet0
 ip address 192.1.1.1 255.255.255.0
 ip access-group 100 out
interface Serial0
 ip address 192.1.2.1 255.255.255.0
access-list 100 deny ip 192.1.1.0 0.0.0.255 192.1.1.0 0.0.0.255
access-list 100 permit ip 0.0.0.0 255.255.255.255 192.1.1.0 0.0.0.255
[snip]
- paul
At 10:21 AM 4/30/96 EDT, Steve Benesko/CTI wrote:
>I was wondering if anybody out there knows how to deal with IP spoofing from
>IOS 10.2?
>I know that in version 10.3 some things were changed in the syntax of the
>access-list statements such as the use of log and any operands, and who knows
>what else they stuck in there.
>I have tried (unsuccessfully) to screen out the attacks by a similar method,
>but the IOS 10.2 doesn't seem to like it very much. There's got to be a simple
>way of doing this that has been staring me in the face, and I just haven't seen
>it yet.
>
>BTW- Before telling me to RTFM, I have already gone through the Cisco Pro and
>UniverCD for answers and found very little information to go on. Then again
>Cisco's documentation is almost as bad as IBM's
>
>
--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
cisco Systems
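As an added illustration (not part of Paul's post or Cisco's code), the following Python model evaluates the anti-spoofing list above the way IOS does: wildcard masks where a 1 bit means "don't care", first match wins, and an implicit deny at the end. The sample packets are constructed; the third one shows the caveat that the permit line only admits traffic destined for 192.1.1.0/24, so anything else arriving on Serial0 is dropped by the implicit deny.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask compare: a 1 bit in the wildcard is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = (~w) & 0xFFFFFFFF          # bits that must match exactly
    return (a & care) == (b & care)


# Constructed model of access-list 100 from the post (10.2 syntax, no 'any'):
# (action, src, src-wildcard, dst, dst-wildcard)
ACL_100 = [
    ("deny",   "192.1.1.0", "0.0.0.255",       "192.1.1.0", "0.0.0.255"),
    ("permit", "0.0.0.0",   "255.255.255.255", "192.1.1.0", "0.0.0.255"),
]


def evaluate(acl, src: str, dst: str) -> str:
    """Walk the list top-down; the first matching entry decides the packet."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action
    return "deny"  # implicit deny at the end of every IOS access list


# Constructed sample packets as they would arrive inbound on Serial0.
SAMPLE_PACKETS = [
    ("192.1.1.5", "192.1.1.9"),   # claims an inside source: spoofed
    ("10.0.0.1",  "192.1.1.9"),   # ordinary outside host talking to the LAN
    ("10.0.0.1",  "192.1.2.1"),   # destined for the router's serial address
]


def audit(acl=ACL_100, packets=SAMPLE_PACKETS):
    """Return {(src, dst): action} for every sample packet."""
    return {(src, dst): evaluate(acl, src, dst) for src, dst in packets}


if __name__ == "__main__":
    for (src, dst), action in audit().items():
        print(f"{src:>12} -> {dst:<12} {action}")
```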