There isn't a simple knob, but then it isn't simple to know what a forgery is. You have to tell the router.
That's what routing protocols are for, right? :-) I thought I had read on cisco-nsp that 11.1CC implemented the long-discussed feature of not accepting packets from an interface unless the router held a route for the source address of that packet back out that interface, but I can't find that message now. I wonder what that does to forwarding rates on VIP2s and 12000s.
Or, another perhaps better way is to only accept packets from your customer networks which are sourced from those networks. Each customer interface then has an inbound filter that blocks everything not sourced from your customer's network.
As I told Jay, we have modified our RADIUS server to do exactly this on the fly for 3com NETservers, 3com HiPer ARCs, and Bay 5399/8000s (and probably any other Annexish box with RADIUS support). This is great until you accept routing information from one of your downstreams. One might argue that you shouldn't peer (or listen to RIP or OSPF) from a network that'll carry spoofed packets, but I don't think that's practicable for the Internet of today. Not all the equipment is capable, not all the operators are clueful, and there aren't enough incentives to change that overnight. I won't even touch the issue of "legitimate spoofing" which rears its ugly head in the telco return satellite and cable modem scenarios. Strict asymmetry does make things more complicated.

regards,
-- Robert
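The two checks discussed in this thread side by side, as an added Python example that is not from any of the posters: a strict reverse-path check against the forwarding table (the 11.1CC-style feature) and a per-customer-interface inbound source filter (the RADIUS-generated approach). The routing table, interface names and prefixes are constructed; the choice to ignore the default route unless explicitly allowed is an assumption modelled on common strict-mode behaviour. The more-specific route for part of customer B's block shows the asymmetry problem Robert mentions.

```python
import ipaddress

# Constructed forwarding table: (prefix, outgoing interface). Not taken from the thread.
# 198.51.100.128/25 is reachable via a second link, so routing is asymmetric for it.
FIB = [
    ("0.0.0.0/0", "Serial0"),            # default route toward the upstream
    ("192.0.2.0/24", "Ethernet1"),       # customer A
    ("198.51.100.0/24", "Ethernet2"),    # customer B
    ("198.51.100.128/25", "Ethernet3"),  # more-specific half of B, learned from B's other link
]

# Constructed per-interface source allow-lists, i.e. what RADIUS would push for each customer.
CUSTOMER_PREFIXES = {
    "Ethernet1": ["192.0.2.0/24"],
    "Ethernet2": ["198.51.100.0/24"],
    "Ethernet3": ["198.51.100.0/24"],
}


def lookup(fib, addr):
    """Longest-prefix match: the (network, interface) the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def strict_rpf_accept(fib, src, in_iface, allow_default=False):
    """Strict reverse-path check: accept only if the route back to src leaves via in_iface.
    A match on the default route is treated as 'no route' unless allow_default is set
    (assumption: this mirrors how strict-mode checks usually handle the default route)."""
    match = lookup(fib, src)
    if match is None:
        return False
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False
    return iface == in_iface


def ingress_filter_accept(customer_prefixes, src, in_iface):
    """Per-interface inbound filter: accept only sources inside the prefixes assigned
    to the customer on that interface, independent of what the routing table says."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in customer_prefixes.get(in_iface, []))
```

For the asymmetric source 198.51.100.130 arriving on Ethernet2, the strict reverse-path check drops a legitimate packet because the best route points to Ethernet3, while the assigned-prefix filter still accepts it.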