Recent versions of IOS support a cool feature: "ip verify unicast source reachable-via any" which can be installed on interfaces. This will silently drop (assuming you're using CEF) packets sourced from prefixes that you do not have a route for. I.e.: if you don't have 10/8 in your routing table, and someone sends you a packet sourced from 10.0.0.3 it will get dropped.

That will drop all your RFC 1918 space (with the obvious caveat of if you route it) at the edge or in the core easily.

As for non-packet filters, I defer to the plethora of threads.

- jared

On Tue, Oct 09, 2001 at 07:58:19AM -0700, Grant A. Kirkwood wrote:
Not to beat an already-decaying horse, BUT...
I'm currently in the process of setting up a new border router, and the recent debate on the above topic got me wondering what the best practice filtering policy is? Is there one?
And what do people put in place in terms of anti-spoofing ACLs and such? There's a wealth of information on these topics, but no real consensus.
Or am I just reopening an ugly can of worms here?
TIA,
--
Grant A. Kirkwood - grant@virtical.net
Chief Technology Officer - Virtical Solutions, Inc.
http://www.virtical.net/
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
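A small model of the loose-mode check Jared describes, added here as an example and not taken from the thread or from IOS itself: a source address is looked up against a constructed FIB and the packet is dropped when no route covers it, so unrouted RFC 1918 sources are discarded while a block you do route (the caveat above) passes. The `allow_default` flag models the IOS `allow-default` keyword, without which the default route does not satisfy the check.

```python
import ipaddress

# Constructed FIB for this example: the prefixes this router has routes for.
FIB = [
    ipaddress.ip_network("0.0.0.0/0"),        # default route toward the upstream
    ipaddress.ip_network("192.0.2.0/24"),     # customer prefix (documentation range)
    ipaddress.ip_network("198.51.100.0/24"),  # another customer prefix
    ipaddress.ip_network("10.10.0.0/16"),     # an RFC 1918 block that IS routed internally
]


def fib_lookup(src, fib, allow_default=False):
    """Longest-prefix match for src, or None if no route covers it.

    Loose mode ("reachable-via any") accepts a route via any interface,
    not only one pointing back out the ingress interface.  The default
    route only counts when allow_default is set (IOS 'allow-default').
    """
    addr = ipaddress.ip_address(src)
    best = None
    for net in fib:
        if net.prefixlen == 0 and not allow_default:
            continue  # default route is ignored for the RPF check
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def urpf_loose_verdict(src, fib, allow_default=False):
    """'forward' if the source is reachable via some route, else 'drop'."""
    return "forward" if fib_lookup(src, fib, allow_default) is not None else "drop"


def filter_packets(sources, fib, allow_default=False):
    """Apply the loose-mode check to a batch of source addresses."""
    return {s: urpf_loose_verdict(s, fib, allow_default) for s in sources}


if __name__ == "__main__":
    # Constructed sample sources: routed customer, unrouted and routed RFC 1918,
    # and a public address only covered by the default route.
    SAMPLE_SOURCES = ["192.0.2.7", "10.0.0.3", "10.10.4.4", "172.16.1.1", "203.0.113.9"]
    for src, verdict in filter_packets(SAMPLE_SOURCES, FIB).items():
        print(f"{src:>14}  {verdict}")
```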