Implementing RFC 2827 Anti-Spoofing Filtering
Last updated: May 3, 2013
Task
You own the network of 136.1.0.0/8; ensure bidirectional RFC2827 filtering on R3's connection to ASA4.
Each security policy violation should be logged.
Configure the router so that when viewing a log message, you can identify the name and line of the access-list from which it was generated.
Overview
RFC 2827 defines a filtering mechanism based on your internally assigned IPv4 address space that provides a basic form of anti-spoofing protection. Traffic leaving your network should carry only source IPv4 addresses from your own address space, and traffic entering your network should never carry a source IPv4 address that you own. These filters are usually applied at the edge of the network, so that they do not affect internal traffic but still drop inbound spoofed traffic as early as possible.
Syslog messages generated by access-list entries can be tagged either with a router-generated random MD5 hash value or with a user-defined cookie. The advantage of cookies is that you can choose a meaningful tag value, such as one that names the access-list and the access-list entry, which helps when troubleshooting. Note that user-defined cookies take precedence over router-generated MD5 hash values: if both options are configured, entries that carry a cookie get no MD5-hash-generated value.
Configuration
R3:
! Inbound from ASA4: drop (and log) any packet claiming an internal source address.
ip access-list extended RFC2827_IN
 deny ip 136.1.0.0 0.255.255.255 any log RFC2827_IN_LINE1
 permit ip any any
!
! Outbound to ASA4: only internally sourced traffic may leave; log everything else.
ip access-list extended RFC2827_OUT
 permit ip 136.1.0.0 0.255.255.255 any
 deny ip any any log RFC2827_OUT_LINE2
!
! Apply both lists on the R3-ASA4 link.
interface FastEthernet0/0.143
 ip access-group RFC2827_IN in
 ip access-group RFC2827_OUT out
!
! Send a log update after every matching packet rather than periodic summaries.
ip access-list log-update threshold 1
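As an added illustration that is not part of the original lab, the following Python evaluates the two access-lists above against sample packets, using Cisco wildcard-mask semantics and returning the user-defined cookie that would tag the syslog message. The parser (my own, not an IOS tool) handles only the forms used here: protocol "ip", source/destination as "any" or "address wildcard", and an optional "log <cookie>".

```python
import ipaddress
# Access-lists copied from the R3 configuration on this page.
RFC2827_IN = """
deny ip 136.1.0.0 0.255.255.255 any log RFC2827_IN_LINE1
permit ip any any
"""
RFC2827_OUT = """
permit ip 136.1.0.0 0.255.255.255 any
deny ip any any log RFC2827_OUT_LINE2
"""

def _parse_match(tokens):
    """Consume "any" or "<addr> <wildcard>"; None means "any"."""
    if tokens[0] == "any":
        return None, tokens[1:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, wild), tokens[2:]

def parse_acl(text):
    """Parse the ACL subset used above into (action, src, dst, cookie)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # skip blank lines and "!" comments
        action, _proto, *rest = tokens  # only "ip" entries appear here
        src, rest = _parse_match(rest)
        dst, rest = _parse_match(rest)
        # The string after "log" is the user-defined syslog cookie.
        cookie = rest[1] if len(rest) >= 2 and rest[0] == "log" else None
        entries.append((action, src, dst, cookie))
    return entries

def _matches(rule, address):
    if rule is None:
        return True
    net, wild = rule
    # A wildcard bit of 1 means "don't care": 0.255.255.255 therefore
    # matches all of 136.0.0.0/8, not just 136.1.0.0/16.
    return (int(ipaddress.IPv4Address(address)) | wild) == (net | wild)

def evaluate(acl_text, src, dst):
    """First-match evaluation returning (action, cookie); IOS ends every
    ACL with an implicit, unlogged "deny ip any any"."""
    for action, s, d, cookie in parse_acl(acl_text):
        if _matches(s, src) and _matches(d, dst):
            return action, cookie
    return "deny", None
```

Running evaluate(RFC2827_IN, "136.1.5.5", "172.1.143.3") reproduces the verification below: the spoofed packet is denied and tagged RFC2827_IN_LINE1.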
Verification
Verify that the access-list is applied correctly inbound on R3's interface.
Ensure that non-conforming packets are logged and that the messages are tagged with the access-list name. To do this, we generate packets from SW1 sourced from the internal 136.0.0.0/8 IPv4 address range.
Rack1SW1#ping 172.1.143.3