• Filter customers’ networks so that they can only send you traffic whose source addresses fit within their assigned network blocks. For example, if you have assigned a customer the network block 172.16.15.0 with netmask 255.255.255.0, the following Cisco ACL keeps them from sending source-spoofed packets through your network, and logs any attempt to do so, when applied to the customer’s incoming interface:
access-list 101 permit ip 172.16.15.0 0.0.0.255 any
access-list 101 deny ip any any log
!
! Serial1 here stands for the customer’s incoming interface
interface Serial1
 ip access-group 101 in
(Adjust ‘101’ to your access-list numbering scheme.)
• Protect your network from accepting packets on external connections whose source addresses should only ever come from internal machines. For instance, if your upstream has assigned you the network block 192.168.1.0 with netmask 255.255.255.0, use the following Cisco ACL:
access-list 199 deny ip 192.168.1.0 0.0.0.255 any
access-list 199 permit ip any any
!
! Serial0 is our Internet gateway’s interface to the Internet
interface Serial0
 ip access-group 199 in
• Protect others by ensuring that the packets you send out into external networks carry only your own source addresses. For instance, following the second example above, we would ensure that only packets with source addresses in 192.168.1.x can exit our network:
access-list 198 permit ip 192.168.1.0 0.0.0.255 any
access-list 198 deny ip any any
!
! Serial0 is our Internet gateway’s interface to the Internet
interface Serial0
 ip access-group 198 out
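The three lists above apply one idea (only packets whose source address belongs where they enter) at three points in the network. The Python model below is added here as an illustration and is not from the original text or from any Cisco tool; the class and function names are my own. It implements Cisco wildcard-mask matching (a 0 bit in the wildcard must match, a 1 bit is ignored), top-down first-match evaluation and the implicit deny at the end of every ACL, then runs lists 101, 199 and 198 against a few constructed source addresses to show which packets are passed, dropped, and logged.

```python
"""Model of the three anti-spoofing ACLs (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, source network, wildcard mask, log flag."""
    action: str        # "permit" or "deny"
    src_net: int       # source network as a 32-bit integer
    src_wild: int      # wildcard (inverse) mask: 1 bits are "don't care"
    log: bool = False  # True when the entry carries the "log" keyword


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def ace(action: str, src: str, wildcard: str, log: bool = False) -> Ace:
    return Ace(action, _ip(src), _ip(wildcard), log)


ANY = ("0.0.0.0", "255.255.255.255")   # Cisco "any" == 0.0.0.0 255.255.255.255


def matches(entry: Ace, src: str) -> bool:
    """Cisco wildcard semantics: packet and entry must agree on every 0 bit of the mask."""
    care_bits = ~entry.src_wild & 0xFFFFFFFF
    return ((_ip(src) ^ entry.src_net) & care_bits) == 0


def evaluate(acl: list, src: str) -> tuple:
    """Return (action, logged) for a packet with source address src.

    Entries are tried in order and the first match wins; if nothing matches,
    the router applies the implicit 'deny ip any any' that ends every ACL.
    """
    for entry in acl:
        if matches(entry, src):
            return entry.action, entry.log
    return "deny", False


# The three lists from the text, entry order as the router evaluates them.
ACL_101 = [ace("permit", "172.16.15.0", "0.0.0.255"),    # customer's own block
           ace("deny", *ANY, log=True)]                  # anything else: drop and log
ACL_199 = [ace("deny", "192.168.1.0", "0.0.0.255"),      # our block must never arrive from outside
           ace("permit", *ANY)]
ACL_198 = [ace("permit", "192.168.1.0", "0.0.0.255"),    # only our block may leave
           ace("deny", *ANY)]


def report() -> dict:
    """Run constructed sample sources through each list; returns a dict for inspection."""
    samples = {
        "101 (customer ingress)": (ACL_101, ["172.16.15.7", "10.0.0.1"]),
        "199 (Internet ingress)": (ACL_199, ["192.168.1.5", "203.0.113.9"]),
        "198 (Internet egress)": (ACL_198, ["192.168.1.5", "10.0.0.1"]),
    }
    results = {}
    for name, (acl, sources) in samples.items():
        for src in sources:
            results[(name, src)] = evaluate(acl, src)
    return results


if __name__ == "__main__":
    for (name, src), (action, logged) in report().items():
        print(f"{name:24} src={src:15} -> {action}{' (logged)' if logged else ''}")
```

Because `matches` uses the wildcard rather than a prefix length, it also handles the non-contiguous wildcards Cisco allows (for example `0.0.255.255` style matches on partial octets), which plain CIDR comparison does not.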