If you're an enterprise, your ISP may already be filtering some or all private source addresses before they reach you, but don't rely on that.
You should also block the IP subnet your ISP assigned to you: a packet arriving from the internet with one of your own addresses as its source is spoofed, since your own prefix can only legitimately originate behind your router.
For security, it's best to block all RFC 1918 space, and you may want to block other ranges that can never be valid source addresses (loopback, link-local, documentation, multicast, broadcast) as well.
Below is what I use:
access-list 199 deny ip 10.0.0.0 0.255.255.255 any
access-list 199 deny ip 127.0.0.0 0.255.255.255 any
access-list 199 deny ip 172.16.0.0 0.15.255.255 any
access-list 199 deny ip 169.254.0.0 0.0.255.255 any
access-list 199 deny ip 192.0.2.0 0.0.0.255 any
access-list 199 deny ip 192.168.0.0 0.0.255.255 any
access-list 199 deny ip 224.0.0.0 15.255.255.255 any --- All of multicast, 224.0.0.0/4, which already includes 239.0.0.0/8; a wildcard of 0.0.0.255 here would match only 224.0.0.0/24. A multicast address is never a valid source address.
access-list 199 deny ip host 255.255.255.255 any
access-list 199 deny ip YOUR-SUBNET-HERE 0.0.0.31 any --- Replace with the IP subnet assigned to you by your ISP (0.0.0.31 is a /27; adjust the wildcard to your block size). You never want to see a packet from the internet whose source is one of your own addresses.
access-list 199 permit ip any any --- This permits everything else. Without it the implicit deny at the end of every ACL would drop all inbound traffic.
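To see what the list actually matches without a router, here is an added Python checker (my example, not code from the post). It converts each "address wildcard" pair to a prefix, runs constructed sample source addresses through the entries in order with the implicit deny at the end, and reports which part of a prefix no deny entry covers. 203.0.113.0/27 is an assumed stand-in for YOUR-SUBNET-HERE, and the 224.0.0.0 entry is evaluated both with a 0.0.0.255 wildcard and with 15.255.255.255 (all of 224.0.0.0/4) to show the difference.

```python
"""Offline evaluator for Cisco IOS numbered ACL lines of the form
'access-list N deny|permit ip SRC WILDCARD any'.

Added example, not from the original post. 203.0.113.0/27 is an assumed
stand-in for YOUR-SUBNET-HERE; the sample source addresses are constructed.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF

# Constructed copy of the post's ACL, with the 224.0.0.0 entry using a
# 0.0.0.255 wildcard (i.e. only 224.0.0.0/24).
ACL_NARROW = """
access-list 199 deny ip 10.0.0.0 0.255.255.255 any
access-list 199 deny ip 127.0.0.0 0.255.255.255 any
access-list 199 deny ip 172.16.0.0 0.15.255.255 any
access-list 199 deny ip 169.254.0.0 0.0.255.255 any
access-list 199 deny ip 192.0.2.0 0.0.0.255 any
access-list 199 deny ip 192.168.0.0 0.0.255.255 any
access-list 199 deny ip 224.0.0.0 0.0.0.255 any
access-list 199 deny ip 239.0.0.0 0.255.255.255 any
access-list 199 deny ip host 255.255.255.255 any
access-list 199 deny ip 203.0.113.0 0.0.0.31 any
access-list 199 permit ip any any
"""

# Same list with the multicast entry widened to all of 224.0.0.0/4.
ACL_WIDE = ACL_NARROW.replace("224.0.0.0 0.0.0.255", "224.0.0.0 15.255.255.255")


def wildcard_to_network(addr, wildcard):
    """Convert IOS 'address wildcard' to an IPv4Network.

    A wildcard bit of 1 means 'don't care', so the netmask is its complement.
    Only contiguous masks are handled; IOS also accepts non-contiguous ones,
    but those cannot be expressed as a single prefix.
    """
    mask = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES
    prefix = bin(mask).count("1")
    if mask != (ALL_ONES << (32 - prefix)) & ALL_ONES:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def _take_address(tokens):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_acl(text):
    """Return [(action, src_net, dst_net), ...] in the order IOS evaluates them."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[3] != "ip":
            raise ValueError(f"unsupported line: {line}")
        action, rest = tokens[2], tokens[4:]
        src = _take_address(rest)
        dst = _take_address(rest)
        rules.append((action, src, dst))
    return rules


def evaluate(rules, src, dst="198.51.100.1"):
    """First matching entry wins; every ACL ends with an implicit deny."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def uncovered(rules, prefix):
    """Parts of `prefix` that no deny entry matches as a source address.

    Assumes the deny entries precede the final permit, as in the post's list.
    """
    remaining = [ipaddress.IPv4Network(prefix)]
    for action, src_net, _dst in rules:
        if action != "deny":
            continue
        nxt = []
        for block in remaining:
            if block.subnet_of(src_net):
                continue                                  # wholly denied
            if src_net.subnet_of(block):
                nxt.extend(block.address_exclude(src_net))  # carve out the denied part
            else:
                nxt.append(block)
        remaining = nxt
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


if __name__ == "__main__":
    for name, text in (("narrow", ACL_NARROW), ("wide", ACL_WIDE)):
        rules = parse_acl(text)
        for ip in ("10.1.2.3", "233.1.2.3", "203.0.113.9", "203.0.113.40", "198.51.100.7"):
            print(f"{name:6s} src {ip:15s} -> {evaluate(rules, ip)}")
        print(f"{name:6s} multicast not denied: {uncovered(rules, '224.0.0.0/4')}")
```

The `uncovered` check is the one worth keeping around: run it against every range you intend to drop after editing the list, because a wrong wildcard does not produce an error on the router, it just silently leaves a hole.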
Now apply this access list to the interface facing or connecting to your ISP.
interface Serial0/1/0
ip address YOUR-WAN-IP-HERE 255.255.255.252 --- The address your ISP assigned to this link.
ip access-group 199 in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
no cdp enable
You want to apply access-list 199 to inbound traffic, which is what the `in` keyword does; the NBAR, NetFlow and CDP lines are unrelated settings on the same interface. If you want to see how often spoofed packets hit the filter, add the `log` keyword to the deny entries and watch syslog.
Done.