On 2010.06.02 14:04, jack daniels wrote:
> Hi Guys,
> I'm facing an issue and stuck on a thought process, would appreciate if some
> way you guys can show with your experience in industry -
>
> ISSUE ----
>
> user X spoofs IP ADDRESS OF ISP-A and sends traffic out to internet...
> now when traffic is coming back via ISP-A... I want to block such traffic
> which is not originating from my ISP...
> but catch here is ---- filtering is to be done in ISP ...so putting acl for
> each user and port is not scalable.....
> Please help with any way out ...
As Roland stated... uRPF on your PE gear on each client-facing interface, and it is *extremely* simple to configure... one single line:

ip verify unicast source reachable-via rx

I wrote up a much more elaborate example not that long ago that goes much further (includes BOGON filtering and Source/Remote Triggered Black Hole):

http://ipv6canada.com/?p=59

Also see:

http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html

...and most importantly:

http://www.ietf.org/rfc/rfc3704.txt

Steve

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
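To make the reply's one-liner concrete, here is an added model (not code from the thread, from Cisco IOS, or from the linked write-up) of the decision uRPF makes per packet in strict mode (reachable-via rx) and loose mode (reachable-via any), as described in RFC 3704. The FIB, interface names, and packets are constructed sample data, and the helper names (lookup, urpf_strict, urpf_loose, apply_urpf) are this example's own. It reproduces the original poster's scenario: a customer behind Gi0/2 sourcing packets with an ISP-A address, which strict mode drops because the best route back to that source does not exit the arrival interface.

```python
"""Unicast RPF (RFC 3704) modelled as a per-packet decision.

Added illustration, not code from the thread or from Cisco IOS.  It models
what `ip verify unicast source reachable-via rx` (strict) and `... any`
(loose) do: look up the packet's SOURCE address in the FIB and decide
whether the packet could legitimately have arrived on that interface.
All prefixes, interface names and packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str  # interface the router uses to reach this prefix


# Constructed FIB for a PE router: default via the upstream, an internal
# ISP-A range via the core, and two customers on dedicated interfaces.
FIB: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "Gi0/0"),        # upstream
    Route(ipaddress.ip_network("198.51.100.0/24"), "Gi0/1"),  # ISP-A internal
    Route(ipaddress.ip_network("203.0.113.0/28"), "Gi0/2"),   # customer X
    Route(ipaddress.ip_network("203.0.113.16/28"), "Gi0/3"),  # customer Y
]


def lookup(src: str, fib: List[Route] = FIB) -> Optional[Route]:
    """Longest-prefix match for SRC; None if no route covers it."""
    ip = ipaddress.ip_address(src)
    best: Optional[Route] = None
    for r in fib:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def urpf_strict(src: str, in_iface: str, allow_default: bool = False) -> bool:
    """reachable-via rx: accept only if the best route back to SRC exits
    through the interface the packet arrived on.  A match on the default
    route counts only when allow_default is set (IOS keyword allow-default)."""
    r = lookup(src)
    if r is None or (r.prefix.prefixlen == 0 and not allow_default):
        return False
    return r.out_iface == in_iface


def urpf_loose(src: str, allow_default: bool = False) -> bool:
    """reachable-via any: accept if SRC is routable via any interface."""
    r = lookup(src)
    if r is None or (r.prefix.prefixlen == 0 and not allow_default):
        return False
    return True


def apply_urpf(packets: List[Tuple[str, str]], mode: str = "strict",
               allow_default: bool = False) -> List[str]:
    """Run (src, in_iface) pairs through the chosen mode; return the sources
    that would be dropped, in arrival order."""
    dropped: List[str] = []
    for src, iface in packets:
        ok = (urpf_strict(src, iface, allow_default) if mode == "strict"
              else urpf_loose(src, allow_default))
        if not ok:
            dropped.append(src)
    return dropped


# Constructed packets seen on customer X's interface (Gi0/2): one from X's
# own block, one spoofing an ISP-A internal address, one spoofing an
# address that only the default route covers.
CUSTOMER_X_PACKETS: List[Tuple[str, str]] = [
    ("203.0.113.5", "Gi0/2"),
    ("198.51.100.9", "Gi0/2"),
    ("192.0.2.77", "Gi0/2"),
]

if __name__ == "__main__":
    print("strict drops on Gi0/2:", apply_urpf(CUSTOMER_X_PACKETS, "strict"))
    print("loose drops on Gi0/2: ", apply_urpf(CUSTOMER_X_PACKETS, "loose", allow_default=True))
```

The two modes give different answers for the spoofed ISP-A source: strict drops it, loose lets it through because the address is routable somewhere. That is why strict mode belongs on single-homed customer-facing interfaces where routing is symmetric, while loose mode (or allow-default) is the usual choice on upstream or multihomed edges, where the same model shows strict mode would discard legitimate return traffic whose only route is the default.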