In order to help prevent your network(s) from being used in spoofed Denial of
Service (DoS) attacks, the following access list should be in place on your routers. The
access list needs to be placed outbound on the interface that connects to the ISP. Please
note that applying an access list on a Cisco router may have a performance impact. You should
monitor the CPU and memory usage before and after applying the filters to determine the
impact. You can use the "show proc cpu" command to do this.
access-list 1xx permit ip <Network-Base-Address> <Hostmask> any
access-list 1xx deny ip any any log
Please refer to the CIDR Table for help on the Network Base
Address and the Hostmask.
This access list prevents packets from leaving your network with a source IP address
that does not belong to your network.
For customers that have more than one connection to the internet, this would be applied
outbound on any interface connected to the Internet.
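As an added example (not part of the original document), the following Python script derives the network base address and hostmask from a CIDR prefix and generates the access list above for one or more address blocks, which is the multi-connection case where a customer has several ranges to permit. It then evaluates a few source addresses against the generated list using the same first-match, wildcard-mask semantics the router applies. The prefixes 192.168.1.0/24 and 192.168.2.0/24 and the test addresses are constructed inputs.

```python
# Added example (not from the original document): builds the egress
# anti-spoofing access list from CIDR prefixes and evaluates sample source
# addresses against it with IOS first-match / wildcard-mask semantics.
import ipaddress


def anti_spoof_acl(prefixes, acl_number=150):
    """Return IOS lines for an egress anti-spoofing list.

    Each prefix becomes 'permit ip <base> <hostmask> any'; the list ends with
    an explicit 'deny ip any any log'. The hostmask (IOS wildcard mask) is the
    bitwise inverse of the subnet mask, e.g. /24 -> 0.0.0.255.
    """
    lines = [f"no access-list {acl_number}"]
    for prefix in prefixes:
        # strict=True rejects a prefix with host bits set (e.g. 192.168.1.5/24),
        # which would otherwise silently permit the wrong block.
        net = ipaddress.ip_network(prefix, strict=True)
        lines.append(
            f"access-list {acl_number} permit ip {net.network_address} {net.hostmask} any"
        )
    lines.append(f"access-list {acl_number} deny ip any any log")
    return lines


def wildcard_match(addr, base, hostmask):
    """IOS wildcard semantics: a 0 bit in the hostmask must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    keep = int(ipaddress.IPv4Address(hostmask)) ^ 0xFFFFFFFF  # the netmask
    return (a & keep) == (b & keep)


def evaluate(acl_lines, src):
    """First-match evaluation of a source address against the generated list.

    Returns (action, matching_line). Only 'permit/deny ip <src> <mask> any'
    entries are understood, which is all this list contains.
    """
    for line in acl_lines:
        parts = line.split()
        if parts[0] != "access-list":
            continue  # skips the leading 'no access-list N'
        action, base, mask = parts[2], parts[4], parts[5]
        if base == "any" or wildcard_match(src, base, mask):
            return action, line
    # Every IOS ACL ends with an implicit deny; our list makes it explicit,
    # so this is only reached for a list without a final 'any' entry.
    return "deny", "(implicit deny at end of list)"


if __name__ == "__main__":
    # Constructed inputs: the document's example block plus a second block for
    # a customer with more than one address range.
    acl = anti_spoof_acl(["192.168.1.0/24", "192.168.2.0/24"])
    print("\n".join(acl))
    for src in ("192.168.1.77", "192.168.2.1", "10.0.0.1"):
        print(src, "->", evaluate(acl, src)[0])
```

Running the script prints the list ready to paste at the (config) prompt, followed by the verdict for each test address; 10.0.0.1 is the one that falls through to the logged deny.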
Placing the ACL on interfaces toward the internet
In the following example the link to the internet is Serial0.1.
external-gw#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0 192.168.2.1 YES NVRAM up up
Serial0 unassigned YES unset up up
Serial0.1 192.168.1.1 YES unset up up
Serial1 unassigned YES unset down down
external-gw#
The network is 192.168.1.0 255.255.255.0. We want to create an access list that will
permit traffic from any host within the 192.168.1.0/24 network and drop all other traffic.
To see if access list 150 is already defined, enter the following router commands:
external-gw#sh access-list 150
external-gw#
If there was an access list it would have shown up here.
If 150 already exists, simply choose a 1NN number that is not in use: 160, 165, etc.
Substitute the number you choose in the configuration examples below.
Now we want to make sure that the serial interface does not have an access-list applied
outbound.
external-gw#show ip interface serial0.1
Serial0.1 is up, line protocol is up
.
.
.
Outgoing access list is not set
.
.
.
external-gw#
You should see the line "Outgoing access list is not set". If not, you
already have an outbound access list, and you will need to see your firewall administrator
for help. The anti-spoofing rules can be applied to an existing outbound access list, but
care needs to be taken not to interfere with the existing rules. If you do not have an
existing outbound access list, then you can now create access-list 150 and apply it
outbound on the interface connected to the ISP (in this example it is serial0.1).
external-gw#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
external-gw(config)#
Once you are at the (config) prompt, you can "cut-and-paste" the access-list
into the router. You need to either create an access list to only allow traffic with
source addresses belonging to your network as described in Step 1.1, or you can
"cut-and-paste" the access-list to deny private and reserved addresses as
described in Step 1.2.
Once you have created the access-list you need to apply it to the interface.
external-gw(config)#interface serial0.1
external-gw(config-subif)#ip access-group 150 out
external-gw(config-subif)#^Z
external-gw#write
Building configuration...
[OK]
external-gw#
Example Anti-Spoof Access List
You need to replace the network and hostmask with your network information. Then
you can "cut-and-paste" the access list at the (config) prompt as described
above.
no access-list 150
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 deny ip any any log
Access List to Deny Private & Reserved Source Addresses
If you are implementing Step 1.2, you can "cut-and-paste" the following
access list at the (config) prompt as described above.
no access-list 150
access-list 150 deny ip 0.0.0.0 0.255.255.255 any
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip 169.254.0.0 0.0.255.255 any
access-list 150 deny ip 172.16.0.0 0.15.255.255 any
access-list 150 deny ip 192.0.2.0 0.0.0.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip 224.0.0.0 15.255.255.255 any
access-list 150 deny ip 240.0.0.0 7.255.255.255 any
access-list 150 deny ip 248.0.0.0 7.255.255.255 any
access-list 150 deny ip 255.255.255.255 0.0.0.0 any
access-list 150 permit ip any any
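Before applying the Step 1.2 list, a practitioner will want to confirm that none of its deny entries covers their own address block (which would drop their own traffic), and that no entry is shadowed by an earlier one (with first-match evaluation such an entry can never fire). The following Python script, an added example rather than code from the original document, parses the list exactly as given above and performs both checks. The own-network prefixes it is tested with are constructed (203.0.113.0/24 is a documentation range); note that the document's example network 192.168.1.0/24 falls inside the 192.168.0.0/16 deny entry, and the script reports that.

```python
# Added example (not from the original document): audits the deny-list of
# private/reserved sources for deny entries that overlap our own address
# block and for entries shadowed by an earlier entry.
import ipaddress

# The Step 1.2 list exactly as given in the document.
DENY_PRIVATE_ACL = """\
no access-list 150
access-list 150 deny ip 0.0.0.0 0.255.255.255 any
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip 169.254.0.0 0.0.255.255 any
access-list 150 deny ip 172.16.0.0 0.15.255.255 any
access-list 150 deny ip 192.0.2.0 0.0.0.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip 224.0.0.0 15.255.255.255 any
access-list 150 deny ip 240.0.0.0 7.255.255.255 any
access-list 150 deny ip 248.0.0.0 7.255.255.255 any
access-list 150 deny ip 255.255.255.255 0.0.0.0 any
access-list 150 permit ip any any
"""


def hostmask_to_prefixlen(hostmask):
    """Convert an IOS wildcard mask to a prefix length; rejects non-contiguous masks."""
    w = int(ipaddress.IPv4Address(hostmask))
    if w & (w + 1):  # a contiguous run of low-order ones looks like 2**k - 1
        raise ValueError(f"non-contiguous wildcard mask {hostmask}")
    return 32 - w.bit_length()


def parse_entries(acl_text):
    """Return [(action, network)] for 'permit/deny ip <src> <mask> any' lines."""
    entries = []
    for line in acl_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[3] != "ip":
            continue  # skips 'no access-list 150' and anything not an ip entry
        action, base, mask = parts[2], parts[4], parts[5]
        if base == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(f"{base}/{hostmask_to_prefixlen(mask)}", strict=False)
        entries.append((action, net))
    return entries


def conflicts_with_own_prefixes(acl_text, own_prefixes):
    """Deny entries overlapping one of our own blocks: applying the list would drop our traffic."""
    own = [ipaddress.ip_network(p) for p in own_prefixes]
    hits = []
    for action, net in parse_entries(acl_text):
        if action != "deny":
            continue
        for block in own:
            if net.overlaps(block):
                hits.append((str(block), str(net)))
    return hits


def shadowed_entries(acl_text):
    """Entries fully covered by an earlier entry; first-match means they never fire."""
    seen = []
    shadowed = []
    for action, net in parse_entries(acl_text):
        if any(net.subnet_of(earlier) for _, earlier in seen):
            shadowed.append((action, str(net)))
        seen.append((action, net))
    return shadowed


if __name__ == "__main__":
    # Constructed own-network prefixes: a public documentation range, and the
    # document's example block, which is itself RFC 1918 space.
    for own in (["203.0.113.0/24"], ["192.168.1.0/24"]):
        print(own, "conflicts:", conflicts_with_own_prefixes(DENY_PRIVATE_ACL, own))
    print("shadowed:", shadowed_entries(DENY_PRIVATE_ACL))
```

The shadow check reports the final 255.255.255.255 entry, which is already covered by the preceding 248.0.0.0 7.255.255.255 entry; that is harmless, but a shadowed entry is the usual sign of an ordering mistake when a list is edited by hand.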
The "log" keyword at the end of the deny statement causes the router to log any
packet sent with a source address other than those permitted by the preceding
statement.
After the access list is applied to the interface, the command "show ip
access-list <list>" will display a match counter for each entry. Confirm
that the counter for the entry that permits your address block is incrementing.
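To make the two checks above repeatable, the following Python script (an added example, not from the original document) parses two snapshots of "show ip access-list 150" and reports the per-entry counter increase, and tallies the source addresses reported by the messages that the "log" keyword produces. The snapshots and syslog lines are constructed in the shape IOS prints them, not output captured from the router in this document; IOS reports logged extended-ACL denies as %SEC-6-IPACCESSLOGP for TCP/UDP and %SEC-6-IPACCESSLOGDP for ICMP.

```python
# Added example (not from the original document): verifies the ACL from two
# counter snapshots and summarises the sources reported by the 'log' keyword.
# All sample output below is constructed, not captured from a real router.
import re
from collections import Counter

SNAPSHOT_BEFORE = """\
Extended IP access list 150
    10 permit ip 192.168.1.0 0.0.0.255 any (1523 matches)
    20 deny ip any any log (4 matches)
"""

SNAPSHOT_AFTER = """\
Extended IP access list 150
    10 permit ip 192.168.1.0 0.0.0.255 any (1611 matches)
    20 deny ip any any log (6 matches)
"""

SYSLOG = [
    "Jan  1 10:00:01 external-gw 42: %SEC-6-IPACCESSLOGP: list 150 denied tcp 10.9.8.7(4021) -> 203.0.113.5(80), 1 packet",
    "Jan  1 10:00:03 external-gw 43: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 172.16.4.4 -> 203.0.113.5 (8/0), 1 packet",
    "Jan  1 10:05:01 external-gw 44: %SEC-6-IPACCESSLOGP: list 150 denied tcp 10.9.8.7(4021) -> 203.0.113.5(80), 1 packet",
]

# An entry line: optional sequence number, the entry text, optional "(N matches)".
ENTRY_RE = re.compile(
    r"^\s*(?:\d+\s+)?(?P<entry>(?:permit|deny)\s.*?)\s*(?:\((?P<n>\d+) match(?:es)?\))?\s*$"
)

# A logged deny: source/destination may carry "(port)" and ICMP adds "(type/code)".
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\([^)]*\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\s*\([^)]*\))?, (?P<n>\d+) packets?"
)


def parse_counters(show_output):
    """Map each ACL entry to its match counter (0 when IOS prints no count)."""
    counters = {}
    for line in show_output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            counters[m.group("entry")] = int(m.group("n") or 0)
    return counters


def counter_deltas(before, after):
    """Per-entry increase between two snapshots taken a little apart."""
    return {entry: after.get(entry, 0) - before.get(entry, 0) for entry in after}


def permit_is_incrementing(before, after):
    """The document's check: the entry that passes our own block must be counting."""
    return any(d > 0 for e, d in counter_deltas(before, after).items() if e.startswith("permit"))


def spoofed_sources(syslog_lines):
    """Tally denied source addresses: these are the hosts inside our network
    emitting packets with a source address that is not ours."""
    tally = Counter()
    for line in syslog_lines:
        m = LOG_RE.search(line)
        if m:
            tally[m.group("src")] += int(m.group("n"))
    return tally


if __name__ == "__main__":
    before, after = parse_counters(SNAPSHOT_BEFORE), parse_counters(SNAPSHOT_AFTER)
    print("deltas:", counter_deltas(before, after))
    print("permit incrementing:", permit_is_incrementing(before, after))
    print("denied sources:", spoofed_sources(SYSLOG))
```

A permit counter that stays at zero after the list is applied usually means the base address or hostmask does not describe the block actually in use; the denied-source tally then tells you which inside hosts to look at, since a deny hit on this list is either a misconfigured host or one sending spoofed traffic.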
If it is necessary to remove the access list due to an error, use the interface command
"no ip access-group 150 out" to remove it and confirm with "show ip int
<interface>".
Never change the access lists on the router interface you are using to configure the
router. Either remove the access-group first, or configure the router via the serial
console interface. If you do not remove the access-group from the interface first, you
will cause a momentary outage while installing the new access list and may disable all
traffic through the interface if you make an error, plus inadvertently disconnect your
telnet terminal session from which configuration changes are being made!