In preparation for your CCNA Security 640-553 exam, we want to make sure we cover topics that you are very likely to encounter on your Cisco CCNA exam. So to assist you, below we will discuss configuring IP ACLs to prevent IP address spoofing using the CLI.
Configure IP ACLs to prevent IP address spoofing using CLI
Spoofing IP datagrams is a well-known problem that has been addressed in various research papers. Most spoofing is done for illegitimate purposes: attackers usually want to hide their own identity and somehow damage the IP packet destination. This article discusses ways of spoofing IP datagrams, various attacks that involve spoofed IP packets, and techniques to detect spoofed packets and trace them back to their original source; spoofing concerns for IPv6 are briefly addressed.
IP spoofing is a technique for obtaining unauthorized access to computer systems: the attacker sends packets carrying a forged source IP address, so that they appear to come from a trusted host rather than from the real sender. Because forged source addresses are easy to produce, they are the basis of a variety of attack types.
IP spoofing is a difficult problem to tackle because it is rooted in the structure of the IP packet: nothing in the IP header authenticates the source address. IP packets can be exploited in several ways. Because attackers can hide their identity with IP spoofing, they can mount several kinds of network attacks. Although there is no easy solution for the IP spoofing problem, you can apply some simple proactive and reactive methods at the nodes, and use the routers in the network to help detect a spoofed packet and trace it back to its originating source.
Mitigating Spoofing Attacks
With that background, we look at how a Cisco router is configured with an ACL to mitigate spoofing. First we define the ACL rules, then we apply them to an interface.
IP Address Spoofing Mitigation: Inbound
// Applied inbound on the outside interface: drop packets arriving from outside whose
// source claims to be the inside network (10.2.1.0/24), then the 0.0.0.0/8, loopback,
// private (172.16/12, 192.168/16), multicast and broadcast ranges, none of which should
// ever appear as a source address arriving from outside
R1(config)# access-list 150 deny ip 10.2.1.0 0.0.0.255 any log
R1(config)# access-list 150 deny ip 0.0.0.0 0.255.255.255 any log
R1(config)# access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
R1(config)# access-list 150 deny ip 172.16.0.0 0.15.255.255 any log
R1(config)# access-list 150 deny ip 192.168.0.0 0.0.255.255 any log
R1(config)# access-list 150 deny ip 224.0.0.0 15.255.255.255 any log
R1(config)# access-list 150 deny ip host 255.255.255.255 any log
// Permit the remaining traffic to the inside network; the implicit "deny all"
// at the end of the ACL drops everything else, so without a permit statement
// no inbound packet would ever get through
R1(config)# access-list 150 permit ip any 10.2.1.0 0.0.0.255
// Apply the ACL inbound on the outside interface
R1(config)# int e1/0
R1(config-if)# ip access-group 150 in
R1(config-if)# exit
IP Address Spoofing Mitigation: Outbound
// Applied inbound on the inside interface, so only packets carrying a legitimate
// inside source address (10.2.1.0/24) are allowed to leave the network; anything
// else is dropped and logged
R1(config)# access-list 105 permit ip 10.2.1.0 0.0.0.255 any
R1(config)# access-list 105 deny ip any any log
R1(config)# int f0/0
R1(config-if)# ip access-group 105 in
R1(config-if)# exit
4.4 Discuss the caveats to be considered when building ACLs
Create access lists for each protocol you wish to filter, per router interface. For some protocols, you create one access list to filter inbound traffic, and one access list to filter outbound traffic.
The protocols for which you can configure access lists are identified in the tables in the Cisco IOS documentation.
To create an access list, you specify the protocol to filter, you assign a unique name or number to the access list, and you define packet filtering criteria. A single access list can have multiple filtering criteria statements.
When configuring access lists on a router, you must identify each access list uniquely within a protocol, by assigning either a name or a number to the protocol's access list.
Access lists of some protocols must be identified by a name, and access lists of other protocols must be identified by a number. Some protocols can be identified by either a name or a number. When a number is used to identify an access list, the number must be within the specific range of numbers that is valid for the protocol.
The Implied "Deny All Traffic" Criteria
At the end of every access list is an implied "deny all traffic" criteria statement. Therefore, if a packet does not match any of your criteria statements, the packet will be blocked.
For most protocols, if you define an inbound access list for traffic filtering, you should include explicit access list criteria statements to permit routing updates. If you do not, you might effectively lose communication from the interface when routing updates are blocked by the implicit "deny all traffic" statement at the end of the access list.
The Order in Which You Enter Criteria
Note that each additional criteria statement that you enter is appended to the end of the access list statements. Also note that you cannot delete individual statements after they have been created. You can only delete an entire access list.
The order of access list statements is important. When the router is deciding whether to forward or block a packet, the Cisco IOS software tests the packet against each criteria statement in the order in which the statements were created. After a match is found, no more criteria statements are checked.
If you create a criteria statement that explicitly permits all traffic, no statements added later will ever be checked. If you need additional statements, you must delete the access list and retype it with the new entries.
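The following Python script is an added example, not part of the original article or of Cisco's own tooling. It is a small first-match ACL evaluator that reproduces the three rules above (statements are tested in order, the first match wins, and an implicit "deny all" follows the last statement) and runs the page's two anti-spoofing ACLs against constructed packets. ACL 150 is entered with a final permit for traffic to the inside network, since without any permit statement the implicit deny would drop every inbound packet. The wildcard-mask semantics, the sample packet addresses and the shadowed ACL 120 are assumptions of the example; shadowed_entries goes beyond the page's single "permit any first" case and reports any statement that an earlier statement already covers.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copies of the page's two anti-spoofing ACLs in IOS syntax.
# ACL 150 ends with a permit for traffic to the inside network; without any
# permit statement the implicit "deny all" would drop every inbound packet.
ACL_150_TEXT = """
access-list 150 deny ip 10.2.1.0 0.0.0.255 any log
access-list 150 deny ip 0.0.0.0 0.255.255.255 any log
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
access-list 150 deny ip 172.16.0.0 0.15.255.255 any log
access-list 150 deny ip 192.168.0.0 0.0.255.255 any log
access-list 150 deny ip 224.0.0.0 15.255.255.255 any log
access-list 150 deny ip host 255.255.255.255 any log
access-list 150 permit ip any 10.2.1.0 0.0.0.255
"""
ACL_105_TEXT = """
access-list 105 permit ip 10.2.1.0 0.0.0.255 any
access-list 105 deny ip any any log
"""
# Constructed mistake: a permit-all entered first shadows everything after it.
SHADOWED_TEXT = """
access-list 120 permit ip any any
access-list 120 deny ip 10.2.1.0 0.0.0.255 any log
"""

MASK32 = 0xFFFFFFFF


@dataclass
class Entry:
    action: str      # "permit" or "deny"
    protocol: str    # "ip" matches every protocol
    src: tuple       # (network, wildcard) as 32-bit ints
    dst: tuple
    log: bool


def _addr_spec(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'.
    Returns ((network, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, MASK32), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (net, wild), tokens[2:]


def _matches(addr, spec):
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care';
    every 0 bit must agree with the network address."""
    net, wild = spec
    return ((addr ^ net) & ~wild & MASK32) == 0


def _covers(a, b):
    """True if every address matching spec b also matches spec a."""
    na, wa = a
    nb, wb = b
    return (wb & ~wa & MASK32) == 0 and ((na ^ nb) & ~wa & MASK32) == 0


def parse_acl(text, number):
    """Parse 'access-list N action proto src dst [log]' lines for one ACL number."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", str(number)]:
            continue
        src, rest = _addr_spec(tok[4:])
        dst, rest = _addr_spec(rest)
        entries.append(Entry(tok[2], tok[3], src, dst, "log" in rest))
    return entries


def evaluate(entries, src_ip, dst_ip, protocol="ip"):
    """First-match evaluation as IOS does it. Returns (action, line_number);
    line_number is None when only the implicit deny at the end matched."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for n, e in enumerate(entries, 1):
        if e.protocol in ("ip", protocol) and _matches(s, e.src) and _matches(d, e.dst):
            return e.action, n
    return "deny", None


def shadowed_entries(entries):
    """1-based line numbers of entries that can never match because an
    earlier entry already covers every packet they could match."""
    shadowed = []
    for i, later in enumerate(entries):
        for earlier in entries[:i]:
            if (earlier.protocol in ("ip", later.protocol)
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)):
                shadowed.append(i + 1)
                break
    return shadowed


ACL150 = parse_acl(ACL_150_TEXT, 150)
ACL105 = parse_acl(ACL_105_TEXT, 105)

if __name__ == "__main__":
    # Inbound on e1/0: a packet from outside claiming an inside source is dropped.
    print(evaluate(ACL150, "10.2.1.5", "10.2.1.10"))        # ('deny', 1)
    print(evaluate(ACL150, "203.0.113.9", "10.2.1.10"))     # ('permit', 8)
    print(evaluate(ACL150, "203.0.113.9", "198.51.100.1"))  # ('deny', None)
    # Inbound on f0/0: only packets with a legitimate inside source may leave.
    print(evaluate(ACL105, "192.0.2.1", "203.0.113.9"))     # ('deny', 2)
    print(shadowed_entries(parse_acl(SHADOWED_TEXT, 120)))  # [2]
```

The evaluator returns the number of the statement that matched, so you can see which line of ACL 150 caught a given spoofed source and confirm that a packet matching no statement falls through to the implicit deny. Running shadowed_entries over an ACL before loading it catches the ordering mistake described above, where a permit-all entered early makes every later statement dead.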
Creating and Editing Access List Statements on a TFTP Server
Because the order of access list criteria statements is important, and because you cannot reorder or delete criteria statements on your router, Cisco recommends that you create all access list statements on a TFTP server, and then download the entire access list to your router.
To use a TFTP server, create the access list statements using any text editor, and save the access list in ASCII format to a TFTP server that is accessible by your router. Then, from your router, use the copy tftp:file_id system:running-config command to copy the access list to your router. Finally, perform the copy system:running-config nvram:startup-config command to save the access list to your router's NVRAM.
Then, if you ever want to make changes to an access list, you can make them to the text file on the TFTP server, and copy the edited file to your router as before.
The first command of an edited access list file should delete the previous access list (for example, type a no access-list command at the beginning of the file). If you do not first delete the previous version of the access list, when you copy the edited file to your router you will merely be appending additional criteria statements to the end of the existing access list.
Applying Access Lists to Interfaces
For some protocols, you can apply up to two access lists to an interface: one inbound access list and one outbound access list. With other protocols, you apply only one access list which checks both inbound and outbound packets.
If the access list is inbound, when the router receives a packet, the Cisco IOS software checks the access list's criteria statements for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.
If the access list is outbound, after receiving and routing a packet to the outbound interface, the software checks the access list's criteria statements for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.
Access lists that are applied to interfaces do not filter traffic that originates from that router.
I hope you found this CCNA Security 640-553 article to be of use and it helps you prepare for your Cisco CCNA certification. Achieving your CCNA certification is much more than just memorizing Cisco exam material. It is having the real world knowledge to configure your Cisco equipment and be able to methodically troubleshoot Cisco issues. So I encourage you to continue in your studies for your CCNA exam certification.