Router configuration is mainly used to debug the router, making it more convenient for future use. According to RFC 2267, Internet service providers (ISPs) must use filters of this kind on their networks. Note that the ACL ends with permit ip any. In the "real world", you may have a stateful firewall in the router configuration, which can protect your internal LAN.
Of course, you can go further in this respect and filter all inbound traffic from the other subnets of the intranet, to ensure that no one in one subnet spoofs IP addresses from another subnet. You can also implement an outbound ACL to prevent users on your network from impersonating IP addresses of other networks. But remember that this is only one aspect of the entire network security policy.
Use reverse path forwarding (that is, IP address verification)
Another way to avoid IP address spoofing is to use reverse path forwarding (RPF), or IP address verification. In Cisco IOS, the reverse path forwarding command starts with ip verify. RPF works much like an anti-spam solution. After receiving an email message, the anti-spam solution first extracts the source email address, and then queries the sending server to check whether the sender actually exists on that server. If the sender does not exist, the server discards the message because it cannot reply to it, and the message is generally spam.
RPF performs a similar operation on data packets. It receives a data packet from the Internet, retrieves the source IP address, and then checks whether the routing table in the router contains a route back to that source. If the return route for the packet is not in the routing table, it is very likely that someone has forged the packet, so the router discards it. The following shows how to configure RPF on a router:
Router(config)# ip cef
Router(config)# int serial0/0
Router(config-if)# ip verify unicast reverse-path
Note that this does not work for multi-homed networks. It is important to protect private networks from attacks from the Internet. These three methods are already very effective in defending against IP address spoofing.
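The reverse path check described above can be modelled in a few lines. This is an added example, not code from the original article. It goes slightly beyond the text by also comparing the arrival interface, which is what strict reverse-path checking does, and the routing table, interface names and packets are constructed for illustration.

```python
import ipaddress

# Constructed routing table for a dual-homed router: (prefix, outgoing interface).
# Prefixes and interface names are assumptions made for this example.
FIB = [
    ("0.0.0.0/0", "serial0/0"),        # default route via the first uplink
    ("198.51.100.0/24", "serial0/1"),  # one remote prefix preferred via a second uplink
    ("192.0.2.0/24", "ethernet0/0"),   # internal LAN
]
ROUTES = [(ipaddress.ip_network(p), i) for p, i in FIB]


def best_route(addr, routes=ROUTES):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(n, i) for n, i in routes if ip in n]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)


def strict_rpf(src, in_if, routes=ROUTES):
    """Accept only if the best route back to src leaves via the arrival interface."""
    route = best_route(src, routes)
    if route is None:
        return False, "no route to source"
    if route[1] != in_if:
        return False, f"route to source is via {route[1]}, not {in_if}"
    return True, "reverse path matches"


# Constructed packets: (source address, arrival interface, description)
PACKETS = [
    ("203.0.113.7", "serial0/0", "Internet host on first uplink"),
    ("192.0.2.10", "serial0/0", "LAN address spoofed from outside"),
    ("198.51.100.5", "serial0/0", "genuine host, asymmetric return path"),
]

if __name__ == "__main__":
    for src, in_if, note in PACKETS:
        ok, reason = strict_rpf(src, in_if)
        print(f"{'PASS' if ok else 'DROP'} {src:<14} on {in_if:<10} {note}: {reason}")
```

The third packet is the multi-homed case: a genuine source is dropped because its return route points out a different uplink than the one it arrived on.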