The OpenNET Project / Index page

ip unnumbered + uRPF vs ip-spoofing, lucifer, 21-Oct-10, 16:30
Good day.
Could you advise how to protect against IP spoofing?
The topology is as follows: a DSLAM is connected to a port of a 7506 NPE-G2; each subscriber lives in its own VLAN, and on the Cisco the interface is split into subinterfaces, one per subscriber. Connections are /30 for private (grey) addresses and /32 with ip unnumbered loopback for public (white) addresses. The flow-based monitoring system records IP spoofing every day, even though uRPF is enabled on the interfaces:

Hardware: Cisco 7206VXR (NPE-G2)
Software: (C7200P-ADVENTERPRISEK9-M), Version 12.4(4)XD12, RELEASE SOFTWARE (fc3)

ip cef

interface Loopback100
ip address xx.xx.xx.1
ip verify unicast source reachable-via rx

interface GigabitEthernet0/2.1554
encapsulation dot1Q 1554
ip address xx.xx.xx.237
ip verify unicast reverse-path
no snmp trap link-status
no cdp enable

interface GigabitEthernet0/2.1555
encapsulation dot1Q 1555
ip unnumbered Loopback100
ip verify unicast source reachable-via rx
no ip redirects
no snmp trap link-status
no cdp enable

sh cef dr
CEF Drop Statistics
Slot  Encap_fail  Unresolved Unsupported    No_route      No_adj  ChkSum_Err
RP      70133161       44839           0   116522479           0      183060

sh cef int lo100      
Loopback100 is up (if_number 12)
  Corresponding hwidb fast_if_number 12
  Corresponding hwidb firstsw->if_number 12
  Internet address is xx.xx.xx.1/32
  ICMP redirects are always sent
  Per packet load-sharing is disabled
  IP unicast RPF check is enabled
  Inbound access list is not set
  Outbound access list is not set
  Interface is marked as loopback interface
  Hardware idb is Loopback100
  Fast switching type 13, interface type 85
  IP CEF switching enabled
  IP CEF Feature Fast switching turbo vector
  IP Null turbo vector
  Input fast flags 0x0, Input fast flags2 0x0, Output fast flags 0x0, Output fast flags2 0x0
  ifindex 10(10)
  Slot -1 Slot unit -1 Unit 100 VC -1
  Transmit limit accumulator 0x0 (0x0)
  IP MTU 1514

sh cef int gi0/2.1554
GigabitEthernet0/2.1554 is up (if_number 1219)
  Corresponding hwidb fast_if_number 367
  Corresponding hwidb firstsw->if_number 3
  Internet address is xx.xx.xx.237/30
  ICMP redirects are always sent
  Per packet load-sharing is disabled
  IP unicast RPF check is enabled
  Inbound access list is not set
  Outbound access list is not set
  Hardware idb is GigabitEthernet0/2
  Fast switching type 1, interface type 27
  IP CEF switching enabled
  IP Flow switching turbo vector
  IP VPN Flow CEF switching turbo vector
  Input fast flags 0x80085027, Input fast flags2 0x8, Output fast flags 0x10004000, Output fast flags2 0x0
  ifindex 4(4)
  Slot 0 Slot unit 2 Unit 1 VC -1
  Transmit limit accumulator 0x0 (0x0)
  IP MTU 1500

sh cef int gi0/2.1555
GigabitEthernet0/2.1555 is up (if_number 1220)
  Corresponding hwidb fast_if_number 1309
  Corresponding hwidb firstsw->if_number 3
  Internet address is
  Unnumbered interface. Using address of Loopback100 (xx.xx.xx.1)
  ICMP redirects are never sent
  Per packet load-sharing is disabled
  IP unicast RPF check is enabled
  Inbound access list is not set
  Outbound access list is not set
  Hardware idb is GigabitEthernet0/2
  Fast switching type 1, interface type 27
  IP CEF switching enabled
  IP Flow switching turbo vector
  IP VPN Flow CEF switching turbo vector
  Input fast flags 0x80085027, Input fast flags2 0x8, Output fast flags 0x10004000, Output fast flags2 0x0
  ifindex 4(4)
  Slot 0 Slot unit 2 Unit 1 VC -1
  Transmit limit accumulator 0x0 (0x0)
  IP MTU 1500
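As an added illustration (not part of the original post), the Python below models the strict-mode uRPF check (`reachable-via rx`) that the configuration above enables, run over a constructed FIB and constructed flow records laid out like the setup described: /30 private subscribers and /32 host routes behind ip unnumbered Loopback100. Interface names, prefixes and the sample flows are assumptions, not the poster's router.

```python
"""Strict uRPF simulated over constructed flow records (added example)."""
import ipaddress

# Constructed FIB: (prefix, egress interface). Names/prefixes are assumed.
FIB = [
    ("10.0.0.0/30", "Gi0/2.1554"),        # /30 private subscriber
    ("203.0.113.10/32", "Gi0/2.1555"),    # /32 host route, ip unnumbered sub
    ("203.0.113.11/32", "Gi0/2.1556"),    # /32 host route, another subscriber
    ("203.0.113.0/24", "Loopback100"),    # network of Loopback100 itself
    ("0.0.0.0/0", "Gi0/1"),               # default route towards the uplink
]


def lookup(addr):
    """Longest-prefix match; returns (network, egress interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in FIB:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def urpf_strict(src, ingress, allow_default=False):
    """Strict mode: accept only if the best route back to the SOURCE
    points out the interface the packet came in on.  The default route
    is ignored unless allow-default is configured, as on IOS."""
    best = lookup(src)
    if best is None:
        return False
    net, egress = best
    if net.prefixlen == 0 and not allow_default:
        return False
    return egress == ingress


# Constructed NetFlow-style records: (source address, ingress interface).
FLOWS = [
    ("10.0.0.2", "Gi0/2.1554"),       # legitimate /30 subscriber
    ("203.0.113.10", "Gi0/2.1555"),   # legitimate unnumbered subscriber
    ("203.0.113.11", "Gi0/2.1555"),   # spoofed: host route points to .1556
    ("198.51.100.7", "Gi0/2.1555"),   # spoofed: only the default route matches
    ("203.0.113.50", "Gi0/2.1555"),   # no /32 host route, only Loopback100's /24
]


def classify(flows):
    """Label each record the way the flow monitor would after the check."""
    return [(src, ifc, "accept" if urpf_strict(src, ifc) else "drop")
            for src, ifc in flows]
```

In this model a source without a /32 host route out of its own subinterface (the last record) fails strict uRPF even though it sits inside Loopback100's network, which is the case worth comparing against the daily flow alerts.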
