
Use of ACL's to mitigate the risk of IP Spoofing

13 years 10 months ago #34655 by FlipRich
Consider this ACL used for protection against IP Spoofing:

Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip access-list ext ingress-antispoof
Router(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any
Router(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any
Router(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 224.0.0.0 31.255.255.255 any
Router(config-ext-nacl)# deny ip 169.254.0.0 0.0.255.255 any

This inbound ACL would be placed on the outside interface to prevent IP spoofing.

What's the use of this ACL if IP is already implicitly denied? Other than saving router resources.

This question has been in my head for months and I still don't know the answer. I did pass the CCNA-S test without the answer though. :)

Rich
Network Engineer /CCNP, CCNA-S
Tallahassee, FL
13 years 10 months ago #34669 by JamieP
These ACLs are usually applied to WAN interfaces, which *should* have a public IP address.

Therefore, unless you are addressing the inside of your network with a public IP range, you will be using one of the ranges specified in the ACL, and NATing from inside to out.

So, working on the assumption that your WAN interface has a public IP address, and the ranges in the ACL cannot be routed on the public network (i.e. the internet), you should never see this traffic unless it is malicious.

The below is a copy from one of my edge ACLs; the counters were only reset yesterday, and I'm already seeing hits:

110 deny ip 10.0.0.0 0.255.255.255 any
120 deny ip 172.16.0.0 0.15.255.255 any
130 deny ip 192.168.0.0 0.0.255.255 any (6 matches)
140 deny ip 127.0.0.0 0.255.255.255 any


Hope that helps, any questions drop me a PM or something

Jamie Parks
Network Engineer, UK
13 years 10 months ago #34686 by FlipRich
Yes, that helps jamieP. Thanks.

Since you block all RFC1918 on the outside int., did you permit all IP behind your deny statements?

Rich
Network Engineer /CCNP, CCNA-S
Tallahassee, FL
13 years 10 months ago #34688 by Losh
OK, like someone just told you, this rule is usually applied on the WAN interfaces in the ingress direction.
If you look at the addresses denied you will notice they all belong to private address classes, with the last being a Microsoft default DHCP address.
Those addresses are usually referred to as martian addresses; you don't expect them to come from a WAN interface, i.e. from the internet/outside of your network. They are supposed to originate from the inside of your network instead.
Therefore, if someone from outside your network is trying to hack you, they will pretend to come from inside your network so that you allow them in, when in real sense they are coming from the outside network.
That is why you block these addresses, so that no one will try to confuse your network device, even if there is an implicit deny statement.
Another option is to use the command

Router(config)# ip inspect name BLOCKOUT tcp
Router(config)# ip inspect name BLOCKOUT udp
Router(config)# ip access-list extended BLOCKOUT

then configure the ACLs to block the addresses.
This will allow incoming packets only if they are replies to what originated from your inside network.

I hope this helps a bit.

~ Networking :- Just when u think its starting to make sense......... ~
____________________________________________
CCNA, CCNP, CCNA Security, JNCIA, APDS, CISA
13 years 10 months ago #34693 by JamieP

Yes, that helps jamieP. Thanks.

Since you block all RFC1918 on the outside int., did you permit all IP behind your deny statements?


I certainly don't have a permit all; there are lots of other rules to allow in some TCP/UDP ports, rules to allow services such as DNS, NTP, IPsec, etc.

For obvious security reasons I won't post my whole ACL, but the last two rules are:

 remark ~~ TCP Established Permit ~~
 permit tcp any any established
 remark ~~ Deny Any ~~
 deny ip any any log

I can't imagine a situation where you would permit any any on an ingress ACL on your WAN interface.

Jamie Parks
Network Engineer, UK
13 years 10 months ago #34702 by FlipRich
I actually did some research on this and I don't think this type of ACL is needed on an outside interface because of the implicit deny all.

However, these ACL statements can be used on the inside int to prevent spoofing.

Rich
Network Engineer /CCNP, CCNA-S
Tallahassee, FL