I understand that a BVI is very much equivalent to a network switch. But it includes the benefit of being able to have an access control list.

I am doing this, but I would like to more effectively distinguish incoming vs outgoing. Right now, all I have to go on is the IP address.

How can I add protection against IP spoofing? I would like to prevent someone on the WAN port (FastEthernet4) from using one of the IP addresses that are only supposed to exist on the LAN port.

700 Software

1 Answer

Apply inbound filters on the physical device that is bridged by the BVI.

bridge irb
!
! The bridge group must exist before an interface can join it.
bridge 1 protocol ieee
!
! Filter on the physical (bridged) WAN interface, inbound, before the BVI sees the packet.
interface WAN INTERFACE
 no ip address
 bridge-group 1
 ip access-group 101 in
!
interface BVI 1
 IP CONFIG GOES HERE
!
bridge 1 route ip
!
! Extended ACL: drop anything arriving on the WAN that claims a LAN source address.
! Source is written as "host a.b.c.d" or "network wildcard"; "log" records the hits.
access-list 101 deny   ip YOUR IPS any log
access-list 101 permit ip any any
David Schwartz
It didn't work. For some reason I was not able to stop an IP using `access list 101 deny ip host ??.??.??.?? any`. That outside IP was still able to make TCP connections with the servers on the LAN ports. Any idea why? – 700 Software Nov 15 '11 at 23:14
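A worked version of the answer's anti-spoofing filter, as an added example rather than configuration from the original post or its author. It assumes FastEthernet4 is the WAN member of bridge group 1, that the LAN behind the BVI is 192.168.1.0/24, and that the BVI itself is 192.168.1.1; substitute your own addresses. Note that the ACL source uses a Cisco wildcard mask (0.0.0.255 means "any host in the /24"), not a subnet mask, and that an extended ACL ends in an implicit deny, so the final `permit ip any any` is what keeps legitimate WAN traffic flowing.

```cisco
! Added example, not from the original post. Assumed addressing:
!   WAN member interface : FastEthernet4
!   LAN subnet behind BVI: 192.168.1.0/24
!   BVI address          : 192.168.1.1
bridge irb
!
bridge 1 protocol ieee
bridge 1 route ip
!
interface FastEthernet4
 description WAN (untrusted side)
 no ip address
 bridge-group 1
 ip access-group 101 in
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
!
! Anti-spoofing: a packet entering from the WAN must never carry a LAN source.
! Wildcard 0.0.0.255 = every host in 192.168.1.0/24 (the LAN, including the BVI).
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any log
! Loopback sources never legitimately arrive on a wire.
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
! Optional: drop the remaining RFC 1918 ranges, but ONLY if your WAN uplink
! itself is not numbered from one of them (e.g. behind an upstream NAT).
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
! Everything else from the WAN is allowed through; extended ACLs end in an implicit deny.
access-list 101 permit ip any any
```

To confirm the filter is actually bound and being evaluated, `show ip interface FastEthernet4` should report the list as the inbound access list, and `show access-lists 101` shows a per-line match counter that increments when a spoofed packet is dropped; the `log` keyword additionally emits rate-limited syslog messages for the hits. If the counters stay at zero while the forged traffic still reaches the LAN, as the comment above reports, the packets are not passing through this ACL, which is the first thing to check before debugging the entries themselves.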