Source address for FXS port

Similar Messages

• Router Source address for ACS Server

  Does anyone know how to configure a router(MSFC in this case so the same ip address is sent to the ACS server for authenticating. The source address may not always be the same depending on the path taken, If the source address isnt an ip address configured for one of my devices the acs server rejects the attempt and the router defaults to local login. I tried settigng a loopback address and always telnetiing to the loopback address however the source address from the MSFC is not the loopback I have 38 vlans, snd i suppose i could configure thoe ip addresses under a device, however if iI add a vlan then I must remember to add that vlan to ACS. Im sure there is a simpler way to address this, I just cant seem to find the configs needed on the MSFC to make it work.
  Any help will be greatly appreciated.
  Thanks

  Hi,
  Sounds like you need:
  ip tacacs source-interface interface-name
  (or ip radius source-interface interface-name)
  It's recommended to use a loopback interface, so this would give you (assuming loopback0):
  ip tacacs source-interface loopback0
  HTH - plz rate if it does
  Andrew.

• How to find MAC address for WAN port for Airport Express 2nd Gen.

  The New Airport Express has a LAN and a WAN ethernet ports. How can I find the MAC address for the WAN ethernet port as my Service Provider needs it for provisioning....I can fid MAC address for Ethernet and for two wireless 2.4 & 5GHz but not for WAN ethernet port using Airport Utility 6.1

  Many thanks for the swift response. However, there is no WAN MAC address on the box or on the device anywhere. I even used magnifying glass to find one .
  The airport utility shows only three mac addresses. One for 2.4GHz, one for 5GHz and one fo the ethernet (LAN port) whereas there is another ethernet port in the device mentioned as WAN port and I am still not able to find the MAC address for the WAN ehternet port for Airport Express (2nd Generation).
  Will appreciate a response to make th device work wiht my service provider as providing them the WAN mac address is a must. Had there been an option for cloning mac address, the issue would have not been there.
  Many thanks again - in advance.

• Dynamically define target address for logical ports (NW'04)

  Hello,
  when developing a web-service client using standalone proxy, you have to define the target address of a Web Service in the property-page for the Logical Port.
  We have the following problem. If, for any reason, the URL of the Web Service changes (i.e. the hostname or the port),  we have to rebuild the whole project and then redeploy the project.
  Is there a way to change this URL dynamically by java-code?
  Thanks in advance,
  Jarle

  Hi,
  You can get Server name Dynamically. You follow the below steps.
  1. Create a HTTP Destination in visual administrator which stores the server name and port.
  2. Access this variable in your controller init method and build your web service url with server name and port and use _setEndPoint() method
  String prefixURL = "http://";
  // your Service Address...remove the first part from service url.
  String serviceURL = "/TestService/Config1?style=document";
  DestinationService dstService = (DestinationService) obj;
  Destination destination = dstService.getDestination("HTTP","ApplicationServer");
  Properties destprop = destination.getDestinationProperties();
  HTTPDestination httpDestination = (HTTPDestination) destination;
  String serverName = httpDestination.getUrl();
  prefixURL = prefixURL + serverName;
  String testURL = prefixURL + serviceURL;
  Request<Obj> testReq = new Request<Obj>();
  testReq._setEndPoint(testURL);
  You need to import below files into your project.
  import com.sap.security.core.server.destinations.api.Destination;
  import com.sap.security.core.server.destinations.api.DestinationService;
  import com.sap.security.core.server.destinations.api.HTTPDestination;
  import java.net.HttpURLConnection;
  import java.util.Properties
  hope it solved your problem.
  Regards,
  Sridhar

• Discovering MAC addresses for Switch ports

  Hello and thanks for looking at my question,
  My company has inherited a network which has some very poor documentation. We really have no clue, nor does the customer, what machines are connected to what switch ports.
  My co-worker and I were discussing the best way to find this out with the least amount of effort, but can't agree on a single solution. Any recommendations would be greatly appreciated.
  Thanks.
  Sincerely,
  Brent

  Brent,
  After you do the 'sho arp' and now have MAC to IP translation, do a 'sho mac-address table' to show MAC to port translation. Save both tables to an Excel spreadsheet and tie them together. You should be able to come up with a good cross reference table (depending upon your Excel skills).
  This also gives you a switch-by-switch breakout. It's also a very helpful troubleshooting method to find rouge devices and shut down a port (for instance).
  Hope this is helpful.
  Jim

• Different Source Address for a SNMP trap paquet

  We use a common platform to manage the CISCO routers for several customers. We are using to manage the devices w/ a loopback address as source of snmp paquet.
  We use something like this ...
  Router(config)#snmp-server host 172.25.1.1 ORATRAP
  Router(config)#snmp-server trap-source loopback0
  Router(config)#end
  Now, there is some customers that request us to receipt the snmp-traps w/ an ip source of their own ip space (192.168.2.x/24).I cannot imagine how this can be achieve?... Please any idea?. Thks. Eduard.

  Thks., for your help. This is important matter to us. We also working in the idea of snmp track collector close to our own NMC... but this may cost also money... . So, we are going to try another approach first..
  Somewhat like this below....
  snmp-server enable traps
  snmp-server informs
  snmp-server source-interface traps
  snmp-server source-interface informs
  snmp-server host traps version 1 community string publicCust
  snmp-server host informs version 2 community string publicBT
  For the get's every MNC sends to the declared IP, so We thing that will use the same IP in answer.
  I will let you know. Eduard.

• Define constant ip addresses for wired ports

  Hi,
  I am using WRT54GL. I got 3 computers and one shared printer - all connected wired to port 1-4 in the router.
  i also got 2 wireless leptops which work fine with the router.
  my problem is that every time i got problems with the elctracity (which turns off the power from the router) the wired computers and the printer got diffrent ip address (which makes alot of work to configure everything in the softwares again).
  how can i set the port manually so i will get address 192.168.1.101 for port 1, 192.168.1.102 for port 2 and co...
  thanks in advance,
  Itay
  Solved!
  Go to Solution.

  Windows IP Configuration
     Host Name . . . . . . . . . . . . : IB-Notebook
     Primary Dns Suffix  . . . . . . . :
     Node Type . . . . . . . . . . . . : Hybrid
     IP Routing Enabled. . . . . . . . : No
     WINS Proxy Enabled. . . . . . . . : No
  Ethernet adapter Bluetooth Network Connection:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
     Physical Address. . . . . . . . . : 00-1A-6B-DF-83-45
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
  Wireless LAN adapter Wireless Network Connection:
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Intel(R) PRO/Wireless 3945ABG Network Con
  nection
     Physical Address. . . . . . . . . : 00-1B-77-C0-AB-0E
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
     Link-local IPv6 Address . . . . . : fe80::64a1:fcbd:3719:19ba%12(Preferred)
     Autoconfiguration IPv4 Address. . : 169.254.25.186(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.0.0
     Default Gateway . . . . . . . . . :
     DHCPv6 IAID . . . . . . . . . . . : 218110839
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-1E-FE-2B-00-1B-24-8F-F2-79
     DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                         fec0:0:0:ffff::2%1
                                         fec0:0:0:ffff::3%1
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Ethernet adapter Local Area Connection:
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Realtek RTL8101E Family PCI-E Fast Ethern
  et NIC (NDIS 6.20)
     Physical Address. . . . . . . . . : 00-1B-24-8F-F2-79
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
     Link-local IPv6 Address . . . . . : fe80::4910:760b:7363:ce99%11(Preferred)
     IPv4 Address. . . . . . . . . . . : 192.168.1.102(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Lease Obtained. . . . . . . . . . : יום ראשון 07 מרץ 2010 00:24:20
     Lease Expires . . . . . . . . . . : יום שני 08 מרץ 2010 13:15:01
     Default Gateway . . . . . . . . . : 192.168.1.1
     DHCP Server . . . . . . . . . . . : 192.168.1.1
     DHCPv6 IAID . . . . . . . . . . . : 234887972
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-1E-FE-2B-00-1B-24-8F-F2-79
     DNS Servers . . . . . . . . . . . : 132.72.140.46
                                         212.143.212.143
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Ethernet adapter VMware Network Adapter VMnet1:
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet
  1
     Physical Address. . . . . . . . . : 00-50-56-C0-00-01
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
     Link-local IPv6 Address . . . . . : fe80::38ca:a58e:1770:301a%16(Preferred)
     IPv4 Address. . . . . . . . . . . : 192.168.25.1(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Default Gateway . . . . . . . . . :
     DHCPv6 IAID . . . . . . . . . . . : 604000342
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-1E-FE-2B-00-1B-24-8F-F2-79
     DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                         fec0:0:0:ffff::2%1
                                         fec0:0:0:ffff::3%1
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Ethernet adapter VMware Network Adapter VMnet8:
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet
  8
     Physical Address. . . . . . . . . : 00-50-56-C0-00-08
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
     Link-local IPv6 Address . . . . . : fe80::e14a:775e:6f09:3671%17(Preferred)
     IPv4 Address. . . . . . . . . . . : 192.168.16.1(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Default Gateway . . . . . . . . . :
     DHCPv6 IAID . . . . . . . . . . . : 620777558
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-1E-FE-2B-00-1B-24-8F-F2-79
     DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                         fec0:0:0:ffff::2%1
                                         fec0:0:0:ffff::3%1
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Tunnel adapter isatap.{D2B518A4-E21C-4E01-B434-80AAF2559710}:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Microsoft ISATAP Adapter
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter isatap.{BEC0399E-731D-48E9-8A2B-CA8B8B15BA4D}:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter isatap.{AFCB73A3-C595-48FD-8E84-9C2FD09C6267}:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter Teredo Tunneling Pseudo-Interface:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter isatap.{785CCA76-47EB-4157-BB66-A396AC292746}:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter isatap.{9C38D982-ECEA-40E9-A6F0-80396D18316B}:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes

• Advice about FXS Port configuration for connecting to modems

  Hello all,
  We have not confirm the problem, but we are having reports that analog devices like USR V.92 Modems and Power meters are not connecting or dropping the connection.  We have an ISR 2911 with the 4-port FXS-DID WIC (VIC3-4FXS/DID), configure to an internet SIP truck provider.  The Router is running IOS 15.3(3)M2.  If we connect an analog phone to the FXS port and call, voice is clear.  So the question is what configuration settings should we have for FXS ports and/or dialpeers for connections to modems?  Attached is the current configuration of the router.  
  Do we have to be worried about Codec?  If so which Codec should we configure?
  Any Physical FXS settings should be set?
  Are my DSP setup correctly?  
  Again, I'm at a loss, as voice sounds good and my searches for modem connections to FXS Ports on CUCME is coming up dry.  Any help would be great.  
  As far as the "Power Meters", we are talking substation power meters.  
  Thanks for any advice you can spare and your time,
  Nick

  Hi Amit,
  No problem on the delay.  Your help is very much appreciated.  
  You're losing me a bit.  Because I don't know if your giving me dial-peer 1 as an example.  1 being just a random number.  Or your telling me to change my current dial-peer 1 configuration.  Which is currently a pots dial-peer:
  dial-peer voice 1 pots
  description POTS port 0/1/0
  destination-pattern 111111111
  port 0/1/0
  dial-peer 1000 voip is our outbound call leg.  Sorry call legs are not exactly clear to me yet.  In fact they haven't been in years.  :)  So change my dial-peer to dial-peer voice 1 voip?  
  My other question still unknown to me is should we use:
  fax protocol pass-through g711ulaw
  Even though we are trying to use a modem and not a fax?  Also this command is a dial-peer command and not a global command.  So what global command should i be using?
  Again thank you for your time and help,
  Nick

• FXS Ports & Pickup Groups

  Is there a way to make an analog phone connected to an FXS port a part of a call pickup group that contains both analog phones & IP phones? I setup a lab and used MGCP to add the gateway and I was able to add the DN associated with the FXS port to a call pickup group. However, I am unable to figure out how to answer the call from the analog phone when another IP phone in the call pickup group is ringing.
  Thanks in advance

  Hi
  You are going down the right track with this.
  http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Unified%20Communications%20and%20Video&topic=IP%20Telephony&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dde5372/0#selected_message
  See this other post I made (for a different purpose, but the principal is the same - it just opens up features available to IP phones for FXS ports by registering them using SCCP).
  Regards
  Aaron
  Please rate helpful posts...

• AAA Source addressing

  Is their a way to set the source address for TACACS?
  I have about 170 remote sites that I want to use my ACS server (Ver. 3.3) for Autentication/Authorization. I am using 1918 addressing at the remote locations, and at the corporate office. The ACS server is inside the Corporate network, and I am telnetting to the 10.address inside interface of the router at the remote site. It looks for the tacacs server, but does not find it, and fails back to use the local password.
  I can ping the IP address of the tacacs server doing a ping with the source IP of the Inside ethernet, and the IP address of the loopback, on the remote router.

  OK, 16 pages down in the forum, I finally found my answer.
  Use the command:
  ip tacacs source-interface

• TS1629 Apple destination ip addresses for well known TCP and UDP ports used by Apple software products

  I work for a large enterprise organisation with dual layer firewalls. The Apple article titled "allowing well known ports through the firewall "does not provide enough information on what the destination ip addresses of Apple servers are which host Apple ICloud services.
  Does anyone have information on the destination Apple Ip addresses? So that I can lock down my firewall rules, just so that Apple devices, access Apple services on the Internet.
  Many thanks

  One option is to use "connection-reuse" cli under sip-ua configuration mode.
  sip-ua
    connection-reuse
  This will enable the 7200 to create a connection with source and destination udp port number set to 5060. This feature is available in IOS 12.4(25d) which requires minimum of 256 / 512MB DRAM (depends on the feature set) and flash of 48 MB.

• How do I open ports on my airport extreme and assign a fixed IP Address for a device connected to my network?

  I recently had a security system installed in my house.  One of the features is an EPAD which enables me to have a virtual keypad on my iphone, and computer to operate the alarm system.  The technician was not familiar with Mac's and Airports.  How do I open port 80 to 80 in my airport and assign a fixed IP address for the EPAD?  Apparently this is what is needed to make this work.

  There are three ranges of "strictly local" IP addresses reserved for local Network use:
  192.168.xxx.yyy
  172.16.xxx.yyy
  10.xxx.yyy.zzz
  What your Router does for you is to act as your agent on the Internet.Your requests are packaged up and forwarded on your behalf, and only when a response is expected is the response returned to your local IP address.
  Directing Network Traffic to a Specific Computer on Your
  Network (Port Mapping)
  AirPort Extreme uses Network Address Translation (NAT) to share a single IP address with the computers that join the AirPort Extreme network. To provide Internet access to several computers with one IP address, NAT assigns private IP addresses to each computer on the AirPort Extreme network, and then matches these addresses with port numbers. The wireless device creates a port-to-private IP address table entry when a computer on your AirPort (private) network sends a request for information to the Internet.
  If you’re using a web, AppleShare, or FTP server on your AirPort Extreme network, other computers initiate communication with your server. Because the Apple wireless device has no table entries for these requests, it has no way of directing the information to the appropriate computer on your AirPort network.
  To ensure that requests are properly routed to your web, AppleShare, or FTP server, you need to establish a permanent IP address for your server and provide inbound port mapping information to your Apple wireless device.
  To set up inbound port mapping:
  1) Open AirPort Utility, select your wireless device, and then choose Base Station > Manual Setup, or double-click the device icon to open its configuration in a separate window. Enter the password if necessary.
  2) Click the Advanced button, and then click Port Mapping.
  3) Click the Add button and choose a service, such as Personal File Sharing, from the Service pop-up menu.

• Logon Error:Could not retrieve the source file for Port "Main"

  Hi All,
  We have a port which is blocked due to structural exceptions.When i try to connect to the Exceptions folder
  "Main[Exceptions]" the import manager throws an error "Logon Error:Could not retrieve the source file for port "Main".
  Any help greatly appreciated

  Hi ,
  Thanks for your reply.
  This is what I see in the log file in the exceptions folder
  These are the line I see almost to the end of the log file before they complete field mappings,value addings
            <Failure ts="2008/07/22 00:10:48.326 GMT" tid="1286" entry-no="9114" operation="Create lookups" rc="0x80000001">Illegal value for parameter</Failure>
            <Timer ts="2008/07/22 00:10:48.327 GMT" tid="1286" entry-no="9115" name="Import Lookup" total="0.040819">1</Timer>
            <Trace ts="2008/07/22 00:10:48.327 GMT" tid="1286" entry-no="9116">Import of Lookup Failed.</Trace>
  But when I open the same source xml file after downloading to my local folder from Exceptions Structural folder and load manually using IM i get the status as "Ready to import".
  Any Help greatly appreciated

• Log connection attempts and source IP address for connections that fail/timeout on RADIUS

  How can I log the connection attempts and source IP address for connections that fail RADIUS authentication?  I'm using RD Gateway on 2012 R2 in conjunction with Azure Multi-Factor Authentication Server on another 2012 R2 server.  When a user fails
  multifactor authentication or the authentication times out, all I get is Security event 6273 on the RD Gateway that the radius server did not process the request, and only the radius server's IP is logged.  There's nothing logged in TerminalServices-Gateway\Operational
  because the TS Gateway hasn't yet processed the connection attempt (all auditing options for RD Gateway are enabled).  The MFA/Radius Server is only logging the connection from the TSGateway - it doesn't know the original client's IP address.
  I'm looking for the equivalent of an IIS log - somewhere the RD Gateway should log the initial HTTPS connection attempt and the source IP address of the client.  I need to be able to track down potentially fraudulent login attempts. 

  Hi,
  Thank you for your posting in Windows Server Forum.
  This error might be caused by one of the following conditions:
  •  The user does not have valid credentials
  •  The connection method is not allowed by network policy
  •  The network access server is under attack
  •  NPS does not have access to the user account database on the domain controller
  •  NPS log files or the SQL Server database are not available
  To perform these procedures, you must be a member of Domain Admins.
  Please check for more information:
  Event ID 6273 — NPS Authentication Status
  http://technet.microsoft.com/en-us/library/cc735399(v=ws.10).aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki

• Source ip address for icmp messages not what is expected

  We have a router that has interfaces in multiple VRFs.  One interface sits on an interface that is routed on the Internet.  Other interface sits on a VRF that is in a private address space and is used for WAN connectivity.  The strange behavior that I'm seeing is related to icmp messages coming off the router.  It appears that scanners hitting the Internet-facing interface cause the router to generate icmp messages (type 3) that are source using the IP address of the WAN-facing interface and they are routed across the WAN, into our data center and dropped by our firewall due to anti-spoofing rules.  Is this normal behavior?  Doesn't seem normal to me. Is this behavior something that can be changed via configuration?

  probabaly some body attacking you
  you need inbound access-list in Internet-facing interface.
  and you need to filtr private source addresses classes  A, B, C 
  ip access-list extended InWorld
   deny   ip any 192.168.0.0 0.0.255.255
   deny   ip any 172.16.0.0 0.15.255.255
   deny   ip any 10.0.0.0 0.255.255.255
   permit ip any any
  interface FastEthernet0
   description Internet-facing interface
   ip address 9.2.3.6 255.255.255.252
   ip access-group InWorld in
  later you will see hit counts
  sh access-lis
  here is detailed explanation
  http://www.techrepublic.com/article/prevent-ip-spoofing-with-the-cisco-ios/
  they using more complicated acces-list
  In a typical IP address spoofing attempt, the attacker fakes the source of packets in order to appear as part of an internal network. David Davis tells you three ways you can make an attacker's life more difficult&mdash;and prevent IP address spoofing. 
  As you know, the Internet is rife with security threats, and one such threat is IP address spoofing. During a typical IP address spoofing attempt, the attacker simply fakes the source of packets in order to appear as part of an internal network. Let's discuss three ways you can protect your organization from this type of attack.
  Block IP addresses
  The first step in preventing spoofing is blocking IP addresses that pose a risk. While there can be a reason that an attacker might spoof any IP address, the most commonly spoofed IP addresses are private IP addresses (RFC 1918) and other types of shared/special IP addresses.
  Here's a list of IP addresses—and their subnet masks—that I would block from coming into my network from the Internet:
  10.0.0.0/8
  172.16.0.0/12
  192.168.0.0/16
  127.0.0.0/8
  224.0.0.0/3
  169.254.0.0/16
  All of the above are either private IP addresses that aren't routable on the Internet or used for other purposes and shouldn't be on the Internet at all. If traffic comes in with one of these IP addresses from the Internet, it must be fraudulent traffic.
  In addition, other commonly spoofed IP addresses are whatever internal IP addresses your organization uses. If you're using all private IP addresses, your range should already fall into those listed above. However, if you're using your own range of public IP addresses, you need to add them to the list.
  Implement ACLs
  The easiest way to prevent spoofing is using an ingress filter on all Internet traffic. The filter drops any traffic with a source falling into the range of one of the IP networks listed above. In other words, create an access control list (ACL) to drop all inbound traffic with a source IP in the ranges above.
  Here's a configuration example:
  Router# conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  Router(config)# ip access-list ext ingress-antispoof
  Router(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any 
  Router(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any 
  Router(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 224.0.0.0 31.255.255.255 any
  Router(config-ext-nacl)# deny ip 169.254.0.0 0.0.255.255 any     
  Router(config-ext-nacl)# permit ip any any     
  Router(config-ext-nacl)# exit
  Router(config)#int s0/0
  Router(config-if)#ip access-group ingress-antispoof in
  Internet service providers (ISPs) must use filtering like this on their networks, as defined in RFC 2267. Notice how this ACL includes permit ip any any at the end. In the "real world," you would probably have a stateful firewall inside this router that protects your internal LAN.
  Of course, you could take this to the extreme and filter all inbound traffic from other subnets in your internal network to make sure that someone isn't on one subnet and spoofing traffic to another network. You could also implement egress ACLs to prevent users on your network from spoofing IP addresses from other networks. Keep in mind that this should be just one part of your overall network security strategy.
  Use reverse path forwarding (ip verify)
  Another way to protect your network from IP address spoofing is reverse path forwarding (RPF)—or ip verify. In the Cisco IOS, the commands for reverse path forwarding begin with ip verify.
  RPF works much like part of an anti-spam solution. That part receives inbound e-mail messages, takes the source e-mail address, and performs a recipient lookup on the sending server to determine if the sender really exists on the server the message came from. If the sender doesn't exist, the server drops the e-mail message because there's no way to reply to the message—and it's very likely spam.
  RPF does something similar with packets. It takes the source IP address of a packet received from the Internet and looks up to see if the router has a route in its routing table to reply to that packet. If there's no route in the routing table for a response to return to the source IP, then someone likely spoofed the packet, and the router drops the packet.
  Here's how to configure RPF on your router:
  Router(config)# ip cef
  Router(config)# int serial0/0
  Router(config-if)# ip verify unicast reverse-path
  Note that this won't work on a multi-homed network.
  It's important to protect your private network from attackers on the Internet. These three methods can go a long way toward protecting against IP address spoofing. For more information on IP address spoofing, read "IP Address Spoofing: An Introduction."
  Is IP address spoofing a major concern for your organization? What steps have you taken to protect the company? Have you used RPF? Share your experiences in this article's discussion.
  and dont forget to rate post