  1. Router:
    1. A networking device that forwards packets at Layer 3 of the OSI model, the Network Layer.
    2. Routers have the ability to filter traffic and make forwarding decisions based on Layer 3 addresses (IP addresses).
  2. ACLs
    1. Access Control Lists (ACLs) can be set up on a router to further filter traffic by IP address, based on specific permit and deny statements configured by the system administrator.
    2. While a router can act as a firewall, a dedicated hardware device should perform these functions separately.
  3. Anti-Spoofing
    1. Implement ACLs
      1. Block IP Addresses
        1. The first step in preventing spoofing is blocking IP addresses that pose a risk.
        2. While an attacker might have a reason to spoof any IP address, the most commonly spoofed addresses are private IP addresses (RFC 1918) and other shared or special-use IP addresses.
        3. Block these IP address ranges inbound on your perimeter routers:
          1. 10.0.0.0/8
          2. 172.16.0.0/12
          3. 192.168.0.0/16
          4. 127.0.0.0/8
          5. 224.0.0.0/3
          6. 169.254.0.0/16
          7. RFC 1918 Private IP Addresses
          8. Special Use IP Addresses
      2. Configuration example:
        1. Router# conf t
        2. Enter configuration commands, one per line. End with CNTL/Z.
        3. Router(config)# ip access-list ext ingress-antispoof
        4. Router(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any
        5. Router(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any
        6. Router(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any
        7. Router(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any
        8. Router(config-ext-nacl)# deny ip 224.0.0.0 31.255.255.255 any
        9. Router(config-ext-nacl)# deny ip 169.254.0.0 0.0.255.255 any
        10. Router(config-ext-nacl)# permit ip any any
        11. Router(config-ext-nacl)# exit
        12. Router(config)# int s0/0
        13. Router(config-if)# ip access-group ingress-antispoof in
      3. Internet service providers (ISPs) must use filtering like this on their networks, as defined in RFC 2267.
      4. Notice how this ACL includes permit ip any any at the end. In reality, you would probably have a stateful firewall inside this router that protects your internal LAN.
      5. Keep in mind that this should be just one part of your overall network security strategy.
    2. Use Reverse Path Forwarding (ip verify):
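      1. RPF works much like the part of an anti-spam solution that takes the sender address of an inbound e-mail message and looks it up on the sending server.
      2. RPF does something similar with packets: it inspects the source address of each inbound packet and checks whether the router has a route back to that source.
      3. If the sender doesn't exist, the server drops the e-mail message; likewise, if there is no return route, the router drops the packet.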
      4. Configuration example:
        1. Router(config)# ip cef
        2. Router(config)# ipv6 cef
        3. Router(config)# int serial0/0
        4. Router(config-if)# ip verify unicast reverse-path
        5. Router(config-if)# ipv6 verify unicast reverse-path
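
An added example (not part of the original notes, and not Cisco code): the ingress-antispoof entries from the ACL configuration above are evaluated offline with IOS-style wildcard matching and first-match order, then cross-checked against the block list. The function names and the sample source addresses are constructed for illustration.

```python
import ipaddress
# Entries copied from the notes' ACL configuration example (destination is always "any").
ACL = """\
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
permit ip any any"""
# Block list from the notes, in CIDR form.
BLOCKED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
           "127.0.0.0/8", "224.0.0.0/3", "169.254.0.0/16"]

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_acl(text):
    """Return [(action, base, wildcard)]; source 'any' is 0.0.0.0 255.255.255.255."""
    rules = []
    for line in text.splitlines():
        action, _proto, src, *rest = line.split()
        base, wild = (0, 0xFFFFFFFF) if src == "any" else (to_int(src), to_int(rest[0]))
        rules.append((action, base, wild))
    return rules

def evaluate(rules, src):
    """First matching entry wins; falling off the end is the implicit deny."""
    addr = to_int(src)
    for action, base, wild in rules:
        # Wildcard bits set to 1 are ignored; every other bit must equal the base.
        if ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0:
            return action
    return "deny"

def uncovered(rules, cidrs):
    """Return block-list prefixes that no deny entry expresses exactly."""
    denies = {(base, wild) for action, base, wild in rules if action == "deny"}
    nets = [ipaddress.IPv4Network(c) for c in cidrs]
    # hostmask is the inverse of the netmask, i.e. the IOS wildcard mask.
    return [str(n) for n in nets
            if (int(n.network_address), int(n.hostmask)) not in denies]

if __name__ == "__main__":
    rules = parse_acl(ACL)
    print("uncovered prefixes:", uncovered(rules, BLOCKED))
    # Constructed sample sources, chosen at range boundaries.
    for src in ["10.1.2.3", "172.31.255.255", "172.32.0.1", "224.0.0.5", "198.51.100.7"]:
        print(f"{src:<16} {evaluate(rules, src)}")
```

Evaluating the same rules without the final permit ip any any entry returns deny for every source, which is the implicit deny the notes' closing permit is there to override.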