Cisco IP Access List Basics - Block Spoofing and Smurfing

A Cisco router that sits between a private network and the public Internet should deny packets arriving from the Internet whose source address could not legitimately have originated there. RFC 1918 reserves three address ranges for private networks; these ranges are not routed on the public Internet, so any packet that arrives on the external interface carrying such a source address is spoofed (or at best misconfigured) and should be dropped, and logged, before it enters the internal network. The same reasoning applies to link-local, loopback and multicast sources, and to your own public address block: a packet from the outside claiming one of your own addresses as its source is spoofed as well.

! Sample anti-spoofing Cisco configuration
! Extended ACL syntax: access-list <number> deny ip <source> <wildcard mask> <destination> [log]
! The wildcard mask is the bitwise inverse of the netmask (e.g. /12 -> 0.15.255.255)

! Block Private Address Space (RFC 1918)
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
! Block Autoconfiguration Space
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
! Block Loopback Space
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
! Block Multicast (never valid as a source address)
access-list 100 deny ip 224.0.0.0 15.255.255.255 any log
! Allow All Other Traffic
access-list 100 permit ip any any
! Apply the ACL inbound on the external interface
! Ex. interface fastethernet0/0
ip access-group 100 in

The following are the three designated private address ranges (RFC 1918):
- 10.0.0.0 netmask 255.0.0.0 (10.x.x.x/8)
- 172.16.0.0 netmask 255.240.0.0 (172.16.x.x/12, i.e. 172.16.0.0 through 172.31.255.255)
- 192.168.0.0 netmask 255.255.0.0 (192.168.x.x/16)

The following range is reserved for link-local autoconfiguration:
- 169.254.0.0 netmask 255.255.0.0 (169.254.x.x/16)
Autoconfiguration kicks in on most modern operating systems (Windows calls it APIPA; macOS and many Linux hosts do the same). If a host has no hard-coded IP address and cannot acquire one via DHCP, it picks a pseudo-random address for itself within 169.254.0.0/16. Such an address is only meaningful on the local link, so it should never be seen as the source of a packet arriving from the Internet.

Another range to consider is the loopback range:
- 127.0.0.0 netmask 255.0.0.0 (127.x.x.x/8)
A host uses a loopback address to refer to itself. The most commonly used loopback address is 127.0.0.1, but any address within the entire 127.0.0.0/8 range is valid as a self-referencing address. Loopback traffic never legitimately leaves the host, so a packet with a 127.x.x.x source address arriving on the external interface is forged.

The following range is used exclusively for multicasting:
- 224.0.0.0 netmask 240.0.0.0 (224.0.0.0/4, i.e. 224.0.0.0 through 239.255.255.255)
Multicast addresses are destination addresses: they let one host deliver a single packet to a group of receivers. A multicast address is never valid as a source address, so packets arriving from the outside with a multicast source are bogus and should also be blocked. Note that an ingress source-address filter like ACL 100 stops spoofed packets from entering your network; it does not by itself stop your network from being used as a smurf amplifier, which additionally requires disabling IP directed broadcasts on the router's interfaces.
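As an added example (not code from the original page), the following Python script, standard library only, generates the same ingress ACL from CIDR prefixes, computing the Cisco wildcard mask (the inverse of the netmask) for each, and then simulates IOS first-match evaluation against a constructed set of source addresses, including two that sit just outside a denied range to confirm the masks are right. It goes beyond the page in one respect: it can also deny the site's own public prefix as a source, which is the other half of standard ingress anti-spoofing. The ACL number 100, the assumed site prefix 203.0.113.0/24 and the sample addresses are assumptions made for the example.

```python
"""Anti-spoofing ingress ACL: generate the Cisco lines and simulate them.

Added example, not code from the original page. Standard library only.
"""
from __future__ import annotations

from ipaddress import IPv4Address, IPv4Network

# Source prefixes that must never appear on packets arriving from the Internet.
# These are the ranges the article's ACL 100 denies; none of them overlap.
BOGON_SOURCES = [
    ("Private Address Space", IPv4Network("10.0.0.0/8")),
    ("Private Address Space", IPv4Network("172.16.0.0/12")),
    ("Private Address Space", IPv4Network("192.168.0.0/16")),
    ("Autoconfiguration Space", IPv4Network("169.254.0.0/16")),
    ("Loopback Space", IPv4Network("127.0.0.0/8")),
    ("Multicast", IPv4Network("224.0.0.0/4")),
]

# Constructed sample of source addresses as they might arrive on the
# external interface. 172.32.0.1 and 240.0.0.1 sit just outside a denied
# range and check that the wildcard masks are computed correctly.
SAMPLE_SOURCES = [
    "10.1.2.3", "172.31.0.9", "172.32.0.1", "169.254.10.10", "127.0.0.1",
    "239.255.255.250", "240.0.0.1", "203.0.113.7", "198.51.100.4",
]


def wildcard_mask(net: IPv4Network) -> str:
    """Cisco ACLs take a wildcard mask, the bitwise inverse of the netmask
    (/12 -> netmask 255.240.0.0 -> wildcard 0.15.255.255). ipaddress already
    exposes that inverse as the network's hostmask."""
    return str(net.hostmask)


def acl_entries(own_prefixes=()):
    """Bogon prefixes plus (assumption, beyond the page) the site's own public
    prefixes: a packet from the Internet claiming one of your own addresses as
    its source is spoofed too."""
    own = [("Own Address Space", IPv4Network(p)) for p in own_prefixes]
    return list(BOGON_SOURCES) + own


def build_acl(acl_number: int = 100, own_prefixes=(), log: bool = True) -> list[str]:
    """Render one deny line per entry (with a comment per group), then the
    closing permit that lets all other traffic through."""
    suffix = " log" if log else ""
    lines, last_label = [], None
    for label, net in acl_entries(own_prefixes):
        if label != last_label:
            lines.append(f"! Block {label}")
            last_label = label
        lines.append(
            f"access-list {acl_number} deny ip "
            f"{net.network_address} {wildcard_mask(net)} any{suffix}"
        )
    lines.append("! Allow All Other Traffic")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def evaluate(src: str, own_prefixes=()) -> tuple[str, str | None]:
    """Simulate IOS first-match evaluation for one packet's source address.
    Returns ("deny", label) for a spoofed source, else ("permit", None),
    mirroring the ACL's final 'permit ip any any'."""
    addr = IPv4Address(src)
    for label, net in acl_entries(own_prefixes):
        if addr in net:
            return "deny", label
    return "permit", None


def filter_sources(sources, own_prefixes=()) -> dict[str, str]:
    """Map each sample source address to the action the ACL would take."""
    return {s: evaluate(s, own_prefixes)[0] for s in sources}


if __name__ == "__main__":
    own = ["203.0.113.0/24"]  # assumed public block for this site
    print("\n".join(build_acl(own_prefixes=own)))
    print("! Apply inbound on the external interface, e.g. fastethernet0/0")
    print("ip access-group 100 in")
    print()
    for src in SAMPLE_SOURCES:
        action, label = evaluate(src, own)
        print(f"{src:>16}  {action:<6} {label or ''}")
```

Running the script prints the ACL ready to paste into the router, followed by one line per sample address showing whether it would be denied and by which rule. The wildcard mask is derived from the prefix length rather than typed by hand, which is where most hand-written anti-spoofing ACLs go wrong (a /12 written as 0.0.255.255 silently leaves most of 172.16.0.0/12 unfiltered).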