Examples of route selection and antispoofing definitions
There are several considerations to take into account when configuring routing and antispoofing.
The more specific destination is considered first in routing
1. Traffic with a destination address from 192.168.8.0/24 is routed through router2 because it is the most specific route to those destinations.
2. All other traffic with a destination address from 192.168.0.0/16 is routed through router1 because it remains the most specific route to those destinations.
3. Interface 1 is directly connected to the 192.168.11.0/24 network. Traffic with a destination address from 192.168.11.0/24 is routed there because it is the most specific route to those destinations.
4. Traffic with a destination address of 192.168.8.111 is routed through router3 because host-111 (192.168.8.111) has the most specific address.
Only the most specific destination is considered valid in antispoofing
If an interface receives a packet with a source address that is not a valid address for the networks connected to that interface, the packet is discarded. This is the case, for example, when an external interface receives a packet with an internal source address. The Engine selects the most specific antispoofing definition it finds for each packet. The following antispoofing configuration is based on the previous routing example.
1. Traffic from host-111 (192.168.8.111) is discarded if it originates from Interface 0 because that interface has only a less specific definition for the address (network 192.168.8.0/24).
2. Traffic from host-111 (192.168.8.111) is only considered valid if it originates from Interface 1 because that interface has the most specific route to the address of the host.
Both interfaces are valid because they are equally specific
1. Both Interface 0 and Interface 1 are considered valid sources for host-111 (192.168.8.111) because the Host element is beneath both interfaces. The plus sign on the host on Interface 0 indicates that the host was manually added to the configuration. Traffic can originate from both Interface 0 and Interface 1.
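The following Python model is an added illustration of the two rules above (longest-prefix route selection, and antispoofing that accepts a source only on the interface holding the most specific definition); it is not code from the product documentation. The router and interface names come from the examples, the routing table and antispoofing dictionaries are constructed to match them.

```python
import ipaddress

# Constructed routing table from the routing example: (destination network, next hop).
ROUTES = [
    (ipaddress.ip_network("192.168.0.0/16"), "router1"),
    (ipaddress.ip_network("192.168.8.0/24"), "router2"),
    (ipaddress.ip_network("192.168.11.0/24"), "Interface 1"),  # directly connected
    (ipaddress.ip_network("192.168.8.111/32"), "router3"),      # host-111
]


def select_route(dst, routes=ROUTES):
    """Longest-prefix match: the most specific matching destination wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if addr in net]
    if not matches:
        return None
    _net, hop = max(matches, key=lambda m: m[0].prefixlen)
    return hop


# Constructed antispoofing definitions: valid source networks/hosts behind each interface.
ANTISPOOF = {
    "Interface 0": [ipaddress.ip_network("192.168.8.0/24")],
    "Interface 1": [ipaddress.ip_network("192.168.8.111/32")],
}

# Variant for the third example: host-111 manually added beneath Interface 0 as well.
ANTISPOOF_BOTH = {
    "Interface 0": [ipaddress.ip_network("192.168.8.0/24"),
                    ipaddress.ip_network("192.168.8.111/32")],
    "Interface 1": [ipaddress.ip_network("192.168.8.111/32")],
}


def valid_source_interfaces(src, definitions=ANTISPOOF):
    """Interfaces on which a packet with source `src` is accepted.

    Only the interface(s) holding the most specific definition covering the
    source are valid; equally specific definitions on several interfaces are
    all valid. A packet arriving anywhere else is discarded as spoofed."""
    addr = ipaddress.ip_address(src)
    best_len, best = -1, []
    for iface, nets in definitions.items():
        for net in nets:
            if addr not in net:
                continue
            if net.prefixlen > best_len:
                best_len, best = net.prefixlen, [iface]
            elif net.prefixlen == best_len and iface not in best:
                best.append(iface)
    return sorted(best)
```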