Alex-
Leader

VSX, anti spoofing and dynamic routing

I was checking sk32500 - Anti-spoofing on VSX (static and dynamic) in order to manage anti-spoofing on a VSX which has switched from static to dynamic routing and enforce anti-spoofing.

Steps so far:

  • Dynamic routing enabled and working
  • Disable "Calculate topology automatically based on routing information" at the VS level
  • Edit the relevant interface and select "Internal - Defined by routes" for the topology
  • Set the anti-spoofing to Detect for initial verification

But then, sources coming from the interface which match prefixes received by the dynamic routing protocol on that interface are flagged by anti-spoofing, with the yellow shield since we are in Detect mode.

So if a prefix on interface bond10.20 is learnt as 10.1.1.0/24, we see for instance 10.1.1.1 flagged as spoofed with direction incoming on that interface in the logs.

We are probably missing something, but what? Any tips are welcome.

CP appliances, R81.10 Take 150.

2 Replies
PhoneBoy
Admin

I suggest doing a kernel debug on the VS to see what the actual reason is for the drop.
TAC may be necessary to investigate this further.

# Step 1: Determine the VSID
vsx stat -v

# Step 2: Allocate Kernel Debug Buffer
fw ctl debug -buf 32768 -v <VSID>

# Step 3: Enable Debug Flags for Anti-Spoofing
fw ctl debug -m fw + drop -v <VSID>

# Step 4: Start Capturing the Debug Output
fw ctl kdebug -T -f -v <VSID> > /var/log/debug.txt

# Step 5: Replicate the Issue
# Perform the actions that trigger the anti-spoofing mechanism

# Step 6: Stop the Debugging
# Press Ctrl+C in the terminal where fw ctl kdebug is running

# Step 7: Analyze the Debug Output
# The debug output will be saved in /var/log/debug.txt
Lesley
Mentor

Just to make sure, is there no 10.1.1.0/24 hidden in the anti-spoofing group behind a different interface than bond10.20?

Sometimes I see customers who, for example, define 10/8 behind interface X and the smaller subnet 10.0.0.0/24 behind interface Y.

Do you get my point? For now, a workaround is to disable AS and put the network in the option "Do not check packets from:", adding the group with the network there. Hope that helps.

-------
If you like this post please give a thumbs up(kudo)! 🙂
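The "hidden overlap" that Lesley suspects can be checked offline before anyone collects a kernel debug. The Python below is an added example for this thread, not Check Point code and not how the gateway's kernel actually evaluates anti-spoofing; it uses a deliberately simplified model (an internal interface's allowed source prefixes come either from the routes that leave through it, as with "Internal - Defined by routes", or from a manually defined group; the longest matching prefix decides which interface "owns" a source address; and the same prefix behind two interfaces is a conflict). All interface names other than bond10.20, all routes and all addresses are constructed: bond10.20 learns 10.1.1.0/24 and 10.1.2.0/24 dynamically, eth0 is a hypothetical external uplink, and a hypothetical bond10.30 carries a manual group that accidentally also contains 10.1.1.0/24.

```python
"""Added example: offline model of interface-based anti-spoofing topology.

Assumptions of the model (not Check Point's implementation):
  * "by_routes" interfaces may source the prefixes routed out of them,
    static and dynamic routes alike; "manual" interfaces use a fixed group;
  * the interface with the longest matching prefix owns a source address,
    and an equal-length match behind two interfaces is a conflict;
  * an internal ingress that is not the owner, or an external ingress whose
    source lies in any internal prefix, is reported as spoofed.
Interfaces, routes and addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass
class Interface:
    name: str
    kind: str                                       # "external" | "by_routes" | "manual"
    manual: List[str] = field(default_factory=list)  # prefixes, only for "manual"


def effective_topology(interfaces: List[Interface],
                       routes: List[Tuple[str, str]]) -> Dict[str, List[Net]]:
    """Resolve each internal interface to the prefixes it is allowed to source.
    routes is a list of (prefix, egress interface) pairs."""
    topo: Dict[str, List[Net]] = {}
    for itf in interfaces:
        if itf.kind == "external":
            continue                                 # external = everything not internal
        if itf.kind == "by_routes":
            topo[itf.name] = [Net(p) for p, via in routes if via == itf.name]
        elif itf.kind == "manual":
            topo[itf.name] = [Net(p) for p in itf.manual]
        else:
            raise ValueError(f"unknown topology kind {itf.kind!r}")
    return topo


def overlaps(topo: Dict[str, List[Net]]) -> List[Tuple[str, str, str, str, bool]]:
    """(net_a, if_a, net_b, if_b, same_prefix) for overlapping prefixes defined
    behind different interfaces. same_prefix=True is the hidden-duplicate case."""
    entries = [(n, i) for i, nets in topo.items() for n in nets]
    found = []
    for idx, (na, ia) in enumerate(entries):
        for nb, ib in entries[idx + 1:]:
            if ia != ib and na.overlaps(nb):
                found.append((str(na), ia, str(nb), ib, na == nb))
    return found


def owner(src: str, topo: Dict[str, List[Net]]) -> Optional[str]:
    """Interface owning src by longest prefix match; None when nothing matches
    or when two interfaces tie on the most specific prefix (conflict)."""
    ip = ipaddress.IPv4Address(src)
    best_len, best_ifs = -1, set()
    for ifname, nets in topo.items():
        for net in nets:
            if ip in net:
                if net.prefixlen > best_len:
                    best_len, best_ifs = net.prefixlen, {ifname}
                elif net.prefixlen == best_len:
                    best_ifs.add(ifname)
    return best_ifs.pop() if len(best_ifs) == 1 else None


def is_spoofed(src: str, ingress: str, interfaces: List[Interface],
               topo: Dict[str, List[Net]]) -> bool:
    """True if a packet from src arriving on ingress fails the model's check."""
    kind = {i.name: i.kind for i in interfaces}[ingress]
    if kind == "external":
        ip = ipaddress.IPv4Address(src)
        return any(ip in n for nets in topo.values() for n in nets)
    return owner(src, topo) != ingress


# Constructed scenario mirroring the thread.
INTERFACES = [
    Interface("eth0", "external"),
    Interface("bond10.20", "by_routes"),
    Interface("bond10.30", "manual", ["10.0.0.0/8", "10.1.1.0/24"]),  # duplicate hidden here
]
ROUTES = [
    ("0.0.0.0/0", "eth0"),
    ("10.1.1.0/24", "bond10.20"),   # learnt by the dynamic routing protocol
    ("10.1.2.0/24", "bond10.20"),   # learnt by the dynamic routing protocol
]


def audit(interfaces=INTERFACES, routes=ROUTES) -> dict:
    topo = effective_topology(interfaces, routes)
    return {
        "overlaps": overlaps(topo),
        "10.1.1.1 on bond10.20": is_spoofed("10.1.1.1", "bond10.20", interfaces, topo),
        "10.1.2.1 on bond10.20": is_spoofed("10.1.2.1", "bond10.20", interfaces, topo),
        "10.1.2.1 on bond10.30": is_spoofed("10.1.2.1", "bond10.30", interfaces, topo),
        "10.1.2.1 on eth0": is_spoofed("10.1.2.1", "eth0", interfaces, topo),
    }


def fixed_interfaces() -> List[Interface]:
    """Same topology with the duplicate 10.1.1.0/24 removed from bond10.30."""
    return [Interface("eth0", "external"),
            Interface("bond10.20", "by_routes"),
            Interface("bond10.30", "manual", ["10.0.0.0/8"])]


if __name__ == "__main__":
    for key, val in audit().items():
        print(key, "->", val)
    print("after removing the duplicate:", audit(fixed_interfaces()))
```

In the constructed scenario the model reproduces the symptom from the first post: 10.1.1.1 arriving on bond10.20 is reported as spoofed purely because the same /24 also sits in the manual group behind another interface, while 10.1.2.1 on bond10.20 passes even though it is covered by the larger 10.0.0.0/8 elsewhere, since the longer dynamic /24 wins. Removing the duplicate from the manual group makes 10.1.1.1 pass; the remaining overlaps the audit lists are nested (summary behind one interface, more specific behind another) and are the case to review rather than an outright conflict.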