Alexander Bauer

Anti spoofing Yes or No

Discussion created by Alexander Bauer on Dec 21, 2018
Latest reply on Dec 25, 2018 by Alexander Bauer

Hello all,
In many labs, as well as in the CSSA lab, I have seen the configuration example where always only one network is connected to a separate interface on the firewall, like the following example.

VLAN 2 network: default gateway is interface G0/1 on the firewall (DMZ1)
VLAN 3 network: default gateway is interface G0/2 on the firewall (DMZ2)

VLAN 10 network: default gateway is interface G0/0 on the firewall (Management)

The physical environment is a PC that has 8 network ports on it (using VMware Workstation, with a host-based connection to the Layer 3 switch; every port is on a separate VLAN, like VLAN 2, 3 and 10).
The default route on the firewall is to the outside interface address from the ISP.
If I remember well, as long as anti-spoofing is enabled on the management interface of the firewall, it will only accept traffic from this network in this example and not from the other networks like and

No traffic will go to the Internet or between the DMZ networks; also, anti-spoofing is disabled on the other interfaces.
On my Layer 3 switch I have configured all SVIs (switch virtual interfaces) with x.x.x.253/24, which have a default route to the management interface of the firewall.
Maybe Picture 1 in the attachment explains the situation more easily.
Now to the question.
Can the traffic only pass when anti-spoofing is disabled between the DMZ and management interfaces?
Or is the traffic blocked until the objects (networks) and policies are in place?

Best regards
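The scenario in the post, as an added example that is not part of the original discussion: a small model of per-interface anti-spoofing topology, showing what happens when the switch's default route delivers VLAN 2/3 sources to the Management interface that only has VLAN 10 declared behind it, and how declaring the extra networks behind that interface changes the verdict. The subnets, the "eth0" name for the outside interface and the simplified accept/drop rule are assumptions; the post only gives x.x.x.253/24 for the SVIs.

```python
import ipaddress
from copy import deepcopy

# Constructed model of the topology in the post: one network per firewall
# interface, anti-spoofing enabled on Management only. Subnets are placeholders
# (the post only gives x.x.x.253/24 for the SVIs); "eth0" for Outside is assumed.
INTERFACES = {
    "G0/0": {"external": False, "anti_spoofing": True,  "topology": ["10.10.0.0/24"]},  # Management, VLAN 10
    "G0/1": {"external": False, "anti_spoofing": False, "topology": ["10.2.0.0/24"]},   # DMZ1, VLAN 2
    "G0/2": {"external": False, "anti_spoofing": False, "topology": ["10.3.0.0/24"]},   # DMZ2, VLAN 3
    "eth0": {"external": True,  "anti_spoofing": True,  "topology": []},                # Outside (ISP)
}

def _in_any(src, networks):
    return any(src in ipaddress.ip_network(n) for n in networks)

def check_anti_spoofing(ingress, src_ip, interfaces=INTERFACES):
    """Verdict ('accept' | 'drop' | 'unchecked', reason) for a packet with
    source src_ip arriving on `ingress`. Simplified rule: an internal interface
    only accepts sources inside its own topology; the external interface
    rejects sources that belong to any internal interface's topology."""
    src = ipaddress.ip_address(src_ip)
    iface = interfaces[ingress]
    if not iface["anti_spoofing"]:
        return "unchecked", f"anti-spoofing disabled on {ingress}"
    if iface["external"]:
        for name, other in interfaces.items():
            if not other["external"] and _in_any(src, other["topology"]):
                return "drop", f"{src_ip} belongs behind {name}, not Outside"
        return "accept", f"{src_ip} is not an internal network"
    if _in_any(src, iface["topology"]):
        return "accept", f"{src_ip} is in the topology of {ingress}"
    return "drop", f"{src_ip} is not in the topology of {ingress}"

def via_switch_default_route(src_ip, interfaces=INTERFACES):
    """The switch SVIs default-route to the Management interface, so hosts in
    VLAN 2 and 3 reach the firewall on G0/0 with DMZ source addresses."""
    return check_anti_spoofing("G0/0", src_ip, interfaces)

def with_networks_behind(interfaces, ingress, extra_networks):
    """Copy of the interface table with extra networks declared behind
    `ingress`, the usual fix when several VLANs legitimately sit behind it."""
    fixed = deepcopy(interfaces)
    fixed[ingress]["topology"].extend(extra_networks)
    return fixed

if __name__ == "__main__":
    print(via_switch_default_route("10.2.0.7"))
```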