Thursday, January 31, 2019

VLan and Default Gateway Switch

I forgot something very basic. Looking to set up some IP spoofing measures. I have been buried pretty deep in a Windows Server environment and, looking at IP spoofing protection with our Meraki MX FW, I forgot a concept of general routing/switching.

PC/Guest APs --> L3SWITCH ----(Tagged port)-> FW -> ISP RTR

Right now we have our core switch operating at L3 and it is the default gateway. It then pushes the traffic from 3x different VLANs to the FW. In order to set up IP spoofing protection, the requirements when the device is using NAT are as follows:

  • The source IP address is reachable through a configured static route or local VLAN
  • If the source IP address is contained within a configured VLAN, the source VLAN must match the configured VLAN ID for the source IP's subnet
  • If the source IP address is contained within a configured static route, the source VLAN must match the VLAN ID for the subnet that the next hop IP of the static route is accessible through

I completely forgot what happens to a packet at the GW switch in this type of structure and how it's tagged when it gets to the FW. I feel like it could complicate things. I left the switch as the gateway so we could have better lower-level control; was this a bad idea?

TL;DR - The core switch is the default gateway and passes traffic to the FW from the local VLANs. I forgot how that traffic looks when it arrives at the FW and how it's tagged. Looking to set up some IP spoofing preventative measures.
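To make the three requirements above concrete, here is an added model of that anti-spoofing check (example code written for this post, not Meraki's implementation). The VLAN and static-route tables are constructed sample values: VLAN 100 is assumed to be the transit link to the L3 core switch, and the three user subnets are assumed to be reached by static routes whose next hop is the switch's transit address.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample topology (assumption, not the real network).
@dataclass(frozen=True)
class Vlan:
    vlan_id: int
    subnet: ipaddress.IPv4Network

@dataclass(frozen=True)
class StaticRoute:
    subnet: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address

# VLAN 100: transit to the L3 core switch. VLAN 200: a subnet the FW owns directly.
VLANS = [
    Vlan(100, ipaddress.ip_network("10.0.0.0/30")),
    Vlan(200, ipaddress.ip_network("192.168.200.0/24")),
]
# The three user VLANs sit behind the core switch (next hop 10.0.0.2 on VLAN 100).
ROUTES = [
    StaticRoute(ipaddress.ip_network("10.10.0.0/24"), ipaddress.ip_address("10.0.0.2")),
    StaticRoute(ipaddress.ip_network("10.20.0.0/24"), ipaddress.ip_address("10.0.0.2")),
    StaticRoute(ipaddress.ip_network("10.30.0.0/24"), ipaddress.ip_address("10.0.0.2")),
]

def vlan_for_ip(ip, vlans):
    """Return the VLAN whose configured subnet contains ip, or None."""
    return next((v for v in vlans if ip in v.subnet), None)

def anti_spoof_allows(src_ip, src_vlan_id, vlans=VLANS, routes=ROUTES):
    """Rule 1: source must be reachable via a local VLAN or a static route.
    Rule 2: if it is in a local VLAN, the ingress VLAN tag must match that VLAN.
    Rule 3: if it is in a static route, the tag must match the VLAN the
    route's next hop is reachable through."""
    ip = ipaddress.ip_address(src_ip)
    local = vlan_for_ip(ip, vlans)
    if local is not None:
        return local.vlan_id == src_vlan_id          # rule 2
    matching = [r for r in routes if ip in r.subnet]
    if not matching:
        return False                                 # rule 1: unreachable source
    route = max(matching, key=lambda r: r.subnet.prefixlen)  # longest prefix wins
    next_hop_vlan = vlan_for_ip(route.next_hop, vlans)
    return next_hop_vlan is not None and next_hop_vlan.vlan_id == src_vlan_id  # rule 3
```

In the topology in the post, frames from all three user VLANs arrive at the FW already routed by the core switch and tagged with the transit VLAN, so it is rule 3 (route next hop on VLAN 100) that decides, not a per-user-VLAN tag.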
