Quote:
Originally Posted by clarkeyi
I have a question regarding multiple subnets on our LAN. We have the original 100.x network on our LAN and now we have added a 10.x network. When I create a rule for 10.x traffic to pass through our firewall it drops the rule with IP spoofing error messages. I can understand this but is there any way to allow the 2 subnets to be allowed through our internal interface which is configured to only allow 100.x in the topology settings?

It would be far better to separate your traffic into separate VLANs and use subinterfaces on your firewall. This requires that you have a decent managed switch, but would decrease the size of the broadcast domain.
Having two subnets on a single VLAN is not best practice. It's not scalable, offers no security, and can (in some rare circumstances) actually cause problems. Best to separate your L3 traffic into different L2 domains.