spoofing question.....

**DannyW** · 3 Weeks Ago

Hi all. R77.30 \ gaia. Distributed environment - 15 sites, each with a CP 4000 appliance cluster.

Each site has a single port MPLS solution which provides any-to-any connectivity to all of our other sites (private), and internet connectivity. In order to accomplish the two separate paths, we have 2 tagged VLANS . Based on destination, our gateway will tag and hand-off to a specific provider gateway. So.. on the VLAN interface for MPLS traffic, i have spoofing set to "internal", and for the internet VLAN, spoofing is set to "external". Everything works great, no problems.

But wait... After doing this for about 7 years, our provider is forcing us into their "newer" solution. They are removing the two VLAN scenario, and will handle all routing based on destination from one gateway. There will be one physical interface to the outside world - private and public, so there would be only one route per gateway, the 0 default. Since there could be public or private source\destinations behind that one physical interface, it seems like i'll have to turn spoofing off for it? Or am i missing something?

thanks

Danny

**mcnallym** · 3 Weeks Ago

External in Topology is simply saying that this is where IP addresses that not specified on another interface will be permitted as source

As the MPLS Traffic not specified on another interface then would match the External.

Internal simply allows you to set a specified ip address's permitted as source through there.

DMZ is there for the Threat Prevention Blades

NO need to turn spoofing off.

**jflemingeds** · 3 Weeks Ago

Doesn't antispoofing require 2 interfaces? Not sure if sync counts in that list or not.

How does the routing look? Still just one default route?

**DannyW** · 3 Weeks Ago

Originally Posted by jflemingeds

Doesn't antispoofing require 2 interfaces? Not sure if sync counts in that list or not.

How does the routing look? Still just one default route?

Yep, one route - default, pointing to the provider and they would handle site to site routing in addition to the internet. In the current config, i have the the interface that is set to the MPLS vlan set to internal, populated with a group of networks that are at every other private MPLS site. in the next gen config, setting that MPLS\Internet interface to external sure makes things simpler