Below is a dedicated drop ACL to apply on the “dirty side” of your perimeter L3 device.
ip access-list extended DropACL
 permit icmp any any traceroute
 permit icmp any any echo-reply
 !
 remark *******Block Routing Protocols*******
 deny ospf any any
 deny eigrp any any
 remark *******Block Mgmt Services*******
 deny udp any any eq bootpc
 deny udp any any eq bootps
 deny udp any any eq snmp
 deny tcp any any eq snmp
 deny udp any any eq syslog
 deny tcp any any eq syslog
 deny udp any any eq snmptrap
 deny tcp any any eq snmptrap
 deny tcp any any eq telnet
 deny udp any any eq tftp
 deny tcp any any eq 22
 deny tcp any any eq tacacs
 deny udp any any eq tacacs
 deny tcp any any range 1812 1813
 deny udp any any range 1812 1813
 remark *******RFC1918 Spoofing*******
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 remark *******RFC3330 Spoofing*******
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 192.88.99.0 0.0.0.255 any
 deny ip 198.18.0.0 0.1.255.255 any
 deny ip 240.0.0.0 15.255.255.255 any
 deny ip 255.0.0.0 0.255.255.255 any
 remark *******Unallocated Spoofing*******
 deny ip 128.0.0.0 0.0.255.255 any
 deny ip 191.255.0.0 0.0.255.255 any
 deny ip 192.0.0.0 0.0.0.255 any
 deny ip 223.255.255.0 0.0.0.255 any
 !
 remark *******Multicast Spoofing*******
 deny ip 224.0.0.0 31.255.255.255 any
 !
 remark ***********************************
 remark ***Allow Transit Traffic***********
 permit ip any any
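A way to check the source-address entries of this ACL offline before deploying it. This is an added example, not part of the original page: it models wildcard-mask, first-match evaluation for the `deny ip <source> <wildcard> any` lines only, so it assumes the packet did not already match one of the earlier ICMP, routing-protocol or management-service entries. The helper names are hypothetical.

```python
import ipaddress

# Source-address deny entries copied from the DropACL above, in order.
DENY_SOURCES = [
    ("10.0.0.0", "0.255.255.255"),
    ("172.16.0.0", "0.15.255.255"),
    ("192.168.0.0", "0.0.255.255"),
    ("0.0.0.0", "0.255.255.255"),
    ("127.0.0.0", "0.255.255.255"),
    ("192.0.2.0", "0.0.0.255"),
    ("169.254.0.0", "0.0.255.255"),
    ("192.88.99.0", "0.0.0.255"),
    ("198.18.0.0", "0.1.255.255"),
    ("240.0.0.0", "15.255.255.255"),
    ("255.0.0.0", "0.255.255.255"),
    ("128.0.0.0", "0.0.255.255"),
    ("191.255.0.0", "0.0.255.255"),
    ("192.0.0.0", "0.0.0.255"),
    ("223.255.255.0", "0.0.0.255"),
    ("224.0.0.0", "31.255.255.255"),
]

def _int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def matches(src, addr, wildcard):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(src) ^ _int(addr)) & care == 0

def first_match(src):
    """First deny entry matching src, or None (falls through to permit ip any any)."""
    for addr, wildcard in DENY_SOURCES:
        if matches(src, addr, wildcard):
            return (addr, wildcard)
    return None

def shadowed():
    """Entries that can never match because an earlier entry already covers them."""
    found = []
    for i, (b_addr, b_wild) in enumerate(DENY_SOURCES):
        for a_addr, a_wild in DENY_SOURCES[:i]:
            covers_bits = _int(a_wild) | _int(b_wild) == _int(a_wild)
            if covers_bits and matches(b_addr, a_addr, a_wild):
                found.append(((b_addr, b_wild), (a_addr, a_wild)))
                break
    return found
```

`shadowed()` reports the `255.0.0.0 0.255.255.255` entry as already covered by `240.0.0.0 15.255.255.255`, so its hit counter will stay at zero on the device.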