Unless your network admin has had his/her head in the sand for the past few years, keeping spoofed traffic from leaving one’s own network is something that should be of concern. Luckily, back in 2000 some NANOG members wrote up a spec, RFC 2827, which was adopted as BCP38.
So what exactly is BCP38? BCP38 is "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing". In short, it means ensuring your customers do not send traffic from IP addresses for which they are not entitled to receive return traffic. A pretty simple concept. Amazingly, many/most ISPs do not prevent the sourcing of traffic from just any old bogus address.
A simple sample:
So what does this example do? In the Vlan interface you see that the local address range is 192.0.2.0/24 and there is a DHCP helper running remotely. This ACL restricts traffic from entering the interface unless it is to a valid destination, from a valid local source, or a DHCP broadcast. It explicitly denies traffic to any ranges which should not be receiving traffic, preventing any junk which will not find a destination from even entering your network. Any packets denied are logged, to aid in troubleshooting dropped packet issues.
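A Cisco IOS configuration consistent with the description above, written here as an added example and not the original post's listing. The VLAN number, ACL name, gateway address, helper address and the specific list of denied destination ranges are assumptions; only 192.0.2.0/24 and the presence of a remote DHCP helper come from the text.

```cisco
! Added example. Vlan10, BCP38-VLAN10-IN, 192.0.2.1 and 198.51.100.10 are
! constructed values; adjust the denied destination list to your own policy.
ip access-list extended BCP38-VLAN10-IN
 remark DHCP discover/request broadcast from clients that have no address yet
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
 remark Destinations that should never receive traffic: drop and log
 deny   ip any 0.0.0.0 0.255.255.255 log
 deny   ip any 127.0.0.0 0.255.255.255 log
 deny   ip any 169.254.0.0 0.0.255.255 log
 deny   ip any 240.0.0.0 15.255.255.255 log
 remark Valid local sources may reach any remaining destination
 permit ip 192.0.2.0 0.0.0.255 any
 remark Everything else is spoofed or misconfigured: drop and log
 deny   ip any any log
!
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ip helper-address 198.51.100.10
 ip access-group BCP38-VLAN10-IN in
```

Order matters because the ACL is evaluated first match wins: the DHCP broadcast permit has to precede the 240.0.0.0/4 deny, which would otherwise cover 255.255.255.255, and the destination denies have to precede the local-source permit.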