Use authentication based on key exchange between the machines on your network; something like IPsec will significantly cut down on the risk of spoofing.
Use an access control list to deny private IP addresses on your downstream interface.
Implement filtering of both inbound and outbound traffic.
Configure your routers and switches if they support such configuration, to reject packets originating from outside your local network that claim to originate from within.
Enable encryption sessions on your router so that trusted hosts that are outside your network can securely communicate with your local hosts.