|
|
This chapter describes Unicast Reverse Path Forwarding (Unicast RPF) commands. The Unicast RPF feature helps mitigate problems caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address.
Refer to the Command Reference Master Index or search online to find complete descriptions of other commands used when configuring Unicast RPF.
For Unicast RPF configuration information, refer to the "Configuring Unicast Reverse Path Forwarding" chapter in the Cisco IOS Security Configuration Guide.
To enable Unicast Reverse Path Forwarding (Unicast RPF), use the ip verify unicast reverse-path command in interface configuration mode. To disable Unicast RPF, use the no form of this command.
ip verify unicast reverse-pathSyntax Description
This command has no arguments or keywords.
Defaults
Unicast RPF is disabled.
Command Modes
Interface configuration mode
Command History
11.1(CC) This command was introduced. 12.0 This command was introduced.
Release
Modification
Usage Guidelines
Use the ip verify unicast reverse-path interface command to help mitigate problems caused by malformed or forged (spoofed) IP source addresses that pass through a router. Malformed or forged source addresses can indicate denial-of-service (DoS) attacks based on source IP address spoofing.
When Unicast RPF is enabled on an interface, the router examines all packets received as input on that interface to make sure that the source address and source interface appear in the routing table and match the interface on which the packet was received. This "look backwards" ability is available only when Cisco express forwarding (CEF) is enabled on the router, because the lookup relies on the presence of the Forwarding Information Base (FIB). CEF generates the FIB as part of its operation.
 |
Note Unicast RPF is an input function and is applied only on the input interface of a router at the upstream end of a connection. |
Unicast RPF checks to see if any packet received at a router interface arrives on the best return path (return route) to the source of the packet. Unicast RPF does this by doing a reverse lookup in the CEF table. If the packet was received from one of the best reverse path routes, the packet is forwarded as normal. If there is no reverse path route on the same interface from which the packet was received, it might mean that the source address was modified. If Unicast RPF does not find a reverse path for the packet, the packet is dropped.
|
Note With Unicast RPF, all equal-cost "best" return paths are considered valid. This means that Unicast RPF works in cases where multiple return paths exist, provided that each path is equal to the others in terms of the routing cost (number of hops, weights, and so on) and as long as the route is in the FIB. Unicast RPF also functions where EIGRP variants are being used and unequal candidate paths back to the source IP address exist. |
To use Unicast RPF, enable CEF switching or distributed CEF (dCEF) switching in the router. There is no need to configure the input interface for CEF switching. As long as CEF is running on the router, individual interfaces can be configured with other switching modes.
|
Note It is very important for CEF to be configured globally in the router. Unicast RPF will not work without CEF. |
Unicast RPF should not be used on interfaces that are internal to the network. Internal interfaces are likely to have routing asymmetry, meaning multiple routes to the source of a packet. Unicast RPF should be applied only where there is natural or configured symmetry.
For example, routers at the edge of the network of an ISP are more likely to have symmetrical reverse paths than routers that are in the core of the ISP network. Routers that are in the core of the ISP network have no guarantee that the best forwarding path out of the router will be the path selected for packets returning to the router. Hence, it is not recommended that you apply Unicast RPF where there is a chance of asymmetric routing. It is simplest to place Unicast RPF only at the edge of a network or, for an ISP, at the customer edge of the network.
Examples
The following example enables Unicast RPF on a serial interface:
ip cef ! or "ip cef distributed" for RSP+VIP based routers ! interface serial 5/0/0 ip verify unicast reverse-path
The following example enables Unicast RPF on a Cisco AS5800. The interface Group-Async command makes it easy to apply Unicast RPF on all the dialup ports.
ip cef ! interface Group-Async1 ip verify unicast reverse-path
The following example uses a very simple single-homed ISP to demonstrate the concepts of ingress and egress filters used in conjunction with Unicast RPF. The example illustrates an ISP-allocated classless interdomain routing (CIDR) block 209.165.202.128/28 that has both inbound and outbound filters on the upstream interface. Be aware that ISPs are usually not single-homed. Hence, provisions for asymmetrical flows (when outbound traffic goes out one link and returns via a different link) need to be designed into the filters on the border routers of the ISP.
ip cef distributed ! interface Serial 5/0/0 description Connection to Upstream ISP ip address 209.165.200.225 255.255.255.252 no ip redirects no ip directed-broadcast no ip proxy-arp ip verify unicast reverse-path ip access-group 111 in ip access-group 110 out ! access-list 110 permit ip 209.165.202.128 0.0.0.31 any access-list 110 deny ip any any log access-list 111 deny ip host 0.0.0.0 any log access-list 111 deny ip 127.0.0.0 0.255.255.255 any log access-list 111 deny ip 10.0.0.0 0.255.255.255 any log access-list 111 deny ip 172.16.0.0 0.15.255.255 any log access-list 111 deny ip 192.168.0.0 0.0.255.255 any log access-list 111 deny ip 209.165.202.128 0.0.0.31 any log access-list 111 permit ip any any
Related Commands
ip cef Enables CEF on the route processor card.
Command
Description
Posted: Tue Apr 4 18:01:31 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.