ip checkspoof

Use this command to provide checkspoof protection for transit frames being routed through the system.

Syntax

ip checkspoof {strict-mode | loose-mode}
no ip checkspoof {strict-mode | loose-mode}

Parameters

strict-mode    Verifies that the source IP address is reachable from the receive interface.
loose-mode     Verifies that the source IP address is reachable from any interface.

Defaults

None.

Mode

Configuration command, Interface configuration.

Usage

Network configurations that use VRRP may have connectivity issues to the backup interfaces when checkspoof strict-mode is enabled. In this circumstance, traffic may be routed to the backup interface via what appears to be the non-best path, because VRRP routing is inherently nonsymmetric. Strict-mode checkspoof rejects frames that do not ingress the “best” interface. When using VRRP, use the loose-mode version of checkspoof. This mode verifies that the source IP address in the packet is at least in a “known” network.
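
The difference between the two modes, including the nonsymmetric case described above, can be modeled as a reverse-path lookup on the source address. The following Python sketch is an added illustration, not the device's implementation; the routing table, interface names, addresses and function names are constructed for the example.

```python
import ipaddress

# Constructed routing table (prefix, interface); names are illustrative only.
ROUTES = [
    ("10.1.0.0/16", "vlan.0.1"),
    ("10.1.20.0/24", "vlan.0.2"),  # more specific, so it is the best path
    ("192.168.5.0/24", "vlan.0.3"),
]

def best_interface(src, routes=ROUTES):
    """Longest-prefix match on the source address; None if no route."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def checkspoof(src, ingress_if, mode, routes=ROUTES):
    """Return True to forward the frame, False to drop it."""
    if mode not in ("strict-mode", "loose-mode"):
        raise ValueError(f"unknown mode: {mode}")
    iface = best_interface(src, routes)
    if iface is None:
        return False                  # source is in no known network
    if mode == "loose-mode":
        return True                   # reachable from some interface
    return iface == ingress_if        # strict: must arrive on the best path

# Constructed frames: (source IP, receive interface, comment)
FRAMES = [
    ("10.1.5.9", "vlan.0.1", "symmetric path"),
    ("10.1.20.7", "vlan.0.1", "nonsymmetric path, as with a VRRP backup"),
    ("203.0.113.50", "vlan.0.3", "source in no known network"),
]

def evaluate(frames=FRAMES):
    """Map each frame to its (strict, loose) verdicts."""
    return {(src, ifn): (checkspoof(src, ifn, "strict-mode"),
                         checkspoof(src, ifn, "loose-mode"))
            for src, ifn, _ in frames}

if __name__ == "__main__":
    for (src, ifn), (strict, loose) in evaluate().items():
        print(f"{src:15} in {ifn}: strict={strict} loose={loose}")
```

In this model, adding a default route to the table would make every source address "known", so loose mode would then pass all frames.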

Example

This example enables strict-mode IP checkspoofing on VLAN 1:

System(rw)->
System(rw)->configure
System(rw-config)->interface vlan.0.1
System(rw-config-intf-vlan.0.1)->ip checkspoof strict-mode