Use this command to provide checkspoof protection for transit frames being routed through the system.
| strict-mode | Verifies that the source IP address is reachable from the receive interface. |
| loose-mode | Verifies that the source IP address is reachable from any interface. |
None.
Configuration command, Interface configuration.
Network configurations that utilize VRRP may have connectivity issues to the backup interfaces when using checkspoof strict-mode. Under this circumstance, traffic may be routed via what appears to be the non-best path to the backup interface, due to the inherent nonsymmetric nature of VRRP routing. Strict-mode checkspoof rejects frames that do not ingress the “best” interface. When utilizing VRRP, use the loose-mode version of checkspoof. This mode verifies that the source IP in the packet is at least in a “known” network.
This example enables strict-mode IP checkspoofing on VLAN 1:
System(rw)->configure
System(rw-config)->interface vlan.0.1
System(rw-config-intf-vlan.0.1)->ip checkspoof strict-mode
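
The following added example (not part of the original command reference and not the device's implementation) models the two modes as a simplified reverse-path lookup to show why the VRRP caveat above recommends loose-mode. The routing table, metrics, frames, and the function names `routes_to`, `checkspoof`, and `evaluate` are constructed assumptions for illustration.

```python
import ipaddress

# Constructed routing table: (prefix, interface, metric); lowest metric is the best path.
ROUTES = [
    ("10.1.0.0/24", "vlan.0.1", 10),   # best path to the VRRP-served subnet
    ("10.1.0.0/24", "vlan.0.2", 20),   # non-best path via the backup interface
    ("10.2.0.0/24", "vlan.0.2", 10),
]

def routes_to(src, routes):
    """Return the longest-prefix routes covering src as (network, interface, metric)."""
    addr = ipaddress.ip_address(src)
    hits = [(ipaddress.ip_network(p), ifc, m) for p, ifc, m in routes
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return []
    longest = max(net.prefixlen for net, _, _ in hits)
    return [h for h in hits if h[0].prefixlen == longest]

def checkspoof(src, rx_if, mode, routes=ROUTES):
    """Return True to forward the frame, False to reject it (assumed model)."""
    hits = routes_to(src, routes)
    if not hits:
        return False                      # source is in no known network
    if mode == "loose-mode":
        return True                       # reachable from any interface
    if mode == "strict-mode":
        best = min(hits, key=lambda h: h[2])
        return best[1] == rx_if           # must ingress the best interface
    raise ValueError(f"unknown mode: {mode}")

# Constructed frames: (source IP, receive interface, note)
FRAMES = [
    ("10.1.0.5", "vlan.0.1", "symmetric path"),
    ("10.1.0.5", "vlan.0.2", "asymmetric VRRP return path"),
    ("192.0.2.9", "vlan.0.1", "source in no known network"),
]

def evaluate(frames=FRAMES):
    """Map each frame to its (strict-mode, loose-mode) verdict."""
    return {(s, i): (checkspoof(s, i, "strict-mode"), checkspoof(s, i, "loose-mode"))
            for s, i, _ in frames}

if __name__ == "__main__":
    for (src, rx), (strict, loose) in evaluate().items():
        print(f"{src:<10} on {rx}: strict={'pass' if strict else 'drop'} "
              f"loose={'pass' if loose else 'drop'}")
```

The second frame is the VRRP case: a legitimate source arriving on the non-best interface is rejected in strict-mode but forwarded in loose-mode, while a source in no known network is rejected in both.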