Configuring unicast reverse path forwarding on a VLAN

About this task

Use the Unicast Reverse Path Forwarding (uRPF) feature to reduce the problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network. When you enable uRPF, the switch performs a check to determine if the source IP address of the packet is verifiable. If the address is not verifiable, the system drops the packet.

uRPF runs in two modes:
  • strict mode

  • loose mode (exist-only mode)

Before you begin

  • You must enable the urpf-mode boot flag.

    Note

    Note

    When you try to configure uRPF on an interface, that is, enable or change the urpf operating mode with the urpf-mode boot flag disabled, a consistency check error message is displayed: Unicast Reverse Path Forwarding configuration is not supported when urpf-mode boot flag is disabled.

  • You must log on to the VLAN Interface Configuration mode in CLI.
    Important

    Important

    You must assign a valid IP address to the selected port.

Procedure

  1. Enter VLAN Interface Configuration mode:

    enable

    configure terminal

    interface vlan <1–4059>

  2. Set or change the urpf operating mode on a VLAN:

    For IPv4, enter: ip rvs-path-chk mode {strict|exist-only}

    For IPv6, enter: ipv6 rvs-path-chk mode {strict|exist-only}

  3. Verify the configuration on the VLAN:

    For IPv4, enter: show interfaces vlan ip

    For IPv6, enter: show ipv6 interface vlan

Example

Example for IPv4:
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# interface vlan 2
Check whether the source IP address of the incoming packet exists in the FIB table:
Switch:1(config-if)# ip rvs-path-chk mode exist-only
Verify the configuration on the VLAN:
Switch:1(config-if)# show interfaces vlan ip


==============================================================================================================
                                                   Vlan Ip
==============================================================================================================
VLAN VRF    IP            NET              BCASTADDR REASM   ADVERTISE DIRECTED  RPC     RPCMODE     RMON
ID   NAME   ADDRESS       MASK             FORMAT    MAXSIZE WHEN_DOWN BROADCAST
--------------------------------------------------------------------------------------------------------------
1050 Globa~ 192.0.2.9     255.255.255.0    ones      1500    disable   disable   disable exist-only  disable
1102 Globa~ 198.51.100.1  255.255.255.0    ones      1500    disable   disable   disable exist-only  disable
1133 iir3   192.0.2.10    255.255.255.0    ones      1500    disable   disable   disable exist-only  disable
1500 spboip 192.0.2.11    255.255.255.0    ones      1500    disable   disable   disable exist-only  disable
1590 spboip 198.51.100.2  255.255.255.0    ones      1500    disable   disable   disable exist-only  disable
4057 Globa~ 192.0.2.12    255.255.255.0    ones      1500    disable   disable   disable exist-only  disable


All 16 out of 16 Total Num of Vlan Ip Entries displayed


VLAN VRF
ID   NAME
--------------------------------------------------------------------------------
1050 GlobalRouter
1102 GlobalRouter
1133 iir3
1500 spboip
1590 spboip
4057 GlobalRouter

All 16 out of 16 Total Num of Vlan Ip Entries displayed
Example for IPv6:
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# interface vlan 2
Check whether the source IP address of the incoming packet exists in the FIB table:
Switch:1(config-if)# ipv6 rvs-path-chk mode exist-only
Verify the configuration on the VLAN:
Switch:1(config-if)# show ipv6 interface vlan

========================================================================================================================
                                             Vlan Ipv6 Interface
========================================================================================================================
IFINDX VLAN PHYSICAL          ADMIN   OPER  TYPE  MTU  HOP REACHABLE   RETRANSMIT  MCAST    IPSEC    RPC      RPCMODE
INDX        ADDRESS           STATE   STATE            LMT TIME        TIME        STATUS
------------------------------------------------------------------------------------------------------------------------
3170   1122 2c:f4:c5:dc:b4:89 enable  up    ETHER 1500 64  30000       1000        disable  disable  disable  existonly
3174   1126 2c:f4:c5:dc:b4:8b enable  up    ETHER 1500 64  30000       1000        disable  disable  disable  existonly
3185   1137 2c:f4:c5:dc:b4:90 enable  up    ETHER 1500 64  30000       1000        disable  disable  disable  existonly

================================================================================
                               Vlan Ipv6 Address
================================================================================
IPV6 ADDRESS                            VLAN-ID      TYPE    ORIGIN    STATUS
--------------------------------------------------------------------------------
2001:db8:0:0:0:0:0:1                      V-1122       UNICAST MANUAL    PREFERRED
2001:db8:0:0:2ef4:c5ff:fedc:b489          V-1122       UNICAST LINKLAYER PREFERRED
2001:db8:0:0:0:0:0:1                      V-1126       UNICAST MANUAL    PREFERRED
2001:db8:0:0:2ef4:c5ff:fedc:b48b          V-1126       UNICAST LINKLAYER PREFERRED
2001:db8:0:0:0:0:0:1                      V-1137       UNICAST MANUAL    PREFERRED
2001:db8:0:0:2ef4:c5ff:fedc:b490          V-1137       UNICAST LINKLAYER PREFERRED

3 out of 4 Total Num of Interface Entries displayed.
6 out of 7 Total Num of Address Entries displayed.

Variable Definitions

The following table defines parameters for the ip rvs-path-chk mode and ipv6 rvs-path-chk mode commands.

Variable

Value

mode{strict|exist-only}

Specifies the mode for Unicast Reverse Path Forwarding (uRPF). In strict mode, uRPF checks whether the source IP address of the incoming packet exists in the FIB. If the incoming interface is not the best reverse path, the packet check fails and uRPF drops the packet. In exist-only mode, uRPF checks whether the source IP address of the incoming packet exists in the FIB. The packet is dropped only if the source address is not reachable via any interface on that router.