Configuring unicast reverse path forwarding on a VLAN
About this task
Use the Unicast Reverse Path Forwarding (uRPF) feature to reduce the problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network. When you enable uRPF, the switch performs a check to determine if the source IP address of the packet is verifiable. If the address is not verifiable, the system drops the packet.
strict mode
loose mode (exist-only mode)
Before you begin
You must enable the urpf-mode boot flag.
Note
When you try to configure uRPF on an interface, that is, enable or change the urpf operating mode with the urpf-mode boot flag disabled, a consistency check error message is displayed: Unicast Reverse Path Forwarding configuration is not supported when urpf-mode boot flag is disabled.
- You must log on to the VLAN Interface Configuration mode in CLI.
Important
You must assign a valid IP address to the selected port.
Procedure
Example
Switch:1> enable Switch:1# configure terminal Switch:1(config)# interface vlan 2Check whether the source IP address of the incoming packet exists in the FIB table:
Switch:1(config-if)# ip rvs-path-chk mode exist-onlyVerify the configuration on the VLAN:
Switch:1(config-if)# show interfaces vlan ip
==============================================================================================================
Vlan Ip
==============================================================================================================
VLAN VRF IP NET BCASTADDR REASM ADVERTISE DIRECTED RPC RPCMODE RMON
ID NAME ADDRESS MASK FORMAT MAXSIZE WHEN_DOWN BROADCAST
--------------------------------------------------------------------------------------------------------------
1050 Globa~ 192.0.2.9 255.255.255.0 ones 1500 disable disable disable exist-only disable
1102 Globa~ 198.51.100.1 255.255.255.0 ones 1500 disable disable disable exist-only disable
1133 iir3 192.0.2.10 255.255.255.0 ones 1500 disable disable disable exist-only disable
1500 spboip 192.0.2.11 255.255.255.0 ones 1500 disable disable disable exist-only disable
1590 spboip 198.51.100.2 255.255.255.0 ones 1500 disable disable disable exist-only disable
4057 Globa~ 192.0.2.12 255.255.255.0 ones 1500 disable disable disable exist-only disable
All 16 out of 16 Total Num of Vlan Ip Entries displayed
VLAN VRF
ID NAME
--------------------------------------------------------------------------------
1050 GlobalRouter
1102 GlobalRouter
1133 iir3
1500 spboip
1590 spboip
4057 GlobalRouter
All 16 out of 16 Total Num of Vlan Ip Entries displayed
Switch:1> enable Switch:1# configure terminal Switch:1(config)# interface vlan 2Check whether the source IP address of the incoming packet exists in the FIB table:
Switch:1(config-if)# ipv6 rvs-path-chk mode exist-onlyVerify the configuration on the VLAN:
Switch:1(config-if)# show ipv6 interface vlan
========================================================================================================================
Vlan Ipv6 Interface
========================================================================================================================
IFINDX VLAN PHYSICAL ADMIN OPER TYPE MTU HOP REACHABLE RETRANSMIT MCAST IPSEC RPC RPCMODE
INDX ADDRESS STATE STATE LMT TIME TIME STATUS
------------------------------------------------------------------------------------------------------------------------
3170 1122 2c:f4:c5:dc:b4:89 enable up ETHER 1500 64 30000 1000 disable disable disable existonly
3174 1126 2c:f4:c5:dc:b4:8b enable up ETHER 1500 64 30000 1000 disable disable disable existonly
3185 1137 2c:f4:c5:dc:b4:90 enable up ETHER 1500 64 30000 1000 disable disable disable existonly
================================================================================
Vlan Ipv6 Address
================================================================================
IPV6 ADDRESS VLAN-ID TYPE ORIGIN STATUS
--------------------------------------------------------------------------------
2001:db8:0:0:0:0:0:1 V-1122 UNICAST MANUAL PREFERRED
2001:db8:0:0:2ef4:c5ff:fedc:b489 V-1122 UNICAST LINKLAYER PREFERRED
2001:db8:0:0:0:0:0:1 V-1126 UNICAST MANUAL PREFERRED
2001:db8:0:0:2ef4:c5ff:fedc:b48b V-1126 UNICAST LINKLAYER PREFERRED
2001:db8:0:0:0:0:0:1 V-1137 UNICAST MANUAL PREFERRED
2001:db8:0:0:2ef4:c5ff:fedc:b490 V-1137 UNICAST LINKLAYER PREFERRED
3 out of 4 Total Num of Interface Entries displayed.
6 out of 7 Total Num of Address Entries displayed.
Variable Definitions
The following table defines parameters for the ip rvs-path-chk mode and ipv6 rvs-path-chk mode commands.
|
Variable |
Value |
|---|---|
|
mode{strict|exist-only} |
Specifies the mode for Unicast Reverse Path Forwarding (uRPF). In strict mode, uRPF checks whether the source IP address of the incoming packet exists in the FIB. If the incoming interface is not the best reverse path, the packet check fails and uRPF drops the packet. In exist-only mode, uRPF checks whether the source IP address of the incoming packet exists in the FIB. The packet is dropped only if the source address is not reachable via an interface on that router. |