Configure Reverse Path Checking on a Port

Before you begin

  • The system supports reverse path checking only on ports that have a valid IP address.

About this task

Configure reverse path checking on a port to determine if a packet IP address is verifiable. Use reverse path checking to reduce the problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network. After you enable reverse path checking, the switch performs a reverse path check to determine if the packet IP address is verifiable. If the address is not verifiable, the system discards the packet.

Reverse path checking operates in one of two modes:

  • exist-only mode

  • strict mode

Procedure

  1. In the Device Physical View tab, select a port.
  2. In the navigation pane, expandConfiguration > Edit > Port.
  3. Select IP.
  4. Select the Reverse Path Checking tab.
  5. Select Enable to enable reverse path checking.
  6. Select exist-only or strict.
  7. Select Apply.

Reverse Path Checking Field Descriptions

Use the data in the following table to use the Reverse Path Checking tab.

Name

Description

Enable

Enables reverse path checking on the selected port. The default is disabled.

Mode

Specifies the mode for reverse path checking. The modes are

  • exist-only—reverse path checking checks whether the incoming packet source IP address exists in the routing table. If reverse path checking finds the source IP entry, the packet is forwarded; otherwise the packet is discarded.

  • strict—reverse path checking checks whether the incoming packet source IP address exists in routing table. If reverse path checking does not find the source IP entry, the packet is dropped; otherwise, reverse path checking further checks if the source IP interface matches the incoming interface of the packet. If they match, the packet is forwarded; otherwise the packet is discarded.

The default is exist-only.