Configuring unicast reverse path forwarding on a port
About this task
You can use the Unicast Reverse Path Forwarding (uRPF) feature to reduce the problems caused by malformed or forged (spoofed) IP source addresses entering a network. When you enable uRPF, the switch checks whether the source IP address of each incoming packet can be verified against its forwarding table (FIB). If the address cannot be verified, the switch drops the packet.
uRPF operates in one of two modes:
- strict mode
- loose mode (exist-only mode)
Before you begin
- You must enable the urpf-mode boot flag. See Enabling urpf-mode boot flag.
Note
If you try to enable uRPF on an interface, or change the uRPF operating mode, while the urpf-mode boot flag is disabled, the consistency check displays the error message: Unicast Reverse Path Forwarding configuration is not supported when urpf-mode boot flag is disabled.
- You must log on to the GigabitEthernet Interface Configuration mode in CLI.
Procedure
Example
Configure uRPF for IPv4 on port 1/10. First enter GigabitEthernet Interface Configuration mode:

```
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# interface GigabitEthernet 1/10
```

Check whether the source IP address of the incoming packet exists in the FIB table:

```
Switch:1(config-if)# ip rvs-path-chk mode strict
```

Verify the configuration on the port:

```
Switch:1(config-if)# show ip interface gigabitethernet
=============================================================================================
                                        Brouter Port Ip
=============================================================================================
PORT  VRF    IP_ADDRESS     NET_MASK        BROADCAST  REASM    ADVERTISE  DIRECT   RPC      RPCMODE
NUM   NAME                                             MAXSIZE  WHEN_DOWN  BCAST
---------------------------------------------------------------------------------------------
1/1   Glob~  192.0.2.1      255.255.255.0   ones       1500     disable    disable  disable  exist-only
1/10  spbo~  198.51.100.1   255.255.255.0   ones       1500     disable    disable  disable  exist-only

PORT  VRF
NUM   NAME
--------------------------------------------------------------------------------
1/1   GlobalRouter
1/10  spboip
```
Configure uRPF for IPv6 on port 4/16. First enter GigabitEthernet Interface Configuration mode:

```
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# interface GigabitEthernet 4/16
```

Check whether the source IP address of the incoming packet exists in the FIB table:

```
Switch:1(config-if)# ipv6 rvs-path-chk mode strict
```

Verify the configuration on the port:

```
Switch:1(config-if)# show ipv6 interface gigabitethernet
==========================================================================================================================
                                                    Port Ipv6 Interface
==========================================================================================================================
IFINDX  BROUTER  PHYSICAL           ADMIN   OPER   TYPE   MTU   HOP  REACHABLE  RETRANSMIT  MCAST    IPSEC    RPC      RPCMODE
        INDX     ADDRESS            STATE   STATE               LMT  TIME       TIME        STATUS
--------------------------------------------------------------------------------------------------------------------------
192     4/16     e4:5d:52:3c:65:02  enable  down   ETHER  1500  2    30000      1000        disable  disable  disable  existonly

====================================================================================================
                                          Port Ipv6 Address
====================================================================================================
IPV6 ADDRESS                           BROUTER  TYPE     ORIGIN     STATUS
----------------------------------------------------------------------------------------------------
2001:DB8:0:0:0:0:0:ffff/64             4/16     UNICAST  MANUAL     INACCESSIBLE  INF  INF
2001:DB8:0:0:e65d:52ff:fe3c:6502/64    4/16     UNICAST  LINKLAYER  INACCESSIBLE  INF  INF

1 out of 5 Total Num of Interface Entries displayed.
2 out of 10 Total Num of Address Entries displayed.
```
Variable Definitions
The following table defines parameters for the ip rvs-path-chk mode and ipv6 rvs-path-chk mode commands.
| Variable | Value |
|---|---|
| mode {strict\|exist-only} | Specifies the mode for Unicast Reverse Path Forwarding (uRPF). In strict mode, uRPF checks whether the source IP address of the incoming packet exists in the FIB. If the incoming interface is not the best reverse path, the packet check fails and uRPF drops the packet. In exist-only mode, uRPF checks whether the source IP address of the incoming packet exists in the FIB. The packet is dropped only if the source address is not reachable via any interface on that router. |
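The following Python model illustrates the difference between the two modes defined above. It is an added example, not the switch's code: it performs a longest-prefix match of the packet's source address against a constructed FIB and applies the strict or exist-only rule. The FIB contents, interface names, and the treatment of a default route (excluded unless `allow_default` is set) are assumptions for the example; the page does not state how the switch treats a default route.

```python
import ipaddress

# Constructed FIB for the example: (prefix, egress interface). Not taken from the page.
FIB = [
    ("192.0.2.0/24", "1/1"),
    ("198.51.100.0/24", "1/10"),
    ("203.0.113.0/24", "1/1"),
    ("0.0.0.0/0", "1/2"),            # default route
]


def lookup(fib, src):
    """Longest-prefix match of src against fib.

    Returns (network, egress_interface) for the most specific matching
    route, or None when no route covers the address.
    """
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface)
    return best


def urpf_check(fib, src, ingress, mode, allow_default=False):
    """Return True if the packet passes uRPF, False if the switch would drop it.

    mode is "strict" or "exist-only", matching the rvs-path-chk keywords.
    allow_default controls whether a default route counts as a reverse path
    (assumption for this example: it does not, unless explicitly allowed).
    """
    if mode not in ("strict", "exist-only"):
        raise ValueError(f"unknown uRPF mode: {mode}")
    match = lookup(fib, src)
    if match is None:
        return False                     # source not in FIB: dropped in both modes
    net, egress = match
    if net.prefixlen == 0 and not allow_default:
        return False                     # only a default route covers the source
    if mode == "exist-only":
        return True                      # reachable via some interface: accept
    return egress == ingress             # strict: must arrive on the best reverse path
```

A packet from 192.0.2.7 arriving on port 1/10 passes in exist-only mode but fails in strict mode, because the best reverse path for that source is port 1/1.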