Cisco IOS Unicast Reverse Path Forwarding (uRPF) | (CCIE Notes)


Unicast Reverse Path Forwarding (uRPF)

  • Checks packets arriving on an interface for spoofed IP source addresses: a packet is accepted only if the route back to its source points out the interface it arrived on.
  • uRPF is available only when CEF is enabled, because uRPF relies on the FIB, which is populated by CEF.
  • uRPF does a reverse lookup (on the source address) in the CEF table. (show ip cef)

uRPF Enhancements:

ACLs and Logging:

  • An ACL can be used in conjunction with uRPF.
  • Permit statement in ACL – packet is forwarded in spite of being denied by uRPF.
  • Deny statement in ACL – packet which is already dropped by uRPF can be logged if logging is configured on the deny ACL.

Per-Interface Statistics:

  • Tracks two types of information:
    • uRPF verification drop count – tracks the number of packets dropped by uRPF at the interface.
    • uRPF suppressed verification drop count – tracks the number of packets that failed uRPF but were forwarded because of a permit statement in the ACL.

Cisco Doc Link:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_urpf/configuration/15-mt/cfg-unicast-rpf.html (Products > Cisco IOS > Cisco IOS Software Release 15M&T > Cisco IOS 15.2M&T > Configuration Guides > Security, Services, and VPN > Securing the Data Plane Configuration Guide Library, Cisco IOS Release 15M&T > Unicast Reverse Path Forwarding > Configuring uRPF)

Configuration:

  • Basic uRPF configuration.
ip cef
interface fa0/0
 ip verify unicast reverse-path
 exit
  • In the example below, the permit ACL allows the 10.1.1.0/24 network to bypass the uRPF check; such packets are forwarded and the suppressed drop counter is incremented. Any traffic other than the 10.1.1.0/24 network would be denied anyway, but with the explicit deny ACL we have the ability to log the traffic being dropped by uRPF for further evaluation.
ip cef
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 deny ip any any log
interface fa0/0
 ip verify unicast reverse-path list 101
 exit
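The following is an added example (not Cisco code and not from the original notes) that models what the configuration above does: a strict reverse lookup of the source address in a constructed FIB, the ACL 101 exemption, and the two per-interface counters. The FIB contents and the log line format are constructed for illustration; default routes are ignored, since the page does not cover allow-default.

```python
"""Strict-mode uRPF model with an exemption ACL (added example, not Cisco code)."""
import ipaddress
from collections import Counter

# Constructed FIB: prefix -> interface the router would use to reach that prefix.
FIB = {
    ipaddress.ip_network("192.168.1.0/24"): "fa0/0",
    ipaddress.ip_network("10.1.1.0/24"): "fa0/1",
    ipaddress.ip_network("172.16.0.0/16"): "fa0/1",
}

# ACL 101 from the page as (action, source prefix, log?) entries.
ACL_101 = [
    ("permit", ipaddress.ip_network("10.1.1.0/24"), False),
    ("deny", ipaddress.ip_network("0.0.0.0/0"), True),
]

def fib_lookup(src):
    """Reverse lookup: longest-prefix match on the *source* address."""
    matches = [n for n in FIB if src in n]
    return FIB[max(matches, key=lambda n: n.prefixlen)] if matches else None

def acl_lookup(acl, src):
    """First matching entry wins; an ACL ends with an implicit deny (not logged)."""
    for action, net, log in acl:
        if src in net:
            return action, log
    return "deny", False

def urpf_strict(ingress, src, acl=None, stats=None, log=None):
    """Return 'forward', 'suppressed' (ACL permit overrode uRPF) or 'drop'."""
    stats = stats if stats is not None else Counter()
    src = ipaddress.ip_address(src)
    if fib_lookup(src) == ingress:      # best path back points out the ingress interface
        return "forward"
    if acl is None:                     # plain 'ip verify unicast reverse-path'
        stats["drops"] += 1
        return "drop"
    action, do_log = acl_lookup(acl, src)
    if action == "permit":              # failed uRPF but exempted by the ACL
        stats["suppressed_drops"] += 1
        return "suppressed"
    stats["drops"] += 1
    if do_log and log is not None:      # constructed log line, not IOS syslog format
        log.append(f"uRPF drop on {ingress}: src {src} denied by ACL (logged)")
    return "drop"

def simulate(packets, acl=None):
    """Run (ingress, src) pairs through the check; returns verdicts, counters, log."""
    stats, log = Counter(), []
    verdicts = [urpf_strict(i, s, acl, stats, log) for i, s in packets]
    return verdicts, dict(stats), log
```

Calling simulate with ACL_101 on sources 10.1.1.5 and 172.16.9.9 arriving on fa0/0 yields one suppressed drop and one logged drop, mirroring the two counters shown by show ip interface.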

Verification:

Shows global router statistics for uRPF drops and suppressed drops:

show ip traffic

Shows per-interface statistics for uRPF drops and suppressed drops:

show ip interface fa0/0

Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/ccie-security/
