Unicast Reverse Path Forwarding (uRPF)
- Checks the source address of incoming packets against the routing table so that spoofed packets can be dropped on the interface they arrive on.
- uRPF is available only when CEF is enabled, because it relies on the FIB, which CEF populates.
- uRPF does a reverse lookup in the CEF table (show ip cef): it verifies that the best route back to the packet's source address points out the interface the packet arrived on.
ACLs and Logging:
- An ACL can be used in conjunction with uRPF; it is consulted only for packets that fail the uRPF check.
- Permit statement in ACL – the packet is forwarded in spite of failing uRPF.
- Deny statement in ACL – the packet, which uRPF would drop anyway, can be logged if the log keyword is configured on the deny entry.
- uRPF tracks two types of information:
- uRPF verification drop count – the number of packets dropped at the interface because they failed uRPF.
- uRPF suppressed verification drop count – the number of packets that failed uRPF but were forwarded because a permit entry in the ACL allowed them.
Cisco Doc Link:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_urpf/configuration/15-mt/cfg-unicast-rpf.html
- Basic uRPF configuration (strict mode on fa0/0):
ip cef
interface fa0/0
 ip verify unicast reverse-path
 exit
- In the example below, the permit entry in ACL 101 lets the 10.1.1.0/24 network bypass the uRPF check (the suppressed drop counter is incremented for each such packet). Any source other than 10.1.1.0/24 that fails uRPF would be dropped anyway, but the explicit deny entry with the log keyword lets us log the traffic being dropped by uRPF for further evaluation.
ip cef
! ACL 101 is evaluated only for packets that fail the uRPF check
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 deny ip any any log
interface fa0/0
! the ACL number follows the command directly
 ip verify unicast reverse-path 101
 exit
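The decision logic behind the configuration above (strict-mode reverse lookup, then ACL 101 only for packets that fail it, with the two drop counters), written out as an added Python simulation; this is not Cisco code or output, and the FIB entries and source addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed FIB: prefix -> interface the router would use to reach it
# (the information "show ip cef" lists). No default route, so a source that
# matches nothing fails strict uRPF, as it would without allow-default.
FIB = {
    ipaddress.ip_network("10.1.1.0/24"): "Fa0/1",
    ipaddress.ip_network("192.168.0.0/16"): "Fa0/0",
}

# ACL 101 from the page: (action, matched source network, log flag).
ACL_101 = [
    ("permit", ipaddress.ip_network("10.1.1.0/24"), False),
    ("deny", ipaddress.ip_network("0.0.0.0/0"), True),
]


@dataclass
class Counters:
    """The two per-interface counters uRPF keeps, plus the log lines."""
    drops: int = 0
    suppressed_drops: int = 0
    log: list = field(default_factory=list)


def fib_lookup(src):
    """Longest-prefix match on the source address (the reverse lookup)."""
    best = max((n for n in FIB if src in n), key=lambda n: n.prefixlen, default=None)
    return FIB[best] if best else None


def urpf_strict(src_ip, ingress, acl, counters):
    """Return 'forward' or 'drop' for a packet with src_ip arriving on ingress.

    Strict mode: the best route back to the source must leave via ingress.
    The ACL is consulted only when that check fails.
    """
    src = ipaddress.ip_address(src_ip)
    if fib_lookup(src) == ingress:
        return "forward"  # passes uRPF, ACL not consulted
    for action, net, log in acl:
        if src in net:
            if action == "permit":
                counters.suppressed_drops += 1  # forwarded despite failing uRPF
                return "forward"
            counters.drops += 1
            if log:
                counters.log.append(f"uRPF drop: src {src_ip} on {ingress}")
            return "drop"
    counters.drops += 1  # implicit deny at the end of the ACL
    return "drop"
```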
- Show global router statistics for drops and suppressed drops:
show ip traffic
- Show per-interface statistics for drops and suppressed drops:
show ip interface fa0/0