uRPF (Unicast Reverse Path Forwarding) is a security feature that verifies the source address of packets being forwarded is reachable: the router performs a forwarding-table lookup on the source IP address, not only on the destination, and drops packets whose source fails the check. This limits attacks that rely on spoofed source addresses (reflected and amplified DoS traffic, for example), because packets claiming a source the router would not reach through the receiving interface, or has no route to at all, are discarded at the edge.
– defined in RFC 3704 (BCP 84), which describes the strict and loose modes
– implements the ingress filtering recommended by RFC 2827 (BCP 38)
– relies on the CEF (Cisco Express Forwarding) FIB table to perform the source lookup, so CEF must be enabled on the device
– preferably implemented at the network edge, on interfaces facing the Internet, customers and servers, where the set of valid source prefixes is known
uRPF Modes:
1. Strict Mode (rx) – the packet must be received on the interface that the router would itself use to forward the return packet to the source. Two checks:
– does the router have a matching entry for the source in the FIB
– does the router reach the source through the same interface the packet arrived on (with equal-cost paths, arriving on any of them passes)
Note: be careful when enabling strict mode, as it can drop legitimate traffic. This normally happens where routing is asymmetric, i.e. packets from a source arrive on one interface while the router's best route back to that source points out another (multihomed customers and peering links are the usual cases). Enabling loose mode first, or watching the RPF drop counters right after enabling strict mode, shows whether legitimate traffic is being affected.
Cisco IOS/IOS-XE:
ip verify unicast source reachable-via rx
ipv6 verify unicast source reachable-via rx
Sample Config:
CISCO-IOSXE#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CISCO-IOSXE(config)#interface TenGigabitEthernet0/1/0
CISCO-IOSXE(config-if)#ip verify unicast source reachable-via ?
any Source is reachable via any interface
rx Source is reachable via interface on which packet was received
CISCO-IOSXE(config-if)#ip verify unicast source reachable-via rx
CISCO-IOSXE(config-if)#ipv6 verify unicast source reachable-via rx
Verification:
show cef interface <interface name>
show ip interface <interface name> | include verify
The first command only confirms that the check is enabled as an input feature; the second shows the configured mode (reachable-via RX or ANY) and any allow-default setting.
Sample Output:
CISCO-IOSXE#show cef interface TenGigabitEthernet0/1/0 | i RPF
IP unicast RPF check is enabled
Input features: uRPF
To see if there are any RPF drops, use these commands. Note that the CEF drop statistics below do not break uRPF drops out as a separate column: 'show ip traffic | include RPF' reports the unicast RPF drop counter in the IP statistics, and adding the feature keyword to 'show ip cef switching statistics' lists drops per input feature.
show cef drop
show ip cef switching statistics
show ip traffic | include RPF
Sample Output:
CISCO-IOSXE#show cef drop
% Command accepted but obsolete, see 'show (ip|ipv6) cef switching statistics [feature]'
IPv4 CEF Drop Statistics
Slot Encap_fail Unresolved Unsupported No_route No_adj ChkSum_Err
RP 0 0 0 0 0 0
IPv6 CEF Drop Statistics
Slot Encap_fail Unresolved Unsupported No_route No_adj
RP 0 0 0 0 0
CISCO-IOSXE#show ip cef switching statistics
Reason Drop Punt Punt2Host
All Total 0 0 0
Cisco IOS-XR:
ipv4 verify unicast source reachable-via rx
ipv6 verify unicast source reachable-via rx
Sample Config:
RP/0/RP0/CPU0:CISCO-IOS-XR#conf
Sun Sep 5 11:35:47.621 SST
RP/0/RP0/CPU0:CISCO-IOS-XR(config)#interface TenGigE0/0/0/0
RP/0/RP0/CPU0:CISCO-IOS-XR(config-if)#ipv4 verify unicast source reachable-via ?
any Source is reachable via any interface
rx Source is reachable via interface on which packet was received
RP/0/RP0/CPU0:CISCO-IOS-XR(config-if)#ipv4 verify unicast source reachable-via rx
RP/0/RP0/CPU0:CISCO-IOS-XR(config-if)#ipv6 verify unicast source reachable-via rx
Verification:
show cef interface <interface name>
Sample Output:
RP/0/RP0/CPU0:CISCO-IOS-XR#show cef interface TenGigE0/0/0/0 | i RPF
Sun Sep 5 11:37:53.637 SST
IP unicast RPF check is enabled
RPF mode strict
To see if there are any RPF drops, use this command with the location of the line card that hosts the interface (e.g. 0/0/CPU0 for Te0/0/0/0, which is in line card 0):
show cef drops location <location>
Sample Output:
RP/0/RP0/CPU0:CISCO-IOS-XR#show cef drops location 0/0/CPU0 | i RPF
Sun Sep 5 12:51:25.005 SST
RPF drops packets : 0
RPF suppressed drops packets : 0
Cisco Nexus OS:
ip verify unicast source reachable-via rx
ipv6 verify unicast source reachable-via rx
Sample Config:
CISCO-NEXUS# conf t
Enter configuration commands, one per line. End with CNTL/Z.
CISCO-NEXUS(config)# interface vlan8
CISCO-NEXUS(config-if)# ip verify unicast source reachable-via ?
any Source is reachable via any interface
rx Source is reachable via interface on which packet was received
CISCO-NEXUS(config-if)# ip verify unicast source reachable-via rx
CISCO-NEXUS(config-if)# ipv6 verify unicast source reachable-via rx
Verification:
show ip interface <interface name>
Sample Output:
CISCO-NEXUS# show ip interface vlan8
IP unicast reverse path forwarding: strict
2. Loose Mode (any) – the source address only needs to have a matching entry in the FIB; the receiving interface is not considered, so it can be used where routing paths are asymmetric. It performs a single check:
– does the router have a matching entry for the source in the FIB
Caveat: loose mode only catches sources the router has no route to (unallocated or bogon space, or prefixes missing from its table). A packet that spoofs any routable address passes, so as an anti-spoofing control it is much weaker than strict mode. In either mode a source that is covered only by the default route is treated as unreachable and dropped unless the allow-default keyword is configured, which matters on an upstream interface that carries nothing but a default route.
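The strict and loose checks described above, modelled in Python as an added example (this is not code from the original page or from Cisco). It performs the longest-prefix source lookup against a hand-written FIB and applies the two strict-mode checks or the single loose-mode check, including the effect of the allow-default keyword covered in the notes at the end of the page and of equal-cost paths. The FIB, interface names and packets are constructed for illustration.

```python
"""Model of the uRPF source check against a CEF/FIB table.

Added example, not code from the original page or from Cisco: it reproduces
the strict (rx) and loose (any) checks, plus the effect of the allow-default
keyword. The FIB, interface names and packets are constructed for illustration.
"""
import ipaddress

# Constructed FIB: prefix -> tuple of egress interfaces (more than one = ECMP).
# A real router builds this from the RIB via CEF; here it is hand-written.
FIB = {
    "0.0.0.0/0":       ("Te0/1/0",),             # default route to the upstream
    "198.51.100.0/24": ("Te0/2/0",),             # customer A
    "192.0.2.0/24":    ("Te0/2/0",),             # customer A, second prefix
    "203.0.113.0/24":  ("Te0/3/0",),             # customer B
    "198.18.0.0/15":   ("Te0/2/0", "Te0/3/0"),   # dual-homed customer C (ECMP)
}


def lookup(fib, src):
    """Longest-prefix match of src in fib; returns (network, egress_ifaces) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, oifs in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, oifs)
    return best


def urpf_check(fib, src, rx_if, mode="rx", allow_default=False):
    """Verdict for a packet with source src that arrived on rx_if.

    mode="rx"  -> strict mode  (ip verify unicast source reachable-via rx)
    mode="any" -> loose mode   (ip verify unicast source reachable-via any)
    allow_default mirrors the allow-default keyword.
    Returns (verdict, reason) where verdict is "forward" or "drop".
    """
    match = lookup(fib, src)
    if match is None:
        return "drop", "no FIB entry for source"
    net, oifs = match
    # Check 1: a match on the default route only counts with allow-default.
    if net.prefixlen == 0 and not allow_default:
        return "drop", "source covered only by the default route"
    if mode == "any":
        return "forward", f"loose: {net} is in the FIB"
    # Check 2 (strict only): the packet must arrive on a path the router would
    # use to reach the source; any ECMP member interface is acceptable.
    if rx_if in oifs:
        return "forward", f"strict: {net} reached via {rx_if}"
    return "drop", f"strict: {net} reached via {'/'.join(oifs)}, arrived on {rx_if}"


def run_scenarios(fib=FIB):
    """Constructed packets that show where the modes differ."""
    packets = [
        # (source, rx interface, description)
        ("198.51.100.7", "Te0/2/0", "customer A from its own link"),
        ("198.51.100.7", "Te0/3/0", "customer B spoofing customer A (or asymmetric path)"),
        ("198.18.5.5",   "Te0/3/0", "dual-homed customer C via its second link"),
        ("10.0.0.1",     "Te0/2/0", "RFC 1918 source, no route except default"),
        ("8.8.8.8",      "Te0/1/0", "Internet source on the upstream link"),
    ]
    results = []
    for src, rx_if, desc in packets:
        strict = urpf_check(fib, src, rx_if, "rx")[0]
        loose = urpf_check(fib, src, rx_if, "any")[0]
        loose_def = urpf_check(fib, src, rx_if, "any", allow_default=True)[0]
        results.append((desc, strict, loose, loose_def))
    return results


if __name__ == "__main__":
    print(f"{'packet':55} {'strict':8} {'loose':8} loose+allow-default")
    for desc, strict, loose, loose_def in run_scenarios():
        print(f"{desc:55} {strict:8} {loose:8} {loose_def}")
```

The last two scenarios are the ones that bite in practice: with only a default route in the table, both modes drop every Internet-sourced packet on the upstream link until allow-default is added, and with allow-default in loose mode every source then passes, so the check adds nothing there.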
Cisco IOS/IOS-XE:
ip verify unicast source reachable-via any
ipv6 verify unicast source reachable-via any
Sample Config:
CISCO-IOSXE#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CISCO-IOSXE(config)#interface TenGigabitEthernet0/1/0
CISCO-IOSXE(config-if)#ip verify unicast source reachable-via ?
any Source is reachable via any interface
rx Source is reachable via interface on which packet was received
CISCO-IOSXE(config-if)#ip verify unicast source reachable-via any
CISCO-IOSXE(config-if)#ipv6 verify unicast source reachable-via any
Verification:
show cef interface <interface name>
show ip interface <interface name> | include verify
The first command only confirms that the check is enabled as an input feature; the second shows the configured mode (reachable-via RX or ANY) and any allow-default setting.
Sample Output:
CISCO-IOSXE#show cef interface TenGigabitEthernet0/1/0 | i RPF
IP unicast RPF check is enabled
Input features: uRPF
To see if there are any RPF drops, use these commands. As in strict mode, the CEF drop statistics below do not break uRPF drops out as a separate column: 'show ip traffic | include RPF' reports the unicast RPF drop counter in the IP statistics, and adding the feature keyword to 'show ip cef switching statistics' lists drops per input feature.
show cef drop
show ip cef switching statistics
show ip traffic | include RPF
Sample Output:
CISCO-IOSXE#show cef drop
% Command accepted but obsolete, see 'show (ip|ipv6) cef switching statistics [feature]'
IPv4 CEF Drop Statistics
Slot Encap_fail Unresolved Unsupported No_route No_adj ChkSum_Err
RP 0 0 0 0 0 0
IPv6 CEF Drop Statistics
Slot Encap_fail Unresolved Unsupported No_route No_adj
RP 0 0 0 0 0
CISCO-IOSXE#show ip cef switching statistics
Reason Drop Punt Punt2Host
All Total 0 0 0
Cisco IOS-XR:
ipv4 verify unicast source reachable-via any
ipv6 verify unicast source reachable-via any
Sample Config:
RP/0/RP0/CPU0:CISCO-IOS-XR#conf
Sun Sep 5 11:35:47.621 SST
RP/0/RP0/CPU0:CISCO-IOS-XR(config)#interface TenGigE0/0/0/0
RP/0/RP0/CPU0:CISCO-IOS-XR(config-if)#ipv4 verify unicast source reachable-via ?
any Source is reachable via any interface
rx Source is reachable via interface on which packet was received
RP/0/RP0/CPU0:CISCO-IOS-XR(config-if)#ipv4 verify unicast source reachable-via any
RP/0/RP0/CPU0:CISCO-IOS-XR(config-if)#ipv6 verify unicast source reachable-via any
Verification:
show cef interface <interface name>
Sample Output:
RP/0/RP0/CPU0:CISCO-IOS-XR#show cef interface TenGigE0/0/0/0 | i RPF
Sun Sep 5 11:37:53.637 SST
IP unicast RPF check is enabled
RPF mode loose
To see if there are any RPF drops, use this command with the location of the line card that hosts the interface (e.g. 0/0/CPU0 for Te0/0/0/0, which is in line card 0):
show cef drops location <location>
Sample Output:
RP/0/RP0/CPU0:CISCO-IOS-XR#show cef drops location 0/0/CPU0 | i RPF
Sun Sep 5 12:51:25.005 SST
RPF drops packets : 0
RPF suppressed drops packets : 0
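A practitioner check for the period after enabling uRPF, written as an added example for this page (not the page's own code and not a Cisco tool): it parses the RPF counters from two polls of 'show cef drops location <location> | i RPF' and reports how much each counter grew per line card. A climbing 'RPF drops packets' counter right after switching an interface to strict mode is the first sign that legitimate asymmetric traffic is being discarded. The output snippets are constructed in the format shown above and are not real device output; the counter-reset handling is an assumption made for this example.

```python
"""Track uRPF drop counters between two polls of 'show cef drops location'.

Added example, not from the original page or from Cisco. The output below is
constructed in the format the page shows for IOS-XR and is not real device
output.
"""
import re

# Constructed: one entry per line card, as returned by
# 'show cef drops location <loc> | i RPF', captured at two points in time.
POLL_BEFORE = {
    "0/0/CPU0": "RPF drops packets            : 0\n"
                "RPF suppressed drops packets : 0\n",
    "0/1/CPU0": "RPF drops packets            : 1203\n"
                "RPF suppressed drops packets : 0\n",
}
POLL_AFTER = {
    "0/0/CPU0": "RPF drops packets            : 0\n"
                "RPF suppressed drops packets : 0\n",
    "0/1/CPU0": "RPF drops packets            : 4871\n"
                "RPF suppressed drops packets : 2\n",
}

COUNTER_RE = re.compile(
    r"^\s*(RPF(?: suppressed)? drops packets)\s*:\s*(\d+)\s*$", re.MULTILINE)


def parse_rpf_counters(text):
    """Map counter name -> value for the RPF lines in one location's output."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def rpf_drop_deltas(before, after):
    """Increase of each RPF counter per location between two polls.

    Counters only grow on a running system, so a decrease means the line card
    reloaded or the counters were cleared; the new value is then taken as the
    increase since the reset (assumption made for this example).
    """
    deltas = {}
    for loc, text in after.items():
        prev = parse_rpf_counters(before.get(loc, ""))
        for name, value in parse_rpf_counters(text).items():
            inc = value - prev.get(name, 0)
            deltas[(loc, name)] = value if inc < 0 else inc
    return deltas


def rpf_alerts(before, after, threshold):
    """(location, counter) pairs whose increase reached the threshold."""
    return sorted(key for key, inc in rpf_drop_deltas(before, after).items()
                  if inc >= threshold)


if __name__ == "__main__":
    for (loc, name), inc in sorted(rpf_drop_deltas(POLL_BEFORE, POLL_AFTER).items()):
        print(f"{loc:10} {name:30} +{inc}")
    print("alerts:", rpf_alerts(POLL_BEFORE, POLL_AFTER, threshold=100))
```

Run it against captures taken before and a few minutes after the change; a non-zero increase on a line card that carries customer or peering links is the cue to check for asymmetric paths on the affected interfaces (or to fall back to loose mode) before the drops turn into tickets.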
Cisco Nexus OS:
ip verify unicast source reachable-via any
ipv6 verify unicast source reachable-via any
Sample Config:
CISCO-NEXUS# conf t
Enter configuration commands, one per line. End with CNTL/Z.
CISCO-NEXUS(config)# interface vlan8
CISCO-NEXUS(config-if)# ip verify unicast source reachable-via ?
any Source is reachable via any interface
rx Source is reachable via interface on which packet was received
CISCO-NEXUS(config-if)# ip verify unicast source reachable-via any
CISCO-NEXUS(config-if)# ipv6 verify unicast source reachable-via any
Verification:
show ip interface <interface name>
Sample Output:
CISCO-NEXUS# show ip interface vlan8
IP unicast reverse path forwarding: loose
Some additional key points:
There are also optional keywords that can be added at the end of the command:
Cisco IOS/IOS-XE:
ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [access-list-number]
<1-199> IP access list (standard or extended)
<1300-2699> IP expanded access list (standard or extended)
allow-default Allow default route to match when checking source address
allow-self-ping Allow router to ping itself (opens vulnerability in verification)
Cisco IOS-XR:
ipv4 verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping]
allow-default Allow default route to match when checking source address
allow-self-ping Allow router to ping itself (opens vulnerability in verification)
Cisco Nexus-OS:
ip verify unicast source reachable-via any allow-default
allow-default Loose Default Route Unicast Reverse Path Forwarding
What the keywords do:
– access list: packets that fail the uRPF check are matched against the ACL. Those it permits are forwarded anyway (a way to exempt known asymmetric sources), those it denies are dropped, and entries carrying the log keyword record the failures. Failed packets are counted in the uRPF drop statistics whether or not the ACL lets them through.
– allow-default: a source that is covered only by the default route is treated as reachable. In loose mode with a default route present this matches every source, so the check is effectively disabled; in strict mode the packet must still arrive on the interface the default route points to.
– allow-self-ping: lets the router ping its own interface addresses through a uRPF-enabled interface. As the help text says, it weakens the verification, so leave it off unless needed for troubleshooting.
There are 2 other uRPF modes which are not covered in this tutorial:
– Feasible Mode (feasible-path uRPF from RFC 3704: the packet passes if the receiving interface lies on any feasible path to the source, not only the best one)
– VRF Mode (the source is checked against the table of a specified VRF rather than the global table)