uRPF Configuration on Cisco (IOS,IOS-XR,NX-OS)

uRPF or Unicast Reverse Path Forwarding is a security feature/tool that help verifies reachability of source address in packets being forwarded. It can prevents malicious and spoofing attacks as it will perform forwarding table lookup on the source IP address.
– it as defined in RFC3704
– it follows RFC2827 for ingress filtering.
–  it relies on the CEF (Cisco Express Forwarding) or FIB table to perform lookups.
– preferably implemented at the network edge facing internet, customers and servers

uRPF Modes:

  1. Strict Mode(rx) – packet must be received on the interface that the router uses to forward the return packet. Two checks:
    –  if router has a matching entry for the source in the routing table
    – if the router uses same interface to reach the source as where it received this packet

Note: Need to very careful in implementing this as it may drop legitimate traffic, this normally occur when there’s asymmetric routing paths in the network.

Cisco IOS/IOS-XE:

ip verify unicast source reachable-via rx
ipv6 verify unicast source reachable-via rx

Sample Config:

CISCO-IOSXE#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CISCO-IOSXE(config)#inter
CISCO-IOSXE(config)#interface TenGigabitEthernet0/1/0
CISCO-IOSXE(config-if)#ip verify unicast source reachable-via ?
any Source is reachable via any interface
rx Source is reachable via interface on which packet was received
CISCO-IOSXE(config-if)#ip verify unicast source reachable-via rx
CISCO-IOSXE(config-if)#ipv6 verify unicast source reachable-via rx

Verification:

show cef interface <interface name>

Sample Output:

CISCO-IOSXE#show cef interface TenGigabitEthernet0/1/0 | i RPF
IP unicast RPF check is enabled
Input features: uRPF

To see if there’s any RPF drops use this command

show cef drop
show ip cef switching statistics

Sample Output:

CISCO-IOSXE#show cef drop
% Command accepted but obsolete, see ‘show (ip|ipv6) cef switching statistics [feature]’
IPv4 CEF Drop Statistics
Slot Encap_fail Unresolved Unsupported No_route No_adj ChkSum_Err
RP 0 0 0 0 0 0
IPv6 CEF Drop Statistics
Slot Encap_fail Unresolved Unsupported No_route No_adj
RP 0 0 0 0 0

CISCO-IOSXE#show ip cef switching statistics
Reason Drop Punt Punt2Host
All Total 0 0 0

Cisco IOS-XR:

ipv4 verify unicast source reachable-via rx
ipv6 verify unicast source reachable-via rx

Sample Config:

RP/0/RP0/CPU0:CISCO-IOS-XR#conf
Sun Sep 5 11:35:47.621 SST
RP/0/RP0/CPU0:CISCO-IOS-XR(config)#interface TenGigE0/0/0/0
RP/0/RP0/CPU0:CISCO-IOS-XR(config-if)#ipv4 verify unicast source reachable-via ?
any Source is reachable via any interface
rx Source is reachable via interface on which packet was received
RP/0/RP0/CPU0:CISCO-IOS-XR(config-if)#ipv4 verify unicast source reachable-via rx
RP/0/RP0/CPU0:CISCO-IOS-XR(config-if)#ipv6 verify unicast source reachable-via rx

Verification:

show cef interface <interface name>

Sample Output:

RP/0/RP0/CPU0:CISCO-IOS-XR#show cef interface TenGigE0/0/0/0 | i RPF
Sun Sep 5 11:37:53.637 SST
IP unicast RPF check is enabled
RPF mode strict

To see if there’s any RPF drops use this command (e.g. Te0/0/0/0 which is in linecard 0)

show cef drops location <location>

Sample Output:

RP/0/RP0/CPU0:CISCO-IOS-XR#show cef drops location 0/0/CPU0 | i RPF
Sun Sep 5 12:51:25.005 SST
RPF drops packets : 0
RPF suppressed drops packets : 0

Cisco Nexus OS:

ip verify unicast source reachable-via rx
ipv6 verify unicast source reachable-via rx

CISCO-NEXUS# conf t
Enter configuration commands, one per line. End with CNTL/Z.
CISCO-NEXUS(config)# interface vlan8
CISCO-NEXUS(config-if)# ip verify unicast source reachable-via ?
any Source is reachable via any interface
rx Source is reachable via interface on which packet was received
CISCO-NEXUS(config-if)# ip verify unicast source reachable-via rx
CISCO-NEXUS(config-if)# ipv6 verify unicast source reachable-via rx

Verification:

 show ip interface <interface name>

Sample Output:

CISCO-NEXUS# show ip interface vlan8
IP unicast reverse path forwarding: strict

 

2. Loose Mode(any) – source address should appear in the routing table. It can be use when there is asymmetric routing paths in the network. So basically it will only perform single check
–  if router has a matching entry for the source in the routing table

Cisco IOS/IOS-XE:

ip verify unicast source reachable-via any
ipv6 verify unicast source reachable-via any

Sample Config:

CISCO-IOSXE#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CISCO-IOSXE(config)#inter
CISCO-IOSXE(config)#interface TenGigabitEthernet0/1/0
CISCO-IOSXE(config-if)#ip verify unicast source reachable-via ?
any Source is reachable via any interface
rx Source is reachable via interface on which packet was received
CISCO-IOSXE(config-if)#ip verify unicast source reachable-via any
CISCO-IOSXE(config-if)#ipv6 verify unicast source reachable-via any

Verification:

show cef interface <interface name>

Sample Output:

CISCO-IOSXE#show cef interface TenGigabitEthernet0/1/0 | i RPF
IP unicast RPF check is enabled
Input features: uRPF

To see if there’s any RPF drops use this command:

show cef drop
show ip cef switching statistics

Sample Output:

CISCO-IOSXE#show cef drop
% Command accepted but obsolete, see ‘show (ip|ipv6) cef switching statistics [feature]’
IPv4 CEF Drop Statistics
Slot Encap_fail Unresolved Unsupported No_route No_adj ChkSum_Err
RP 0 0 0 0 0 0
IPv6 CEF Drop Statistics
Slot Encap_fail Unresolved Unsupported No_route No_adj
RP 0 0 0 0 0

CISCO-IOSXE#show ip cef switching statistics
Reason Drop Punt Punt2Host
All Total 0 0 0

Cisco IOS-XR:

ipv4 verify unicast source reachable-via any
ipv6 verify unicast source reachable-via any

Sample Config:

RP/0/RP0/CPU0:CISCO-IOS-XR#conf
Sun Sep 5 11:35:47.621 SST
RP/0/RP0/CPU0:CISCO-IOS-XR(config)#interface TenGigE0/0/0/0
RP/0/RP0/CPU0:CISCO-IOS-XR(config-if)#ipv4 verify unicast source reachable-via ?
any Source is reachable via any interface
rx Source is reachable via interface on which packet was received
RP/0/RP0/CPU0:CISCO-IOS-XR(config-if)#ipv4 verify unicast source reachable-via any
RP/0/RP0/CPU0:CISCO-IOS-XR(config-if)#ipv6 verify unicast source reachable-via any

Verification:

show cef interface <interface name>

Sample Output:

RP/0/RP0/CPU0:CISCO-IOS-XR#show cef interface TenGigE0/0/0/0 | i RPF
Sun Sep 5 11:37:53.637 SST
IP unicast RPF check is enabled
RPF mode loose

To see if there’s any RPF drops use this command (e.g. Te0/0/0/0 which is in linecard 0)

show cef drops location <location>

Sample Output:

RP/0/RP0/CPU0:CISCO-IOS-XR#show cef drops location 0/0/CPU0 | i RPF
Sun Sep 5 12:51:25.005 SST
RPF drops packets : 0
RPF suppressed drops packets : 0

Cisco Nexus OS:

ip verify unicast source reachable-via any
ipv6 verify unicast source reachable-via any

CISCO-NEXUS# conf t
Enter configuration commands, one per line. End with CNTL/Z.
CISCO-NEXUS(config)# interface vlan8
CISCO-NEXUS(config-if)# ip verify unicast source reachable-via ?
any Source is reachable via any interface
rx Source is reachable via interface on which packet was received
CISCO-NEXUS(config-if)# ip verify unicast source reachable-via any
CISCO-NEXUS(config-if)# ipv6 verify unicast source reachable-via any

Verification:

 show ip interface <interface name>

Sample Output:

CISCO-NEXUS# show ip interface vlan8
IP unicast reverse path forwarding: loose

Some additional keynotes:

There’s also optional commands added at the end:

Cisco IOS/IOS-XE:

ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [access-list-number]

<1-199> IP access list (standard or extended)
<1300-2699> IP expanded access list (standard or extended)
allow-default Allow default route to match when checking source address
allow-self-ping Allow router to ping itself (opens vulnerability in verification)

Cisco IOS-XR:

ipv4 verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping]

allow-default  – Allow default route to match when checking source address
allow-self-ping Allow router to ping itself (opens vulnerability in verification)

Cisco Nexus-OS:

ip verify unicast source reachable-via  any allow-default

allow-default Loose Default Route Unicast Reverse Path Forwarding

There are 2 other uRPF modes which we will not discuss in this tutorial
-Feasible Mode
-VRF Mode

Be First to Comment

Leave a Reply

Your email address will not be published.