Cisco Systems 7600 SERIES Configuring the Unicast RPF Checking Mode

23-20

Cisco7600 Series Router Cisco IOS Software Configuration Guide—12.1E

78-14064-04

Chapter23 Con figuring Network Security

Configuring Unicast Reverse Path Forwarding

This example shows how to enable self-pinging:

Router(config)# interface gigabitethernet 4/1

Router(config-if)# ip verify unicast source reachable-via any allow-self-ping

Router(config-if)# end

Configuring the Unicast RPF Checking Mode

There are two Unicast RPF checking modes:

•Strict checking mode, which verifies that the source IP address exists in the FIB table and verifies

that the source IP address is reachable through the input port.

•Exist-only checking mode, which only verifies that the source IP address exists in the FIB table.

Note The most recently configured mode is automatically applied to all ports configured for Unicast RPF

checking.

To configure Unicast RPF checking mode, perform this task:

When configuring the Unicast RPF checking mode, note the following syntax information:

•Use the rx keyword to enable strict checking mode.

•Use the any keyword to enable exist-only checking mode.

•Use the allow-default keyword to allow use of the default route for RPF verification.

•Use the list option to identify an access list.

–

If the access list denies network access, spoofed packets are dropped at the port.

–

If the access list permits network access, spoofed packets are forwarded to the destination

address. Forwarded packets are counted in the interface statistics.

–

If the access list includes the logging action, information about the spoofed packets is sent to

the log server.

Note When you enter the ip verify unicast source reachable-via command, the Unicast RPF checking mode

changes on all ports in the router.

Command Purpose

Step1 Router(config)# interface {{vlan vlan_ID} |

{type1slot/port} | {port-channel number}}

1. type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet

Selects an interface to configure.

Note Based on the input port, Unicast RPF verifies the

best return path before forwarding the packet on

to the next destination.

Step2 Router(config-if)# ip verify unicast source

reachable-via {rx | any} [allow-default] [list]

Configures the Unicast RPF checking mode.

Router(config-if)# no ip verify unicast Reverts to the default Unicast RPF checking mode.

Step3 Router(config-if)# exit Exits interface configuration mode.