Chapter 23 Configuring Network Security

Configuring Unicast Reverse Path Forwarding

This example shows how to allow self-pinging (the router pinging its own interface address, which Unicast RPF would otherwise drop) while Unicast RPF checking is enabled on the port:

Router(config)# interface gigabitethernet 4/1

Router(config-if)# ip verify unicast source reachable-via any allow-self-ping

Router(config-if)# end

Configuring the Unicast RPF Checking Mode

There are two Unicast RPF checking modes:

Strict checking mode, which verifies that the source IP address exists in the FIB table and that the best path back to that source address leaves through the port on which the packet arrived. Strict mode drops legitimate traffic on ports where routing is asymmetric, so use it on edge ports with a single path to the customer or host network.

Exist-only checking mode, which only verifies that the source IP address exists in the FIB table. It catches unroutable (bogon) sources but not addresses spoofed from any routable prefix.

Note The most recently configured mode is automatically applied to all ports configured for Unicast RPF checking.

To configure Unicast RPF checking mode, perform this task:

Command | Purpose

Step 1

Router(config)# interface {{vlan vlan_ID} | {type1 slot/port} | {port-channel number}}

Selects an interface to configure.

Note Unicast RPF uses the input port for the check: before forwarding the packet on to the next destination, it verifies that the best return path to the packet's source address is through that port.

Step 2

Router(config-if)# ip verify unicast source reachable-via {rx | any} [allow-default] [list]

Configures the Unicast RPF checking mode.

Router(config-if)# no ip verify unicast

Reverts to the default Unicast RPF checking mode.

Step 3

Router(config-if)# exit

Exits interface configuration mode.

1. type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet

When configuring the Unicast RPF checking mode, note the following syntax information:

Use the rx keyword to enable strict checking mode.

Use the any keyword to enable exist-only checking mode.

Use the allow-default keyword to allow use of the default route for RPF verification. Because a default route matches every source address, allow-default in exist-only mode accepts almost any source on a router that carries a default route; in strict mode it only passes a source when the default route points out the input port.

Use the list option to identify an access list. The access list is applied only to packets that fail the RPF check (spoofed packets):

If the access list denies network access, spoofed packets are dropped at the port.

If the access list permits network access, spoofed packets are forwarded to the destination address. Forwarded packets are counted in the interface statistics.

If the access list includes the logging action, information about the spoofed packets is sent to the log server.

Note When you enter the ip verify unicast source reachable-via command, the Unicast RPF checking mode changes on all ports in the router.
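The following configuration walks through Steps 1 to 3 and the syntax notes above on two customer-facing ports. It is an added example, not a configuration from the Cisco guide; the interface numbers, the access list number 199 and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 prefixes are constructed for illustration.

```cisco
! Added example (not from the Cisco guide). Interface numbers, ACL 199 and the
! address ranges below are constructed for illustration.
!
! Exemption list: consulted only for packets that FAIL the RPF check.
!   - 198.51.100.0/24 is a customer whose return path is known to be
!     asymmetric, so its packets are forwarded anyway (and logged).
!   - Any other source that fails the check is dropped and logged, giving the
!     log server a per-port record of spoofed sources.
access-list 199 permit ip 198.51.100.0 0.0.0.255 any log
access-list 199 deny   ip any any log
!
! Step 1/2: customer port, strict mode (rx). A packet is forwarded only if the
! FIB's best path back to its source address leaves through this same port.
! No allow-default here: this port is not the one the default route uses, so a
! spoofed source that matches only the default route must fail the check.
interface gigabitethernet 4/1
 ip address 192.0.2.1 255.255.255.0
 ip verify unicast source reachable-via rx 199
 exit
!
! Second customer port. On this router the last reachable-via keyword entered
! becomes the mode for EVERY Unicast RPF port, so it must also be rx: entering
! "any" here would silently relax gigabitethernet 4/1 to exist-only checking.
interface gigabitethernet 4/2
 ip address 203.0.113.1 255.255.255.0
 ip verify unicast source reachable-via rx 199
 exit
!
! Step 3 and verification: confirm the mode on the port, then watch the
! router-wide RPF drop counter and the ACL match counters while sending test
! packets with a spoofed source into gigabitethernet 4/1.
end
show ip interface gigabitethernet 4/1 | include verif
show ip traffic | include RPF
show ip access-lists 199
```

The `deny ip any any log` entry is what turns the feature into a detection source as well as a filter: every drop on the port produces a log entry naming the spoofed source, and the ACL counters give a quick per-port count without a packet capture. Before enabling strict mode on a port, check that the return path to every prefix reachable through it really does leave through that port, otherwise the first customer with a multihomed network will be dropped.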

 

Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E

78-14064-04