33-4
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
OL-4266-08
Chapter 33 Configuring Network Security
Configuring Unicast Reverse Path Forwarding Check
• Exist-only check mode, which only verifies that the source IP address exists in the FIB table.
Note The most recently configured mode is automatically applied to all ports configured for Unicast RPF
check.
To configure Unicast RPF check mode, perform this task:
When configuring the Unicast RPF check mode, note the following information:
• Use the rx keyword to enable strict check mode.
• Use the any keyword to enable exist-only check mode.
• Use the allow-default keyword to allow use of the default route for RPF verification.
• Use the list option to identify an access list.
–
If the access list denies network access, spoofed packets are dropped at the port.
–
If the access list permits network access, spoofed packets are forwarded to the destination
address. Forwarded packets are counted in the interface statistics.
–
If the access list includes the logging action, information about the spoofed packets is sent to
the log server.
Note When you enter the ip verify unicast source reachable-via command, the Unicast RPF check mode
changes on all ports in the router.
This example shows how to enable Unicast RPF exist-only check mode on Gigabit Ethernet port 4/1:
Router(config)# interface gigabitethernet 4/1
Router(config-if)# ip verify unicast source reachable-via any
Router(config-if)# end
Router#
This example shows how to enable Unicast RPF strict check mode on Gigabit Ethernet port 4/2:
Router(config)# interface gigabitethernet 4/2
Router(config-if)# ip verify unicast source reachable-via rx
Router(config-if)# end
Router#
Command Purpose
Step 1
Router(config)# interface {{vlan
vlan_ID
} |
{
type
1
slot/port
} | {port-channel
number
}}
1. type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet
Selects an interface to configure.
Note Based on the input port, Unicast RPF check
verifies the best return path before forwarding the
packet on to the next destination.
Step 2
Router(config-if)# ip verify unicast source
reachable-via {rx | any} [allow-default] [
list
]
Configures the Unicast RPF check mode.
Router(config-if)# no ip verify unicast
Reverts to the default Unicast RPF check mode.
Step 3
Router(config-if)# exit
Exits interface configuration mode.
Step 4
Router# show mls cef ip rpf
Verifies the configuration.
To Next Page
Loading...
Need help?
General
