CHAPTER 8
Configuring Unicast RPF
This chapter contains the following sections:
Information About Unicast RPF, page 101
Licensing Requirements for Unicast RPF, page 103
Guidelines and Limitations for Unicast RPF, page 103
Default Settings for Unicast RPF, page 104
Configuring Unicast RPF, page 104
Configuration Examples for Unicast RPF, page 106
Verifying the Unicast RPF Configuration, page 106
Additional References for Unicast RPF, page 107
Information About Unicast RPF
The Unicast RPF feature reduces problems that are caused by the introduction of malformed or forged (spoofed)
IPv4 source addresses into a network by discarding IPv4 packets that lack a verifiable IP source address. For
example, a number of common types of Denial-of-Service (DoS) attacks, including Smurf and Tribal Flood
Network (TFN) attacks, can take advantage of forged or rapidly changing source IPv4 or IPv6 addresses to
allow attackers to thwart efforts to locate or filter the attacks. Unicast RPF deflects attacks by forwarding only
the packets that have source addresses that are valid and consistent with the IP routing table.
When you enable Unicast RPF on an interface, the device examines every ingress packet received on that
interface to verify that the packet's source address is reachable in the routing table through the interface on
which the packet arrived. This source-address check is performed against the Forwarding Information
Base (FIB), not against the RIB or any access list.
Unicast RPF verifies that a packet received on an interface arrived on the best return path (return route) to
the packet's source by doing a reverse lookup of the source address in the FIB. If the ingress interface is one
of the best reverse-path interfaces for that source (an ECMP route can have several), the packet is forwarded
as normal. If the FIB has no route to the source, or the best reverse path points out a different interface from
the one on which the packet was received, the source address may have been spoofed and the packet is dropped.
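The reverse lookup described above, modelled as an added example that is not code from the guide or from NX-OS: a constructed FIB keyed by prefix, a longest-prefix match on the source address, and the strict check that the ingress interface is one of the best reverse-path interfaces. The interface names, prefixes and packets are all constructed for illustration; the ECMP entry shows the "one of the best reverse path routes" case.

```python
import ipaddress

# Constructed FIB (not a real device's): prefix -> set of best next-hop
# interfaces. A prefix with more than one interface models an ECMP route.
FIB = {
    ipaddress.ip_network("10.1.0.0/16"): {"Ethernet1/1"},
    ipaddress.ip_network("10.1.5.0/24"): {"Ethernet1/2"},   # more specific than /16
    ipaddress.ip_network("192.0.2.0/24"): {"Ethernet1/3", "Ethernet1/4"},  # ECMP
}


def reverse_lookup(fib, src):
    """Longest-prefix match of the source address against the FIB.

    Returns the set of best reverse-path interfaces for that source, or an
    empty set when the FIB holds no route to it.
    """
    src = ipaddress.ip_address(src)
    best = None
    for prefix, _ in fib.items():
        if src in prefix and (best is None or prefix.prefixlen > best.prefixlen):
            best = prefix
    return set(fib[best]) if best is not None else set()


def urpf_strict(fib, src, ingress):
    """Strict Unicast RPF decision for one packet.

    Forward only if the ingress interface is one of the best reverse-path
    interfaces for the source; otherwise drop. Returns (verdict, reason).
    """
    ifaces = reverse_lookup(fib, src)
    if not ifaces:
        return ("drop", "no reverse path in FIB for %s" % src)
    if ingress in ifaces:
        return ("forward", "reverse path to %s is via %s" % (src, ingress))
    return ("drop", "reverse path to %s is via %s, packet arrived on %s"
            % (src, ",".join(sorted(ifaces)), ingress))


# Constructed sample packets: (source address, ingress interface).
SAMPLE_PACKETS = [
    ("10.1.5.7", "Ethernet1/2"),      # matches /24 via Ethernet1/2 -> forward
    ("10.1.5.7", "Ethernet1/1"),      # /24 wins over /16 -> wrong interface -> drop
    ("10.1.9.9", "Ethernet1/1"),      # only the /16 matches -> forward
    ("192.0.2.10", "Ethernet1/4"),    # ECMP: Ethernet1/4 is one best path -> forward
    ("203.0.113.5", "Ethernet1/3"),   # no route to source -> drop
]


def check_packets(fib=FIB, packets=SAMPLE_PACKETS):
    """Run the strict check over the sample packets; returns list of verdicts."""
    return [urpf_strict(fib, src, ingress)[0] for src, ingress in packets]


if __name__ == "__main__":
    for (src, ingress), verdict in zip(SAMPLE_PACKETS, check_packets()):
        print("%-14s on %-12s -> %s" % (src, ingress, verdict))
```

Two caveats follow directly from the model. A 0.0.0.0/0 entry in the FIB means the "no route to source" drop never fires, because every address matches the default; on an interface that is the default's next hop, strict checking then accepts any otherwise-unknown source. And strict checking assumes symmetric routing: on a multihomed device where traffic from a source legitimately arrives on an interface other than the one the FIB would use to reach it, the second sample packet's drop is what legitimate traffic looks like.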
Cisco Nexus 3600 NX-OS Security Configuration Guide, Release 7.x