In this post we will understand what the unicast reverse path forwarding (uRPF) feature is in Cisco IOS and how it is configured.
Normally, when a packet reaches a router, the router only checks the destination address in the IP header and forwards the packet out of the corresponding interface. Since the router does not check the source IP address, an attacker can spoof the source IP address and send packets that would otherwise have been dropped by a firewall or an access-list. uRPF closes this gap by checking the source address against the routing table before the packet is forwarded.
uRPF can work in two modes:
Strict Mode:
- Accept the packet if the source IP address of the received packet is present in the routing table.
- Accept the packet if the source IP address of the received packet is reachable via the interface on which the packet was received.
Both conditions must be met in strict mode; only then is the packet accepted.
Loose Mode:
- Accept the packet if the source IP address of the received packet is present in the routing table.
In loose mode only the above condition needs to be fulfilled for the packet to be accepted.
Let us configure this feature in a simple topology as below to understand it further.
TOPOLOGY:
R1 has a static route to reach R2’s Lo0 interface.
R1 has enabled uRPF on both of its interfaces Fa0/0 & Fa1/0.
R1(config)#int fa0/0
R1(config-if)#ip verify unicast source reachable-via rx
R1(config-if)#int fa1/0
R1(config-if)#ip verify unicast source reachable-via rx
R1#sh ip int fa0/0 | i verify
IP verify source reachable-via RX
R1#sh ip int fa1/0 | i verify
IP verify source reachable-via RX
R1#sh ip route
9.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
S 9.9.0.2/32 [1/0] via 9.9.12.2
C 9.9.12.0/24 is directly connected, FastEthernet0/0
L 9.9.12.1/32 is directly connected, FastEthernet0/0
C 9.9.13.0/24 is directly connected, FastEthernet1/0
L 9.9.13.1/32 is directly connected, FastEthernet1/0
We have configured strict mode for now, since we used the ‘rx’ keyword; hence both strict-mode conditions must be satisfied.
VERIFICATION:
We ping R1 from R2 using Lo0 as the source and see that the ping succeeds, as both strict-mode conditions are satisfied: 9.9.0.2 is in R1’s routing table, and it is reachable via Fa0/0, the interface the packet arrives on.
R2#ping 9.9.12.1 source lo0
Sending 5, 100-byte ICMP Echos to 9.9.12.1, timeout is 2 seconds:
Packet sent with a source address of 9.9.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/40 ms
R1# sh ip int fa0/0 | i drops
0 suppressed verification drops
Now we configure a Lo0 on R3 as well with the same IP address, 9.9.0.2.
R3(config)#int lo0
R3(config-if)#ip address 9.9.0.2 255.255.255.255
Then we try to ping from R3 to R1 and see that it fails: the source IP is in R1’s routing table, so the first condition is met, but R1’s route to 9.9.0.2 points out Fa0/0 while the packet arrives on Fa1/0, so the second condition fails.
R3#ping 9.9.13.1 so lo0
Sending 5, 100-byte ICMP Echos to 9.9.13.1, timeout is 2 seconds:
Packet sent with a source address of 9.9.0.2
.....
Success rate is 0 percent (0/5)
R1# sh ip int fa1/0 | i drops
0 suppressed verification drops
In order to enable the loose mode we can simply use the command as below on the interface:
R1(config-if)#ip verify unicast source reachable-via any
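To make the strict/loose decision rules and the R2/R3 ping results above concrete, here is an added Python model of the uRPF check (example code written for this post, not Cisco IOS code). It loads R1’s routing table from the post, resolves the static route to 9.9.0.2/32 through the connected 9.9.12.0/24 network to find its exit interface, and then replays the two ping tests in both modes while tallying per-interface drop counters. The function and class names (`Route`, `lookup`, `exit_interface`, `urpf_check`, `process_packets`) are assumptions of this example; default-route handling (the IOS `allow-default` keyword) and equal-cost multipath are not modelled.

```python
"""Model of Cisco IOS uRPF strict and loose mode checks over a small routing table.

Added example for the uRPF post; not IOS code. Routes below are R1's table
from the post, interface and function names are this example's own.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: Optional[str] = None            # exit interface for connected/local routes
    next_hop: Optional[ipaddress.IPv4Address] = None  # next hop for static routes


# R1's routing table as shown in the post ("sh ip route").
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("9.9.0.2/32"), next_hop=ipaddress.ip_address("9.9.12.2")),
    Route(ipaddress.ip_network("9.9.12.0/24"), interface="FastEthernet0/0"),
    Route(ipaddress.ip_network("9.9.12.1/32"), interface="FastEthernet0/0"),
    Route(ipaddress.ip_network("9.9.13.0/24"), interface="FastEthernet1/0"),
    Route(ipaddress.ip_network("9.9.13.1/32"), interface="FastEthernet1/0"),
]


def lookup(addr: str, routes: List[Route]) -> Optional[Route]:
    """Longest-prefix match for addr; None when no route covers it."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Route] = None
    for r in routes:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def exit_interface(addr: str, routes: List[Route], depth: int = 0) -> Optional[str]:
    """Resolve the exit interface for addr, following next hops recursively.

    The static route 9.9.0.2/32 via 9.9.12.2 resolves through the connected
    9.9.12.0/24 route, giving FastEthernet0/0. The depth limit guards against
    a misconfigured routing loop.
    """
    if depth > 8:
        return None
    r = lookup(addr, routes)
    if r is None:
        return None
    if r.interface is not None:
        return r.interface
    return exit_interface(str(r.next_hop), routes, depth + 1)


def urpf_check(src: str, ingress: str, routes: List[Route], mode: str = "strict") -> bool:
    """Return True if uRPF accepts a packet with source src arriving on ingress.

    strict (reachable-via rx): route must exist AND point back out the ingress interface.
    loose  (reachable-via any): route must exist, ingress interface is ignored.
    """
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    if lookup(src, routes) is None:
        return False                     # condition 1 fails in both modes
    if mode == "loose":
        return True
    return exit_interface(src, routes) == ingress


@dataclass
class Counters:
    accepted: int = 0
    verification_drops: int = 0          # like the 'verification drops' line of 'show ip interface'


def process_packets(packets, routes: List[Route], mode: str = "strict") -> Dict[str, Counters]:
    """Run (src, ingress) pairs through the check and tally per-interface counters."""
    stats: Dict[str, Counters] = {}
    for src, ingress in packets:
        c = stats.setdefault(ingress, Counters())
        if urpf_check(src, ingress, routes, mode):
            c.accepted += 1
        else:
            c.verification_drops += 1
    return stats


if __name__ == "__main__":
    # Constructed replay of the post's two tests: five echoes from R2's Lo0 on Fa0/0,
    # five from R3's spoofed Lo0 (same address) on Fa1/0.
    pings = [("9.9.0.2", "FastEthernet0/0")] * 5 + [("9.9.0.2", "FastEthernet1/0")] * 5
    for mode in ("strict", "loose"):
        print(mode, process_packets(pings, ROUTES, mode))
```

Running the script shows the post’s result in strict mode (Fa0/0 accepts all five, Fa1/0 drops all five) and that loose mode accepts both sets, because 9.9.0.2 is in the table regardless of which interface it arrives on; a source with no route at all, for example 10.0.0.1, is dropped in both modes. On a real router the `verification_drops` counter here corresponds to the `verification drops` line of `show ip interface`; the `suppressed verification drops` line the post greps for counts packets that failed the check but were exempted by an ACL attached to the `ip verify unicast` command.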
ABOUT THE AUTHOR
I am here to share my knowledge and experience in the field of networking with the goal being – “The more you share, the more you learn.”
I am a biotechnologist by qualification and a Network Enthusiast by interest. I developed interest in networking being in the company of a passionate Network Professional, my husband.
I am a strong believer of the fact that “learning is a constant process of discovering yourself.”
– Rashmi Bhardwaj (Author/Editor)