CONFIGURATION EXAMPLE OF LOOSE AND STRICT MODE IN UNICAST REVERSE PATH FORWARDING (URPF)

In this post we will understand what unicast reverse path forwarding feature is in Cisco IOS and also how it is configured in Cisco IOS.

In normal cases the when a packet reaches to the router the router will only check the destination address in the IP header and will forward the packet out of the respective interface. Since the router doesn’t check the source IP address it is possible for attackers to spoof the source IP address and send packets that normally might have been dropped by the firewall or an access-list.

uRPF can work basically in two modes as follows:

Strict Mode:

  • Accept packet if the source IP address of the packet received is present in the routing table. Accept packet if the source IP address of the packet received is reachable via the interface on which the packet has been received.

Both the condition need to be matched in case of the strict mode and only then the packet will be accepted.

Loose Mode:

  • Accept packet if the source IP address of the packet received is present in the routing table.

In loose mode only the above condition needs fulfillment in order for the packet to be accepted.

 

Let us configure this feature in a simple topology as below to understand further

 

TOPOLOGY:

configuration-example-of-loose-and-strict-mode-in-unicast-reverse-path-forwarding-urpf

R1 has a static route to reach R2’s Lo0 interface.

R1(config)#ip route 9.9.0.2 255.255.255.255 9.9.12.2

 R1 has enabled uRPF on both of its interfaces Fa0/0 & Fa1/0.

R1(config-if)#int fa0/0

R1(config-if)#ip verify unicast source reachable-via rx

R1(config-if)#int fa1/0

R1(config-if)#ip verify unicast source reachable-via rx

 

R1#sh ip int fa0/0 | i verify

IP verify source reachable-via RX

R1#sh ip int fa1/0 | i verify

IP verify source reachable-via RX

Routing table on R1:
R1#sh ip route

Gateway of last resort is not set

 

9.0.0.0/8 is variably subnetted, 5 subnets, 2 masks

S       9.9.0.2/32 [1/0] via 9.9.12.2

C       9.9.12.0/24 is directly connected, FastEthernet0/0

L       9.9.12.1/32 is directly connected, FastEthernet0/0

C       9.9.13.0/24 is directly connected, FastEthernet1/0

L       9.9.13.1/32 is directly connected, FastEthernet1/0

We have configured the strict mode for now as we have used option ‘rx’ , hence both conditions for Strict mode should be satisfied.

VERIFICATION:

We ping R1 from R2 using Lo0 as source and see we can ping successfully as both conditions for strict mode satisfy.

R2#ping 9.9.12.1 source lo0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 9.9.12.1, timeout is 2 seconds:

Packet sent with a source address of 9.9.0.2

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/40 ms

R1# sh ip int fa0/0 | i drops

0 verification drops

0 suppressed verification drops

Now we can configure a Lo0 on R3 as well with same IP 9.9.0.2.

interface Loopback0

ip address 9.9.0.2 255.255.255.255

Then we try to ping from R3 to R1 and see it fails since it only satisfies one condition of source IP being in routing table but fails on the second condition.

R3#ping 9.9.13.1 so lo0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 9.9.13.1, timeout is 2 seconds:

Packet sent with a source address of 9.9.0.2

…..

Success rate is 0 percent (0/5)

 
R1# sh ip int fa1/0 | i drops

5 verification drops

0 suppressed verification drops

In order to enable the loose mode we can simply use the command as below on the interface:

R1(config-if)#int fa0/0

R1(config-if)#ip verify unicast source reachable-via any

Please follow and like us:

Related Post

Add Comment