In this post we will understand what unicast reverse path forwarding feature is in Cisco IOS and also how it is configured in Cisco IOS.
In normal cases the when a packet reaches to the router the router will only check the destination address in the IP header and will forward the packet out of the respective interface. Since the router doesn’t check the source IP address it is possible for attackers to spoof the source IP address and send packets that normally might have been dropped by the firewall or an access-list.
uRPF can work basically in two modes as follows:
Both the condition need to be matched in case of the strict mode and only then the packet will be accepted.
In loose mode only the above condition needs fulfillment in order for the packet to be accepted.
Let us configure this feature in a simple topology as below to understand further
R1 has a static route to reach R2’s Lo0 interface.
R1 has enabled uRPF on both of its interfaces Fa0/0 & Fa1/0.Routing table on R1:
R1#sh ip route
We have configured the strict mode for now as we have used option ‘rx’ , hence both conditions for Strict mode should be satisfied.
We ping R1 from R2 using Lo0 as source and see we can ping successfully as both conditions for strict mode satisfy.
R2#ping 220.127.116.11 source lo0
R1# sh ip int fa0/0 | i drops
Now we can configure a Lo0 on R3 as well with same IP 18.104.22.168.
Then we try to ping from R3 to R1 and see it fails since it only satisfies one condition of source IP being in routing table but fails on the second condition.
R3#ping 22.214.171.124 so lo0
R1# sh ip int fa1/0 | i drops
In order to enable the loose mode we can simply use the command as below on the interface: