Let's first talk about what happens when a router receives a unicast IP packet. To forward it, the router asks one question: "What is the destination IP address?"
It looks that destination up in its routing table (the FIB, when CEF is enabled) to pick the next hop and outgoing interface. The important thing to notice is that the router doesn't care about the source IP address. Routing is destination based: where do you want to go, here's how to get there. The source is never checked, which is why spoofing becomes a big problem, especially in DDoS attacks, where forged source addresses hide the real origin of the traffic.
Cisco and other vendors have a feature called uRPF (Unicast Reverse Path Forwarding) to mitigate this. As the name suggests, it verifies the source IP address of each incoming packet by looking it up the same way the router would route a reply back to that source. On Cisco IOS the lookup is done against the CEF table, so Cisco Express Forwarding must be enabled for uRPF to function. uRPF is configured on a per-interface basis.
There are two modes for uRPF:
1. Strict Mode:
Using CEF, the router verifies that the best path back to the source IP exits the same interface the packet arrived on. This catches spoofed sources but also drops legitimate traffic when routing is asymmetric, so it belongs on edges where the return path is known to be symmetric (for example single-homed customer links).
2. Loose Mode:
Using CEF, the router verifies that the source IP is reachable via ANY interface, i.e. that a route to it exists at all. A source whose route points to Null0 fails the check, which is what makes loose mode useful for source-based remotely triggered black holing. In both modes a source that matches only the default route is dropped unless the allow-default keyword is added to the command.
Verify command:
TPA-RT01#show ip interface {INTERFACE} | include verify
  IP verify source reachable-via RX
Configure modes:
Strict mode:
TPA-RT01(config)#int {INTERFACE}
TPA-RT01(config-if)#ip verify unicast source reachable-via rx
Loose mode:
TPA-RT01(config)#int {INTERFACE}
TPA-RT01(config-if)#ip verify unicast source reachable-via any
Look for dropped packets:
TPA-RT01#show ip interface {INTERFACE} | include drops
  0 verification drops
  0 suppressed verification drops
Look at the CEF table (an exact lookup of 10.0.0.0/24 fails because the FIB only holds more specific /32 entries, so use longer-prefixes):
TPA-RT01#show ip cef 10.0.0.0 255.255.255.0
%Prefix not found
TPA-RT01#show ip cef 10.0.0.0 255.255.255.0 longer-prefixes
Prefix              Next Hop             Interface
10.0.0.1/32         receive
10.0.0.2/32         10.0.1.2             FastEthernet0/1
10.0.0.3/32         10.0.1.6             FastEthernet1/0
10.0.0.4/32         10.0.1.2             FastEthernet0/1
10.0.0.5/32         10.0.1.23            FastEthernet0/0
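To make the strict/loose distinction and the CEF lookup concrete, here is a small Python model of the uRPF check. This is an added example, not code from the original page or from Cisco. It does a longest-prefix match over a constructed FIB that reuses the 10.0.0.x/32 entries and interfaces from the show ip cef output above and adds three assumed entries (an ECMP prefix, a Null0 black hole and a default route) so that the asymmetric-routing drop, the Null0 drop and the allow-default behaviour can all be exercised. The extra prefixes, the packets in the demo and the reason strings are assumptions for illustration.

```python
"""Model of Cisco uRPF strict ("rx") and loose ("any") source checks. Added example."""
import ipaddress
from typing import List, Optional, Sequence, Tuple

# FIB entry: (prefix, egress interfaces CEF would use to reach it).
# ("Null0",) marks a black-holed prefix; several interfaces model ECMP.
Entry = Tuple[str, Tuple[str, ...]]

# Constructed FIB. The 10.0.0.x/32 entries mirror the "show ip cef ...
# longer-prefixes" output on this page; the last three are assumptions added
# to exercise the edge cases (ECMP prefix, RTBH black hole, default route).
FIB: List[Entry] = [
    ("10.0.0.2/32", ("FastEthernet0/1",)),
    ("10.0.0.3/32", ("FastEthernet1/0",)),
    ("10.0.0.4/32", ("FastEthernet0/1",)),
    ("10.0.0.5/32", ("FastEthernet0/0",)),
    ("192.0.2.0/24", ("FastEthernet0/1", "FastEthernet1/0")),  # assumed ECMP prefix
    ("198.51.100.0/24", ("Null0",)),                          # assumed black-holed source
    ("0.0.0.0/0", ("FastEthernet0/0",)),                      # assumed default route
]


def longest_match(fib: Sequence[Entry], src: str) -> Optional[Tuple[ipaddress.IPv4Network, Tuple[str, ...]]]:
    """Return the most specific FIB entry covering src, or None if nothing matches."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifaces in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best


def urpf_check(fib: Sequence[Entry], src: str, ingress: str, mode: str,
               allow_default: bool = False) -> Tuple[bool, str]:
    """Decide whether a packet from src arriving on ingress passes uRPF.

    mode is "rx" (strict) or "any" (loose), matching the keyword in
    'ip verify unicast source reachable-via'. allow_default models the
    optional allow-default keyword. Returns (forward, reason).
    """
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' (strict) or 'any' (loose)")
    match = longest_match(fib, src)
    if match is None:
        return False, "no route to source"
    net, ifaces = match
    # Without allow-default, a source covered only by 0.0.0.0/0 fails in both modes.
    if net.prefixlen == 0 and not allow_default:
        return False, "source matched only the default route (allow-default not set)"
    # A source routed to Null0 fails in both modes; this is how loose-mode
    # uRPF implements source-based remotely triggered black holing.
    if ifaces == ("Null0",):
        return False, "source is black-holed (Null0)"
    via = ",".join(ifaces)
    if mode == "any":
        return True, f"loose: source reachable via {via}"
    if ingress in ifaces:
        return True, f"strict: reverse path {via} includes ingress {ingress}"
    return False, f"strict: reverse path is {via}, packet arrived on {ingress}"


if __name__ == "__main__":
    # Constructed packets: (source, ingress interface, mode, allow_default)
    packets = [
        ("10.0.0.2", "FastEthernet0/1", "rx", False),       # legitimate, symmetric
        ("10.0.0.2", "FastEthernet0/0", "rx", False),       # spoofed or asymmetric
        ("10.0.0.2", "FastEthernet0/0", "any", False),      # loose lets it through
        ("198.51.100.7", "FastEthernet0/0", "any", False),  # black-holed source
        ("203.0.113.9", "FastEthernet0/0", "any", False),   # only the default route
        ("203.0.113.9", "FastEthernet0/0", "any", True),    # ... with allow-default
    ]
    for src, ingress, mode, allow in packets:
        ok, why = urpf_check(FIB, src, ingress, mode, allow)
        print(f"{src:>14} on {ingress:<16} {mode:<3} -> {'forward' if ok else 'drop':<7} ({why})")
```

The two checks the router makes are visible in the last lines of urpf_check: loose mode stops after confirming a usable route exists, strict mode additionally compares that route's egress interface(s) with the ingress interface, which is exactly why strict mode drops legitimate traffic on asymmetric paths.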