Cisco uRPF

Let’s first talk about what happens when a router receives a unicast IP packet. In order to route that packet, the router asks itself, “What is the destination IP address, and how do I forward this packet there?”

So the router looks the destination up in its routing table and forwards the packet toward it. The important thing to notice is that the router doesn’t care about the source IP address. Routing is destination based: where do you want to go, here’s how to get there. The source is not important. Because of this, source address spoofing becomes a big problem, especially when it comes to DDoS attacks.

Cisco and other vendors offer an option called uRPF, or Unicast Reverse Path Forwarding, to mitigate this issue. As you can guess, it verifies the source IP address of incoming packets. How does it verify this? On Cisco, it uses CEF: Cisco Express Forwarding switching must be enabled for Unicast RPF to function. uRPF is also configured on a per-interface basis.

There are two modes for uRPF:

1. Strict Mode:
Using CEF, the router verifies that the source IP address is reachable via the same interface the packet arrived on (the interface the router itself would use to reach that source). If not, the packet is dropped.

2. Loose Mode:
Using CEF, the router verifies that the source IP address is reachable via ANY interface in the routing table.
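To make the difference between the two modes concrete, here is an added Python model of the uRPF decision (example code written for this post, not Cisco's implementation). It assumes a constructed FIB of (prefix, egress interface) pairs, does a longest-prefix match on the source address the way CEF would, and applies either the strict (rx) or loose (any) rule. It also mirrors the IOS behaviour that a match on the default route only counts when the allow-default keyword is configured, and keeps a drop counter like the "verification drops" line in show ip interface.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample FIB (not from the original post): (prefix, egress interface).
SAMPLE_FIB: List[Tuple[str, str]] = [
    ("10.0.0.0/8", "FastEthernet0/0"),
    ("192.168.1.0/24", "FastEthernet0/1"),
    ("192.168.2.0/24", "FastEthernet1/0"),
    ("0.0.0.0/0", "FastEthernet0/0"),  # default route
]


def lookup(fib: List[Tuple[str, str]], src: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match on the source address; returns (network, egress interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib: List[Tuple[str, str]], ingress: str, src: str,
               mode: str, allow_default: bool = False) -> bool:
    """Return True if the packet passes uRPF, False if the router would drop it.

    mode "rx"  = strict: the best route to the source must point back out the ingress interface.
    mode "any" = loose:  any route to the source (on any interface) is enough.
    A match on the default route (/0) is ignored unless allow_default is set,
    which models the IOS 'allow-default' keyword.
    """
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' (strict) or 'any' (loose)")
    match = lookup(fib, src)
    if match is None:
        return False  # no route to the source at all: fail in both modes
    net, egress = match
    if net.prefixlen == 0 and not allow_default:
        return False  # only the default route matched: not a valid reverse path
    if mode == "any":
        return True
    return egress == ingress


def count_drops(fib: List[Tuple[str, str]], packets: List[Tuple[str, str]],
                mode: str, allow_default: bool = False) -> int:
    """Apply uRPF to a list of (ingress interface, source IP) packets and count the drops."""
    return sum(1 for ingress, src in packets
               if not urpf_check(fib, ingress, src, mode, allow_default))


# Constructed sample traffic: a legitimate host, a spoofed source arriving on the
# wrong interface, and a source reachable only via the default route.
SAMPLE_PACKETS = [
    ("FastEthernet0/1", "192.168.1.10"),
    ("FastEthernet0/0", "192.168.1.10"),  # spoofed: 192.168.1.0/24 lives behind Fa0/1
    ("FastEthernet0/0", "8.8.8.8"),       # only the default route matches
]

if __name__ == "__main__":
    for mode in ("rx", "any"):
        print(f"{mode}: {count_drops(SAMPLE_FIB, SAMPLE_PACKETS, mode)} verification drops")
```

Strict mode drops two of the three sample packets (the spoofed one and the default-route one); loose mode only drops the default-route one, and allow_default lets even that one through. Running the model against your own prefixes is a quick way to predict which legitimate traffic strict mode would break on an asymmetrically routed interface before you enable it.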

Verify Command:

TPA-RT01#show ip interface {INTERFACE} | include verify
  IP verify source reachable-via RX

Configure Modes:
Strict Mode:

  ip verify unicast source reachable-via rx

Loose Mode:

  ip verify unicast source reachable-via any

Look for dropped packets:

TPA-RT01#show ip interface {INTERFACE} | include drops
  0 verification drops
  0 suppressed verification drops

Look at the CEF table:

TPA-RT01# show ip cef
%Prefix not found
Router# show ip cef longer-prefixes
Prefix              Next Hop             Interface
                                         receive
                                         FastEthernet0/1
                                         FastEthernet1/0
                                         FastEthernet0/1
                                         FastEthernet0/0