Chapter 13, “Unicast Reverse Path Forwarding” – Cisco 10000 User Manual


CHAPTER 13
Unicast Reverse Path Forwarding

Cisco 10000 Series Router Software Configuration Guide, OL-2226-23, page 13-11

Cisco integrated security systems incorporate a comprehensive selection of feature-rich security
services, offering commercial, enterprise and service provider customers the ability to deploy trusted and
protected business applications and services.

Threat defense is a critical aspect of an integrated security approach and involves the implementation of
proactive measures. One valuable threat defense tool is unicast Reverse Path Forwarding (uRPF).

The key function of uRPF is to verify that the path of an incoming packet is consistent with the local
packet forwarding information. This is achieved by performing a reverse path look-up (hence the
feature’s name) using the source IP address of an incoming packet to determine the current path
(adjacency) to that IP address. The validity of this path determines whether uRPF passes or drops the
packet.

The specific uRPF path validation criteria used to determine path consistency depend on the
particular uRPF mode enabled on an interface. Table 13-1 shows the two uRPF modes supported by
Cisco 10000 series routers.

If the path is:
  Valid—the packet will be passed.
  Invalid—the packet is silently discarded.

uRPF uses the Cisco Express Forwarding (CEF) Forwarding Information Base (FIB) to perform the reverse
path look-up on the source IP address of an incoming packet. The CEF FIB is a database of network layer
routing information and the associated forwarding/adjacency information used in the CEF switching of
packets. The CEF FIB is populated with the path for all known IP prefixes and their associated
adjacencies, and is thus a key element of uRPF reverse path validation. Once enabled on an interface,
uRPF checks all IP packets on the input path of that interface.

Table 13-1    Three uRPF Modes

uRPF Mode   Path Resolution Table   uRPF Path Selection Criteria
---------   ---------------------   ------------------------------------------
Strict      CEF FIB                 Path to the source IP address must be
                                    through the SAME interface as that on
                                    which the packet arrived
Loose       CEF FIB                 Path to the source IP address is through
                                    any interface on the device
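The following is an added illustration, not Cisco code: a small Python model of the reverse path look-up described above, with the strict and loose selection criteria from Table 13-1 applied to a constructed FIB. The FIB entries, interface names and source addresses are made up for the example; the default-route handling (ignored unless the operator explicitly allows it, as IOS does with the allow-default option) is an assumption stated in the comments.

```python
from ipaddress import ip_address, ip_network

# Constructed FIB for the example: prefix -> outgoing interface (adjacency).
# Not taken from the manual; the interface names are placeholders.
FIB = {
    "10.1.0.0/16":   "Gi1/0/0",
    "10.1.5.0/24":   "Gi2/0/0",   # more specific route via a different interface
    "192.0.2.0/24":  "Gi3/0/0",
    "0.0.0.0/0":     "Gi3/0/0",   # default route
}


def fib_lookup(fib, addr, allow_default=False):
    """Longest-prefix match on the source address, as the CEF FIB does.

    Returns (network, interface) or None when no path exists. The default
    route is skipped unless allow_default is True, mirroring the IOS
    behaviour where uRPF does not count 0.0.0.0/0 as a valid reverse path
    unless allow-default is configured (assumption documented in the lead-in).
    """
    ip = ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib, src, ingress, mode, allow_default=False):
    """Return True if the packet passes uRPF, False if it would be silently dropped.

    strict: the reverse path must point out the SAME interface the packet arrived on.
    loose:  any resolvable path through any interface is enough.
    """
    hit = fib_lookup(fib, src, allow_default)
    if hit is None:
        return False            # no path to the source at all: dropped in both modes
    _, iface = hit
    if mode == "strict":
        return iface == ingress
    if mode == "loose":
        return True
    raise ValueError(f"unknown uRPF mode: {mode}")


if __name__ == "__main__":
    # 10.1.5.7 resolves to Gi2/0/0 (longest match), so arriving on Gi1/0/0
    # passes only in loose mode; this is the asymmetric-routing case.
    print("strict via Gi1/0/0:", urpf_check(FIB, "10.1.5.7", "Gi1/0/0", "strict"))
    print("loose  via Gi1/0/0:", urpf_check(FIB, "10.1.5.7", "Gi1/0/0", "loose"))
```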
