Hi John,

John · ‎01-28-2016

what is the best practice for implementing the anti spoofing in inside or outside? what would be cause if we implemented?

Syed Taukir · ‎01-28-2016

You may check the link from the post

https://supportforums.cisco.com/discussion/10436756/asa-spoofing

http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html#anc104

--For ACL's they have to be applied from outside to inside denying RFC1918.

--IP Source guard, DAI and other features need to be applied on the inside.

--For uRPF and ACL logging (ACL log keyword), they require special CPU processing and are process switched by the CPU.

HTH

Syed

Philip D'Ath · ‎01-28-2016

Can you give us a hint what kind of device you have?

John · ‎01-28-2016

ASA 5500 Firewall

Philip D'Ath · ‎01-28-2016

I usually enable it on all interfaces with:

ip verify reverse-path interface <interface>

John · ‎02-08-2016

what would be the impact in our network infrastracture if we run this command?

ip verify reverse-path interface <interface>

Philip D'Ath · ‎02-08-2016

It will drop traffic coming in from that interface that does not have an IP address coming from that subnet, or that would be routed via that subnet.

John · ‎02-08-2016

is there any effect in resources like memory and cpu utilization?. is their any documents?

Philip D'Ath · ‎02-08-2016

The impact is pretty much unmeasurable. I always use it.

Here is the manual entry for it:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i3.html#pgfId-1915749

mvsheik123 · ‎02-08-2016

Hi John,

Enabling this feature should not cause any cpu/memory usage hike. However, per Cisco doc, it may drop legitimate traffic.I never noticed any -ve impact thoughssues though. Check the below link...

http://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html

hth

MS