Cisco ASA RPF / query

secureIT
Level 4

Dear Team,

I wonder if there is any service impact on the traffic or high CPU if we configure the below on the ASA?

I know it won't impact, but only to confirm. Would like to hear the pros and cons.

ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz

Regards

Rajesh

Accepted Solutions

James Leinweber
Level 4

In most situations this is a very good idea, as it helps suppress traffic which is either malicious or mistaken. It will use very little CPU; only a tiny bit on the slow path when the first packet in a flow is processed, and none on the fast path for subsequent packets which match existing xlate entries.

The main potential downside is that in some complex topologies with asymmetric routing due to multiple ASAs with multiple upstream ISPs, it might suppress legitimate traffic.

-- Jim Leinweber, WI State Lab of Hygiene
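
An added illustration, not part of the original thread: a simplified Python model of the reverse-path check discussed above, showing the spoofed and mistaken sources it suppresses and the asymmetric-routing case where legitimate traffic is dropped. The routing table, the interface names (including the hypothetical outside2) and the packets are constructed assumptions, and the model covers only the route lookup, not the ASA's own implementation.

```python
import ipaddress

# Constructed routing table for a hypothetical firewall: (prefix, egress interface).
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("10.1.0.0/16", "inside"),
    ("192.0.2.0/24", "dmz"),
    ("198.51.100.0/24", "outside2"),  # partner range routed via a second ISP
]
TABLE = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES]


def route_interface(addr):
    """Longest-prefix match: interface the firewall would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, ifc) for net, ifc in TABLE if ip in net]
    return max(matches)[1] if matches else None


def rpf_check(src, ingress, rpf_interfaces):
    """Strict reverse-path check applied to the first packet of a flow.

    Passes when the route back to src points out the interface the packet
    arrived on, or when the check is not enabled on that interface.
    """
    if ingress not in rpf_interfaces:
        return True
    return route_interface(src) == ingress


def evaluate(packets, rpf_interfaces):
    """Return {label: 'pass' | 'drop'} for (label, src, ingress) tuples."""
    return {label: "pass" if rpf_check(src, ifc, rpf_interfaces) else "drop"
            for label, src, ifc in packets}


# Constructed first packets of four flows.
PACKETS = [
    ("internet client", "203.0.113.7", "outside"),            # default route matches
    ("inside source seen on outside", "10.1.5.9", "outside"),  # spoofed source
    ("unrouted source on inside", "172.16.4.4", "inside"),     # mistaken/misconfigured
    ("partner via other ISP", "198.51.100.20", "outside"),     # asymmetric path
]

if __name__ == "__main__":
    for label, verdict in evaluate(PACKETS, {"outside", "inside", "dmz"}).items():
        print(f"{verdict:5} {label}")
```

The last packet is the false positive the answer warns about: the source is legitimate, but the return route points out a different interface than the one it arrived on.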
