04-05-2015 09:26 AM - edited 03-11-2019 10:44 PM
Hello all,
Quick question, and advance apologies if this is the wrong place to post this. Trying to understand Unicast Reverse Path Forwarding, I have to ask: what is the difference between using the two methods below, if any? Thank you all in advance for your time to read and help a stranger out.
access-list 101 deny 10.0.0.0 0.255.255.255 any
access-list 101 deny 172.16.0.0 0.15.255.255 any
access-list 101 deny 192.168.0.0 0.0.255.255 any
access-list 101 permit ip any any
interface FastEthernet 4
description WAN/Outside Zone
ip verify unicast source reachable-via rx 101
versus
interface FastEthernet 4
description WAN/Outside Zone
ip access-group 101 in
04-05-2015 01:22 PM
This command checks the incoming packet's source IP, matches it against the routing table, and sees whether that network is reachable only through that interface.
Example
If you have this route in the routing table:
192.168.1.0/24 via gi0/0
then traffic from 192.168.1.2 should only come in via gi0/0. This is called strict mode.
04-05-2015 02:50 PM
Thanks for the reply. Would not both methods (uRPF and a static ACL) prevent spoofed traffic from the private IP ranges from ingressing on the WAN interface?
04-05-2015 03:01 PM
Well, uRPF is an intelligent way of avoiding spoofed traffic, whereas configuring a static ACL is difficult unless you know all the ACEs you need to create. The RPF feature can do it intelligently with the help of the routing table. uRPF can also help in avoiding traffic loops where a route comes back looping from the wrong interface.
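To make the strict-mode check from the earlier reply and the uRPF-versus-ACL comparison in this one concrete, here is an added Python model that is not part of the thread or of any Cisco code. It assumes a constructed routing table (only the 192.168.1.0/24 via gi0/0 route comes from the thread; the default route via the WAN and the 198.51.100.0/24 block are made up), evaluates the OP's access-list 101 by first match, and models the three configurations in question: plain strict uRPF, strict uRPF with the ACL attached, and the ACL alone applied inbound. For the attached-ACL case it follows the IOS behaviour that the ACL is consulted only after the RPF check fails, with permit meaning "forward anyway" and deny meaning "drop".

```python
"""Strict-mode uRPF versus a static ingress ACL (constructed example, not thread code)."""
import ipaddress

# Constructed routing table: prefix -> exit interface. Only the 192.168.1.0/24
# entry is taken from the thread; the other two are assumptions for illustration.
ROUTES = {
    "0.0.0.0/0": "FastEthernet4",             # default route points at the WAN
    "192.168.1.0/24": "GigabitEthernet0/0",   # inside LAN (from the reply above)
    "198.51.100.0/24": "GigabitEthernet0/1",  # constructed public block on the inside
}


def lookup_route(src):
    """Longest-prefix match for a source address; returns the exit interface or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_strict(src, ingress):
    """Strict uRPF: the best route to the source must point back out the ingress interface."""
    return lookup_route(src) == ingress


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an ip_network (contiguous wildcards only)."""
    wc = int(ipaddress.ip_address(wildcard))
    mask = (~wc) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)


# The OP's access-list 101 as ordered (action, source network) entries.
ACL_101 = [
    ("deny", wildcard_to_network("10.0.0.0", "0.255.255.255")),
    ("deny", wildcard_to_network("172.16.0.0", "0.15.255.255")),
    ("deny", wildcard_to_network("192.168.0.0", "0.0.255.255")),
    ("permit", ipaddress.ip_network("0.0.0.0/0")),
]


def acl_action(src, acl=ACL_101):
    """First-match evaluation on the source address, with the implicit deny at the end."""
    addr = ipaddress.ip_address(src)
    for action, net in acl:
        if addr in net:
            return action
    return "deny"


def ingress_acl_decision(src):
    """'ip access-group 101 in': forward only what the ACL permits."""
    return "forward" if acl_action(src) == "permit" else "drop"


def urpf_decision(src, ingress, acl=None):
    """'ip verify unicast source reachable-via rx [101]': the RPF check runs first.
    Without an ACL, a failed check drops the packet. With an ACL attached, only a
    packet that failed the check is matched against it: permit forwards it anyway,
    deny drops it (IOS semantics, modelled here as an assumption of the example)."""
    if urpf_strict(src, ingress):
        return "forward"
    if acl is None:
        return "drop"
    return "forward" if acl_action(src, acl) == "permit" else "drop"


def compare(packets):
    """Decision of all three configurations for each (source, ingress interface) pair."""
    return {
        (src, ingress): (
            urpf_decision(src, ingress),           # strict uRPF, no ACL
            urpf_decision(src, ingress, ACL_101),  # strict uRPF with ACL 101 attached
            ingress_acl_decision(src),             # ACL 101 applied inbound on its own
        )
        for src, ingress in packets
    }


# Constructed sample packets: (source address, interface it arrived on).
SAMPLE = [
    ("192.168.1.2", "FastEthernet4"),      # private source spoofed from the WAN
    ("198.51.100.7", "FastEthernet4"),     # inside public block spoofed from the WAN
    ("203.0.113.9", "FastEthernet4"),      # ordinary Internet source on the WAN
    ("192.168.1.2", "GigabitEthernet0/0"), # legitimate LAN host on its own interface
]

if __name__ == "__main__":
    print("source           ingress              uRPF   uRPF+101  ACL101")
    for (src, ingress), (u, ua, a) in compare(SAMPLE).items():
        print(f"{src:16} {ingress:20} {u:6} {ua:9} {a}")
```

The second sample line is the one worth studying: a packet from the inside 198.51.100.0/24 block arriving on the WAN fails strict uRPF and is dropped, the static ACL lets it through because it only lists the RFC 1918 ranges, and uRPF with ACL 101 attached also lets it through because the ACL's `permit ip any any` exempts every non-private source from the failed check. The fourth line shows the opposite case: the same ACL evaluated inbound on the LAN interface would drop legitimate local traffic that uRPF correctly accepts.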