10-07-2007 10:03 PM - edited 03-03-2019 07:04 PM
Hi,
Can you specify what exactly this command does: "ip verify unicast rpf"?
Because when I remove this command on one of my interfaces, I start receiving checksum error messages.
Is there any other alternative for this command?
Thanks in advance.
10-07-2007 10:38 PM
Hi,
This is a security feature used as a best-practice standard configuration to prevent spoof attacks.
When you put this command under an IP interface, whenever the router/switch receives incoming traffic on this interface, it does the following:
1) It will take the source IP address it sees on the incoming packets.
2) It checks the IP routing table to see whether this interface is the outbound interface to reach that source IP.
3) If the check in step 2 is a success, then the router/switch will allow that packet for processing and further transmission.
4) If the check in step 2 fails, then it might be an indicator of a spoofed packet claiming a false source IP address, hence the packet will be dropped.
Due to this nature, we should be very careful when applying this command if the network has any asymmetric routing.
Please provide more captures/CLI outputs related to your checksum error messages, to verify the problem in your scenario.
Hope this helps.
-VJ
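The four-step check described in the reply above, as an added example that is not part of the original thread and is not Cisco's implementation: a Python model of the strict check, extended to the loose `reachable-via any` form that appears in the follow-up question. The routing table, interface names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed routing table: (prefix, outbound interface). Not from the thread.
ROUTES = [
    ("10.1.0.0/16", "Gi0/0"),
    ("10.1.5.0/24", "Gi0/1"),   # more specific route wins over the /16
    ("192.0.2.0/24", "Gi0/2"),
]

def lookup(src, routes=ROUTES):
    """Longest-prefix match: return the outbound interface toward src, or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_check(src, in_iface, mode="strict", routes=ROUTES):
    """Return True if the packet passes the check, False if it is dropped.

    strict: the route back to src must point out the receiving interface
            (steps 1-4 of the reply above).
    loose:  any route to src is enough (the "reachable-via any" form).
    """
    out_iface = lookup(src, routes)          # steps 1 and 2
    if out_iface is None:
        return False                         # no route to the source at all
    if mode == "loose":
        return True
    return out_iface == in_iface             # step 3 (pass) or step 4 (drop)

if __name__ == "__main__":
    packets = [                              # constructed (source IP, arrival interface)
        ("10.1.2.3", "Gi0/0"),               # symmetric path
        ("10.1.5.9", "Gi0/0"),               # asymmetric: return route is Gi0/1
        ("203.0.113.7", "Gi0/2"),            # source with no route
    ]
    for src, iface in packets:
        print(src, iface,
              "strict:", urpf_check(src, iface, "strict"),
              "loose:", urpf_check(src, iface, "loose"))
```

The second packet is legitimate traffic arriving over an asymmetric path: the strict check drops it and the loose check passes it, which is the caution raised in the reply.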
10-28-2007 08:26 AM
What is the difference between this command and the one with vrf in it:
ip verify unicast source reachable-via any allow-self-ping
Can this command be used with VRF interfaces?