Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
24908
Views
25
Helpful
14
Replies

ip verify unicast source reachable-via rx

Go to solution
lcaruso
Level 6
Level 6

‎07-30-2011 09:39 AM - edited ‎03-04-2019 01:08 PM

Hi,

I tried using this command on the outside interface of my 887VA dsl interface and it stopped all traffic until I removed it. 

interface ATM0.1 point-to-point
 ip address a.b.c.d 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip verify unicast source reachable-via rx
 atm route-bridged ip
 pvc 0/35 
  encapsulation aal5snap

Is there a way to implement anti-spoofing on this interface or a way to use this command so it works?

Thanks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎07-30-2011 10:13 AM

Hello,

Perhaps you need to use the following form:

ip verify unicast source reachable-via rx allow-default

Withot the allow-default, the command will not use the default route for RPF check. Using allow-default, the command allows the RPF check to also accept packets arriving at that interface which match a default route that points back through the same interface.

Best regards,

Peter

View solution in original post

14 Replies 14

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎07-30-2011 10:13 AM

Hello,

Perhaps you need to use the following form:

ip verify unicast source reachable-via rx allow-default

Withot the allow-default, the command will not use the default route for RPF check. Using allow-default, the command allows the RPF check to also accept packets arriving at that interface which match a default route that points back through the same interface.

Best regards,

Peter

Go to solution
lcaruso
Level 6
Level 6
In response to Peter Paluch

‎07-30-2011 10:58 AM

Thanks much! That that did it.

0 Helpful

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to lcaruso

‎07-30-2011 11:00 AM

Hello,

I am glad to have helped!

Best regards,

Peter

0 Helpful

Go to solution
Leo Gal
Level 1
Level 1
In response to Peter Paluch

‎05-17-2018 09:27 AM

Hi Peter

 

I would like to ask one more additional question to this topic please.

Does

ip verify unicast source reachable-via rx

have any impact if used with allow-default option? (presuming that DG is pointing to the interface)

Cause from my pov it will allow everything that comes in from

the interface to which the DG is pointing. 

So removing the command ip verify source unicast reachable-via rx allow-default

will basically do the same as having it there => allow all the traffic.

Can you please help understand?

Thank you

LG

0 Helpful

Go to solution
e.ciollaro
Level 4
Level 4
In response to Leo Gal

‎05-17-2018 01:25 PM

Hi
configuring uRPF in this way can avoid ip spoofing, during an IP spoofing attempt, the attacker fakes his source address in order to appear as part of your internal network. Using uRPF you can block this kind of traffic. Another way to obtain the same goal is using ACL.
Usually at least the folliwng class are dropped: 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4.

Bye,
enrico.

PS rate if useful

Go to solution
e.ciollaro
Level 4
Level 4
In response to e.ciollaro

‎05-17-2018 09:59 PM

Sorry I had some problem with browser and the post appears three time :-(
0 Helpful

Go to solution
Leo Gal
Level 1
Level 1
In response to e.ciollaro

‎05-18-2018 01:40 AM

that happens, no problem.

 

Just for confirmation

if I use 

ip verify source unicast reachable-via rx 

on intf where my DG is pointing to (intf X) WITHOUT allow-default, the router would need to have the fib entry for each and every source IP that comes in and that entry would need to be pointing to intf X.

(which is not feasible, unless the router learns the whole inet table)

If I use allow-default option, the router is happy to use my DG for RPF checks of source IPs and lets

everything in except the sources you mentioned. 

Do I understand it correctly, that rx allow-default means that the DG must be pointing to the interface I am receiving the packets on?

If I had the DG pointing to intf A and I configured xxxx ANY allow-default on intf B , would that work?

 

Thanks for your time!

LG

 

 

Go to solution
e.ciollaro
Level 4
Level 4
In response to Leo Gal

‎05-18-2018 02:30 AM

Hi,

"if I use
ip verify source unicast reachable-via rx
on intf where my DG is pointing to (intf X) WITHOUT allow-default, the router would need to have the fib entry for each and every source IP that comes in and that entry would need to be pointing to intf X.
(which is not feasible, unless the router learns the whole inet table)"

Correct

 

"If I use allow-default option, the router is happy to use my DG for RPF checks of source IPs and lets everything in except the sources you mentioned. "

Yes if, of course, the default route point the intX. Note that packets with source ip address 10.x.x.x or 192.168.x.x are dropped unless, for some reason, you have a route for that network using itfX

 

"Do I understand it correctly, that rx allow-default means that the DG must be pointing to the interface I am receiving the packets on?"

Yes

 

"If I had the DG pointing to intf A and I configured xxxx ANY allow-default on intf B , would that work?"

Yes this is the so called loos mode but I think it's not a good idea.

 

Finally consider that you can configure "exceptions" using an ACL:

   ip verify unicast source reachable-via rx allow-default <acl>

 

This way traffic that would be dropped is forwarded if match a permit clause in the ACL

"If an ACL is specified in the command, when (and only when) a packet fails the Unicast RPF check, the ACL is checked to determine whether the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). Whether a packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for Unicast RPF drops and in the interface statistics for Unicast RPF. " http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#wp1745281618

 

Bye,

e

Go to solution
Leo Gal
Level 1
Level 1
In response to e.ciollaro

‎05-18-2018 02:35 AM

Fantastic!!!!

thank you very much.

Best regards

Leo

0 Helpful

Go to solution
e.ciollaro
Level 4
Level 4
In response to Leo Gal

‎05-18-2018 02:43 AM

you're welcome :-)

enrico
0 Helpful

Go to solution
randreetta
Level 1
Level 1
In response to Leo Gal

‎07-01-2021 04:03 AM

... exactly, it's like not having configured anything at all. So why configuring it ? It looks like nobody answered your question, because nobody understood it.

 

0 Helpful

Go to solution
paul driver
VIP
VIP
In response to randreetta

‎07-01-2021 05:13 AM - edited ‎07-01-2021 05:14 AM

Hello @randreetta 
You wouldn’t apply strict mode and allow default on a single rtr with a single wan interface but you could append strict mode only to a lan interface of the same rtr and maybe loose mode with allow-default on asymmetric links, (meaning traffic egress one path and ingress via an alternative path)


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Go to solution
e.ciollaro
Level 4
Level 4
In response to Leo Gal

‎05-17-2018 01:28 PM

Hi
configuring uRPF check in this way can avoid ip spoofing, during an IP spoofing attempt, the attacker fakes his source address in order to appear as part of your internal network. Using uRPF you can block this kind of traffic. Another way to obtain the same goal is using ACL.
Usually at least the folliwng class are dropped: 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4.

Bye,
enrico.

PS rate if useful
0 Helpful

Go to solution
e.ciollaro
Level 4
Level 4
In response to Leo Gal

‎05-17-2018 01:30 PM

Hi
configuring uRPF check in this way can avoid ip spoofing, during an IP spoofing attempt, the attacker fakes his source address in order to appear as part of your internal network. Using uRPF you can block this kind of traffic. Another way to obtain the same goal is using ACL.
Usually at least the following class are dropped: 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4.

Bye,
enrico.

PS rate if useful

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card