cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
27683
Views
25
Helpful
14
Replies

ip verify unicast source reachable-via rx

lcaruso
Level 6
Level 6

Hi,

I tried using this command on the outside interface of my 887VA dsl interface and it stopped all traffic until I removed it.

interface ATM0.1 point-to-point

ip address a.b.c.d 255.255.255.252

no ip redirects

no ip unreachables

no ip proxy-arp

ip accounting access-violations

ip verify unicast source reachable-via rx

atm route-bridged ip

pvc 0/35

  encapsulation aal5snap

Is there a way to implement anti-spoofing on this interface or a way to use this command so it works?

Thanks.

1 Accepted Solution

Accepted Solutions

Peter Paluch
Cisco Employee
Cisco Employee

Hello,

Perhaps you need to use the following form:

ip verify unicast source reachable-via rx allow-default

Withot the allow-default, the command will not use the default route for RPF check. Using allow-default, the command allows the RPF check to also accept packets arriving at that interface which match a default route that points back through the same interface.

Best regards,

Peter

View solution in original post

14 Replies 14

Peter Paluch
Cisco Employee
Cisco Employee

Hello,

Perhaps you need to use the following form:

ip verify unicast source reachable-via rx allow-default

Withot the allow-default, the command will not use the default route for RPF check. Using allow-default, the command allows the RPF check to also accept packets arriving at that interface which match a default route that points back through the same interface.

Best regards,

Peter

Thanks much! That that did it.

Hello,

I am glad to have helped!

Best regards,

Peter

Hi Peter

 

I would like to ask one more additional question to this topic please.

Does

ip verify unicast source reachable-via rx

have any impact if used with allow-default option? (presuming that DG is pointing to the interface)

Cause from my pov it will allow everything that comes in from

the interface to which the DG is pointing. 

So removing the command ip verify source unicast reachable-via rx allow-default

will basically do the same as having it there => allow all the traffic.

Can you please help understand?

Thank you

LG

Hi
configuring uRPF in this way can avoid ip spoofing, during an IP spoofing attempt, the attacker fakes his source address in order to appear as part of your internal network. Using uRPF you can block this kind of traffic. Another way to obtain the same goal is using ACL.
Usually at least the folliwng class are dropped: 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4.

Bye,
enrico.

PS rate if useful

Sorry I had some problem with browser and the post appears three time :-(

that happens, no problem.

 

Just for confirmation

if I use 

ip verify source unicast reachable-via rx 

on intf where my DG is pointing to (intf X) WITHOUT allow-default, the router would need to have the fib entry for each and every source IP that comes in and that entry would need to be pointing to intf X.

(which is not feasible, unless the router learns the whole inet table)

If I use allow-default option, the router is happy to use my DG for RPF checks of source IPs and lets

everything in except the sources you mentioned. 

Do I understand it correctly, that rx allow-default means that the DG must be pointing to the interface I am receiving the packets on?

If I had the DG pointing to intf A and I configured xxxx ANY allow-default on intf B , would that work?

 

Thanks for your time!

LG

 

 

Hi,

"if I use
ip verify source unicast reachable-via rx
on intf where my DG is pointing to (intf X) WITHOUT allow-default, the router would need to have the fib entry for each and every source IP that comes in and that entry would need to be pointing to intf X.
(which is not feasible, unless the router learns the whole inet table)"

Correct

 

"If I use allow-default option, the router is happy to use my DG for RPF checks of source IPs and lets everything in except the sources you mentioned. "

Yes if, of course, the default route point the intX. Note that packets with source ip address 10.x.x.x or 192.168.x.x are dropped unless, for some reason, you have a route for that network using itfX

 

"Do I understand it correctly, that rx allow-default means that the DG must be pointing to the interface I am receiving the packets on?"

Yes

 

"If I had the DG pointing to intf A and I configured xxxx ANY allow-default on intf B , would that work?"

Yes this is the so called loos mode but I think it's not a good idea.

 

Finally consider that you can configure "exceptions" using an ACL:

   ip verify unicast source reachable-via rx allow-default <acl>

 

This way traffic that would be dropped is forwarded if match a permit clause in the ACL

"If an ACL is specified in the command, when (and only when) a packet fails the Unicast RPF check, the ACL is checked to determine whether the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). Whether a packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for Unicast RPF drops and in the interface statistics for Unicast RPF. " http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#wp1745281618

 

Bye,

e

Fantastic!!!!

thank you very much.

Best regards

Leo

you're welcome :-)

enrico

... exactly, it's like not having configured anything at all. So why configuring it ? It looks like nobody answered your question, because nobody understood it.

 

Hello @randreetta 
You wouldn’t apply strict mode and allow default on a single rtr with a single wan interface but you could append strict mode only to a lan interface of the same rtr and maybe loose mode with allow-default on asymmetric links, (meaning traffic egress one path and ingress via an alternative path)


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi
configuring uRPF check in this way can avoid ip spoofing, during an IP spoofing attempt, the attacker fakes his source address in order to appear as part of your internal network. Using uRPF you can block this kind of traffic. Another way to obtain the same goal is using ACL.
Usually at least the folliwng class are dropped: 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4.

Bye,
enrico.

PS rate if useful

Hi
configuring uRPF check in this way can avoid ip spoofing, during an IP spoofing attempt, the attacker fakes his source address in order to appear as part of your internal network. Using uRPF you can block this kind of traffic. Another way to obtain the same goal is using ACL.
Usually at least the following class are dropped: 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4.

Bye,
enrico.

PS rate if useful

Review Cisco Networking for a $25 gift card