cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1562
Views
25
Helpful
8
Replies

Source ip mismatch

What would happen if a router receives a packet with source IP different from the router's interface subnet. 

does the router drop the packet or will forward according to the destination ip regardless of the source ip mismatch.

5 Accepted Solutions

Accepted Solutions

IP source and destiantion never change when packet forward from router to router, the mac address only change, 
so sure it can happened receive packet with source IP different than subnet of interface, and router drop packet only if the destination is unreachable. 

View solution in original post

If you want the router to drop packets when they don't match the routing table, you can apply the

ip verify unicast reverse-path 

to the interface. Use that with care if there are down stream links to other networks. If there are only hosts on the interface in question, I almost always apply that command.

View solution in original post

Joseph W. Doherty
Hall of Fame
Hall of Fame

Although @MHM Cisco World answers this, sometimes another explanation, put a bit differently, helps clarify the point.

"What would happen if a router receives a packet with source IP different from the router's interface subnet."

Generally, nothing, i.e. normally router doesn't care.

Possibly you're thinking about a gateway router, where there are multiple hosts on the same network as the router interface, sending to it.  That's correct, but for routing, a router doesn't normally even concern itself with the packet's source IP.

For non-gateway routers, generally all the received packets have a source IP not on the same network as the interface that received it.

"does the router drop the packet or will forward according to the destination ip regardless of the source ip mismatch."

Again, as router doesn't generally care about source IP, it will do whatever it would do based on destination IP.

View solution in original post

". . . and router drop packet only if the destination is unreachable."

Although @MHM Cisco World is correct, a router will drop a packet when destination is unreachable, at least in the ICMP sense, there are six different destination unreachable message types.  I'm not going to further try to explain them, but why/when they are triggered are bound to how a router processes a destination IP.

View solution in original post

Just to expand a bit on @Elliot Dierksen mention of the

ip verify unicast reverse-path

command, which does need to be used with care, basically it simply works by checking a received packet's source IP against the interface it was received on.  If the router would send to the source IP using the same interface, all good.  If not, packet dropped.

Generally in the case where the source IP matched the network of the receiving interface's that would be expected.  When they don't match, is when you have a chance that this function will drop a packet.

View solution in original post

8 Replies 8

IP source and destiantion never change when packet forward from router to router, the mac address only change, 
so sure it can happened receive packet with source IP different than subnet of interface, and router drop packet only if the destination is unreachable. 

". . . and router drop packet only if the destination is unreachable."

Although @MHM Cisco World is correct, a router will drop a packet when destination is unreachable, at least in the ICMP sense, there are six different destination unreachable message types.  I'm not going to further try to explain them, but why/when they are triggered are bound to how a router processes a destination IP.

Thanks alot, all clear now.

If you want the router to drop packets when they don't match the routing table, you can apply the

ip verify unicast reverse-path 

to the interface. Use that with care if there are down stream links to other networks. If there are only hosts on the interface in question, I almost always apply that command.

Just to expand a bit on @Elliot Dierksen mention of the

ip verify unicast reverse-path

command, which does need to be used with care, basically it simply works by checking a received packet's source IP against the interface it was received on.  If the router would send to the source IP using the same interface, all good.  If not, packet dropped.

Generally in the case where the source IP matched the network of the receiving interface's that would be expected.  When they don't match, is when you have a chance that this function will drop a packet.

Thanks alot Joseph. all clear

Thanks alot Elliot.

Joseph W. Doherty
Hall of Fame
Hall of Fame

Although @MHM Cisco World answers this, sometimes another explanation, put a bit differently, helps clarify the point.

"What would happen if a router receives a packet with source IP different from the router's interface subnet."

Generally, nothing, i.e. normally router doesn't care.

Possibly you're thinking about a gateway router, where there are multiple hosts on the same network as the router interface, sending to it.  That's correct, but for routing, a router doesn't normally even concern itself with the packet's source IP.

For non-gateway routers, generally all the received packets have a source IP not on the same network as the interface that received it.

"does the router drop the packet or will forward according to the destination ip regardless of the source ip mismatch."

Again, as router doesn't generally care about source IP, it will do whatever it would do based on destination IP.

Review Cisco Networking for a $25 gift card