Solved: Re: Source ip mismatch

mohammedwahdan66 · ‎10-19-2022

What would happen if a router receives a packet with source IP different from the router's interface subnet.

does the router drop the packet or will forward according to the destination ip regardless of the source ip mismatch.

MHM Cisco World · ‎10-19-2022

IP source and destiantion never change when packet forward from router to router, the mac address only change,
so sure it can happened receive packet with source IP different than subnet of interface, and router drop packet only if the destination is unreachable.

View solution in original post

Elliot Dierksen · ‎10-19-2022

If you want the router to drop packets when they don't match the routing table, you can apply the

ip verify unicast reverse-path

to the interface. Use that with care if there are down stream links to other networks. If there are only hosts on the interface in question, I almost always apply that command.

View solution in original post

Joseph W. Doherty · ‎10-19-2022

Although @MHM Cisco World answers this, sometimes another explanation, put a bit differently, helps clarify the point.

"What would happen if a router receives a packet with source IP different from the router's interface subnet."

Generally, nothing, i.e. normally router doesn't care.

Possibly you're thinking about a gateway router, where there are multiple hosts on the same network as the router interface, sending to it. That's correct, but for routing, a router doesn't normally even concern itself with the packet's source IP.

For non-gateway routers, generally all the received packets have a source IP not on the same network as the interface that received it.

"does the router drop the packet or will forward according to the destination ip regardless of the source ip mismatch."

Again, as router doesn't generally care about source IP, it will do whatever it would do based on destination IP.

View solution in original post

Joseph W. Doherty · ‎10-19-2022

". . . and router drop packet only if the destination is unreachable."

Although @MHM Cisco World is correct, a router will drop a packet when destination is unreachable, at least in the ICMP sense, there are six different destination unreachable message types. I'm not going to further try to explain them, but why/when they are triggered are bound to how a router processes a destination IP.

View solution in original post

Joseph W. Doherty · ‎10-19-2022

Just to expand a bit on @Elliot Dierksen mention of the

ip verify unicast reverse-path

command, which does need to be used with care, basically it simply works by checking a received packet's source IP against the interface it was received on. If the router would send to the source IP using the same interface, all good. If not, packet dropped.

Generally in the case where the source IP matched the network of the receiving interface's that would be expected. When they don't match, is when you have a chance that this function will drop a packet.

View solution in original post

MHM Cisco World · ‎10-19-2022

IP source and destiantion never change when packet forward from router to router, the mac address only change,
so sure it can happened receive packet with source IP different than subnet of interface, and router drop packet only if the destination is unreachable.

Joseph W. Doherty · ‎10-19-2022

". . . and router drop packet only if the destination is unreachable."

Although @MHM Cisco World is correct, a router will drop a packet when destination is unreachable, at least in the ICMP sense, there are six different destination unreachable message types. I'm not going to further try to explain them, but why/when they are triggered are bound to how a router processes a destination IP.

mohammedwahdan66 · ‎10-19-2022

Thanks alot, all clear now.

Elliot Dierksen · ‎10-19-2022

If you want the router to drop packets when they don't match the routing table, you can apply the

ip verify unicast reverse-path

to the interface. Use that with care if there are down stream links to other networks. If there are only hosts on the interface in question, I almost always apply that command.

Joseph W. Doherty · ‎10-19-2022

Just to expand a bit on @Elliot Dierksen mention of the

ip verify unicast reverse-path

command, which does need to be used with care, basically it simply works by checking a received packet's source IP against the interface it was received on. If the router would send to the source IP using the same interface, all good. If not, packet dropped.

Generally in the case where the source IP matched the network of the receiving interface's that would be expected. When they don't match, is when you have a chance that this function will drop a packet.

mohammedwahdan66 · ‎10-19-2022

Thanks alot Joseph. all clear

mohammedwahdan66 · ‎10-19-2022

Thanks alot Elliot.

Joseph W. Doherty · ‎10-19-2022

Although @MHM Cisco World answers this, sometimes another explanation, put a bit differently, helps clarify the point.

"What would happen if a router receives a packet with source IP different from the router's interface subnet."

Generally, nothing, i.e. normally router doesn't care.

Possibly you're thinking about a gateway router, where there are multiple hosts on the same network as the router interface, sending to it. That's correct, but for routing, a router doesn't normally even concern itself with the packet's source IP.

For non-gateway routers, generally all the received packets have a source IP not on the same network as the interface that received it.

"does the router drop the packet or will forward according to the destination ip regardless of the source ip mismatch."

Again, as router doesn't generally care about source IP, it will do whatever it would do based on destination IP.

Source ip mismatch

ISE - Outros Identity Sources

ISE - Active Directory Identity Source

StarOS: gtpp single-source 設定時の注意点

dhcp snooping+IP source guard 问题

单臂路由 NATIVE VLAN MISMATCH