06-01-2011 05:59 AM - edited 03-06-2019 05:17 PM
I have a requirement to ensure that outbound traffic comes only from known hosts on the subnets of my network. I can do this by using an inbound ACL on each port or using uRPF. Using uRPF would be a worthwhile option if I could use one (1) ACL for all instances.
Assume that ip cef, static routes, no alternate routing is implemented, and all I want to do is block traffic I should not see on that port. Could I set up uRPF this way?
interface FastEthernet1/0
 ip address 192.168.254.252 255.255.255.0
 ip verify unicast source reachable-via rx 113
interface FastEthernet1/1 - 14
 ip address 192.168.253 - 239.252 255.255.255.0
 ip verify unicast source reachable-via rx 113
interface FastEthernet1/15
 ip address 192.168.238.252 255.255.255.0
 ip verify unicast source reachable-via rx 113
access-list 113 deny ip any any log
06-01-2011 06:32 AM
Hi,
"If an ACL is specified in the command, then when (and only when) a packet fails the Unicast RPF check, the ACL is checked to see if the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). Whether a packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for Unicast RPF drops and in the interface statistics for Unicast RPF.
If no ACL is specified in the Unicast RPF command, the router drops the forged or malformed packet immediately and no ACL logging occurs. The router and interface Unicast RPF counters are updated."
So the question is, is the ACL needed here? IMHO I don't think so, but you can leave it here, as the only thing it could do is raise the CPU load; it won't change the router's reaction to a spoofed IP.
Regards.
Alain.
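As an added illustration that is not part of this thread and not Cisco code, the following Python model reproduces the behaviour the quoted documentation describes: strict uRPF (reachable-via rx) passes a packet only when the best route back to its source leaves via the ingress interface; on a failure the packet is counted, and the optional ACL is consulted only then (deny drops, permit forwards, and the log keyword is what produces a log entry). A single ACL object is attached to several interfaces to show that sharing it changes nothing in the decision. The FIB prefixes, interface names, traffic sample and log-line format are all constructed for this model.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed FIB: static routes as assumed in the thread (ip cef, no alternate paths).
# Interface names are assumptions for this model.
FIB = {
    "192.168.254.0/24": "FastEthernet1/0",
    "192.168.238.0/24": "FastEthernet1/15",
}


@dataclass
class AclEntry:
    action: str          # "permit" or "deny"
    src: str             # source prefix; "any" is written as 0.0.0.0/0
    log: bool = False    # models the IOS 'log' keyword


@dataclass
class Acl:
    number: int
    entries: list

    def match(self, src_ip: str) -> AclEntry:
        addr = ipaddress.ip_address(src_ip)
        for entry in self.entries:
            if addr in ipaddress.ip_network(entry.src):
                return entry
        return AclEntry("deny", "0.0.0.0/0")   # implicit deny at the end, never logged


@dataclass
class Router:
    fib: dict
    syslog: list = field(default_factory=list)
    urpf_drops: dict = field(default_factory=dict)   # per-interface uRPF failure counter

    def fib_lookup(self, ip: str):
        """Longest-prefix match; returns the egress interface or None."""
        addr = ipaddress.ip_address(ip)
        best = None
        for prefix, iface in self.fib.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def urpf_strict(self, ingress: str, src_ip: str, acl: Acl = None) -> str:
        """Model of 'ip verify unicast source reachable-via rx [acl]' on one interface.
        Returns "forward" or "drop"."""
        # Strict mode passes only if the route back to the source points at the
        # interface the packet arrived on.
        if self.fib_lookup(src_ip) == ingress:
            return "forward"
        # uRPF failed: counted whether the packet is finally dropped or forwarded.
        self.urpf_drops[ingress] = self.urpf_drops.get(ingress, 0) + 1
        if acl is None:
            return "drop"                       # no ACL: immediate drop, no logging
        entry = acl.match(src_ip)
        if entry.log:
            # Constructed log format, not the router's real syslog text.
            self.syslog.append(
                f"list {acl.number} {entry.action} ip {src_ip} on {ingress}")
        return "forward" if entry.action == "permit" else "drop"


def run_scenario():
    """Constructed traffic sample: one ACL object shared by two interfaces."""
    # access-list 113 deny ip any any log
    acl_113 = Acl(113, [AclEntry("deny", "0.0.0.0/0", log=True)])
    rtr = Router(FIB)
    results = {
        # legitimate host on its own segment
        "legit_fa1_0": rtr.urpf_strict("FastEthernet1/0", "192.168.254.10", acl_113),
        # same source address arriving on the wrong segment
        "spoof_fa1_15": rtr.urpf_strict("FastEthernet1/15", "192.168.254.10", acl_113),
        # address with no route at all
        "unknown_fa1_0": rtr.urpf_strict("FastEthernet1/0", "10.9.9.9", acl_113),
        # same wrong-segment packet with no ACL attached: dropped but not logged
        "spoof_noacl": rtr.urpf_strict("FastEthernet1/15", "192.168.254.10"),
    }
    return results, rtr.syslog, rtr.urpf_drops


if __name__ == "__main__":
    res, log, drops = run_scenario()
    print(res)
    print("\n".join(log))
    print(drops)
```

The model makes the two points of the thread visible: the verdict for a failed packet comes from the ACL and is the same on every interface, so one numbered ACL can be referenced by all of them, and only a deny-with-log entry produces a log line, so dropping the ACL entirely still drops the packet but leaves nothing in the log.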
06-01-2011 07:18 AM
Hi Alain.
I understand what you are saying, but it is not quite the answer to my question.
In no cases will traffic from a host that does not have a path through the interface be permitted. However, local policy is that any traffic that is dropped or blocked must be logged, so I do need an ACL.
My question is, if I implement uRPF on each internal interface, can I use a common ACL for all uRPF/interface implementations (i.e. can all implementations share one (1) ACL), or do I need a separate ACL for each uRPF/interface implementation?
If it's the former, I can save some bits and time using uRPF. If it's the latter, there is no point using uRPF. I may as well use an ACL on each interface and be done.
Respectfully
Manny
06-01-2011 07:43 AM
Hi,
In the snippet you posted you were denying everything, hence my answer.
The ACL used in the uRPF is only used if there is a uRPF failure to let some addresses pass or not even in case of uRPF failure.
Anyway if you want to log traffic going through an ACL you must add the log keyword which was not in the example you gave.
What exactly do you want to achieve: anti spoofing only or firewalling + anti spoofing ?
Regards.
Alain.
06-01-2011 08:50 AM
Hi again,
What I am trying to do is restrict traffic from my network segments entering my router to only that coming from hosts that should be on those segments.
I could do that with an ACL for each port, but I was hoping that using uRPF would require less CLI work.
I understand that the ACL is only checked if uRPF fails to authenticate the source address. If that happens I need to log that event. That is the only purpose of my using an ACL with uRPF. So, if I need a unique ACL for each port, it is not worth the effort to use uRPF. If I can, it is.
My question is, since the ACL will be the same for all ports, can I get away with one ACL?
(If you check my original entry you will see that the ACL deny statement ends with the log keyword.)
Thanks
Manny
06-01-2011 09:57 AM
Hi,
Yes indeed, there was the log keyword at the end; I didn't notice it at first sight.
IMHO you can do with one ACL for every port but I haven't tried this yet so if I can I will lab it this evening to confirm or not.
Regards.
Alain.
06-01-2011 10:28 AM
Hi,
Thanks.
I don't have a LAB to try it in. If you can get to it, I'll look for a post on the result tomorrow.
Manny
06-01-2011 01:03 PM
Hi,
I've just labbed it and it is working ok with the same ACL on different interfaces.
Regards.
Alain.
06-01-2011 01:41 PM
Thank you.
11-22-2016 04:52 AM
Hi Alain,
I am new to uRPF. Can you let me know, if an ACL itself could do the job, why uRPF was introduced? How is uRPF better than an ACL in this scenario?
Thanks,
Sandesh.B
