cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1311
Views
0
Helpful
1
Replies

uRPF question

andrewswanson
Level 7
Level 7

 

urpf lab

Hello
I setup the above lab to test uRPF on vlan SVIs using a WS-C3850-24P (IOS XE 03.03.02SE cat3k_caa-iosd-universalk9.SPA.150-1.EZ2.pkg) for switch1


I enabled the following debugs:
debug ip cef drops detail
debug ip cef drops rpf


And added the following to vlan 10 svi for rpf:
ip verify unicast source reachable-via rx
ip verify unicast notification threshold 0

TEST 1 The allow-default option isn't enabled for urpf on vlan 10. To check if urpf is working ok I pinged the vlan 10 svi from the switch1 cli:

switch1#ping 10.10.10.1

*Apr 16 08:11:10.641: CEF-Drop: Packet from 10.10.10.1 via Vlan10 -- via-rx
*Apr 16 08:11:10.642: CEF-Drop: packet from 10.10.10.1 via Vlan10: unicast rpf failed.

show ip interface vlan 10 and show ip traffic counters show increments for RPF


TEST2 Spoof a Source IP address in the same range as Lo20 on the laptop using nmap:

nmap -e eth4 -S 10.10.20.22 4.4.4.4


*Apr 16 08:15:11.249: CEF-Drop: Packet from 10.10.20.2 via Vlan10 -- via-rx
*Apr 16 08:15:11.249: CEF-Drop: Packet from 10.10.20.2 (Vl10) to 4.4.4.4, Input feature uRPF

show ip interface vlan 10 and show ip traffic counters show increments for RPF


TEST3 Spoof an arbitary source  IP address on the laptop using nmap:

nmap -e eth4 -S 10.10.60.1 4.4.4.4

No outputs from the debugs and show ip interface vlan 10 and show ip traffic counters do not show increments for RPF.
I disabled rpf on vlan 10 and created a logging acl on  switch1's interface to switch2 to check for this spoofed traffic and could see the acl hits ok. When I re-enable rpf on vlan 10 these acl hits stop.
I also enabled debug ip packet to see what was happening to the spoofed traffic but nothing appeared in the debug. The spoofed traffic is being dropped with rpf enabled but I am seeing nothing in the debugs, logs or counters.

Am I missing something? I repeated the above on a WS-C3750X-24P-E 12.2(58)SE2 with the same results.

Thanks
Andy

 

1 Reply 1

Curtis Weller
Level 1
Level 1

I realize that this is an old post, but I'm looking into deploying uRPF on SVIs and saw this.  There are a few courses I can recommend.  First, sniff the traffic on the laptop.  Check to see if the packets you think you are generating are actually crafted in the manner that you expect.  Check to see what the destination MAC address is, and if it belongs to the SVI interface VLAN 10.  If it doesn't, then the SVI will not receive the traffic.  Next, try debug ip packet.  This is extremely verbose, so don't ever try this on production equipment.  You might find some useful output.  Finally, although most likely redundant, try spanning the incoming traffic from the laptop's connected switch port and sniff the traffic.  This obviously doesn't answer your question, though it should provide you with the tools to answer it yourself.  Of course, the 3850 switch is the buggiest Cisco device I've ever worked with, so make sure you're running the latest recommended code.  Cheers!