OL-11615-01
Note: uRPF requires that Cisco Express Forwarding (CEF) be enabled.
An important characteristic of uRPF is that it enables this functionality with minimal operational
overhead and in a scalable, timely manner. In addition, uRPF introduces minimal performance impact to
a device. It is thus a highly attractive alternative to traditional ACLs. The Catalyst 6500 Supervisor 2,
Supervisor 32 and Supervisor 720 support uRPF in hardware.
There are currently two uRPF modes available: strict mode and loose mode. uRPF strict mode requires
that the source IP address of an incoming packet has a reverse path to the same interface as that on which
the packet arrived. uRPF loose mode requires that the source IP address of an incoming packet has a
reverse path to any interface on the device, except null0. By design, uRPF loose mode does not offer the
same degree of source IP address spoofing protection as uRPF strict mode. However, strict mode can be
used in scenarios where loose mode can't. uRPF strict mode should only be used in deployments where
the reverse path entries match the traffic paths, otherwise there is a risk uRPF could drop valid packets.
The PFC2 (Policy Feature Card) supports Unicast RPF check with hardware processing for packets that
have a single return path. The MSFC2 processes traffic in software that has multiple return paths (for
example, load sharing).
The PFC3 provides hardware support for RPF check of traffic from multiple interfaces. With
strict-method Unicast RPF check, the PFC3 supports two parallel paths for all prefixes in the routing
table, and up to four parallel paths for prefixes reached through any of four user-configurable RPF
interface groups (each interface group can contain four interfaces). With loose-method Unicast RPF
check (also known as exist-only method), the PFC3 supports up to eight reverse-path interfaces (the
Cisco IOS software is limited to eight reverse paths in the routing table).
To configure uRPF on a Catalyst 6500 Series switch running Catalyst IOS, use the ip verify unicast
interface command. Use the rx keyword to enable strict check mode, and the any keyword to enable
loose (exist-only) check mode. The allow-default keyword allows the use of the default route for RPF
verification:
Router(config-if)# ip verify unicast source reachable-via {rx | any} [allow-default] [list]
This example shows how to enable Unicast RPF strict check mode on Gigabit Ethernet port 4/2:
Router(config)# interface gigabitethernet 4/2
Router(config-if)# ip verify unicast source reachable-via rx
Router(config-if)# end
Router#
To configure the multiple-path Unicast RPF check mode on a PFC3, use the mls ip cef rpf mpath
command.
When configuring multiple-path RPF check, note the following information:
Punt (default)—The PFC3 performs the Unicast RPF check in hardware for up to two interfaces per
prefix. Packets arriving on any additional interfaces are redirected (punted) to the MSFC3 for
Unicast RPF check in software.
Pass—The PFC3 performs the Unicast RPF check in hardware for single-path and two-path prefixes.
Unicast RPF check is disabled for packets coming from multipath prefixes with three or more
reverse-path interfaces (these packets always pass the Unicast RPF check).
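The following Python model is an added example, not code from the Cisco document or from Cisco IOS. It reproduces the decision logic described above in one place: strict (rx) versus loose (any) mode, the allow-default keyword, the null0 exclusion, parallel paths for a prefix, and the punt versus pass behaviour for prefixes with three or more reverse paths. The FIB, the interface names (Gi4/1 to Gi4/4) and the source addresses are all constructed for the example. Punt mode is modelled as an ordinary check, since software and hardware reach the same verdict; the model only shows what is accepted or dropped, not where the work is done.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One FIB entry: a prefix and the egress interfaces it resolves to.
    More than one interface means parallel (load-shared) reverse paths."""
    prefix: ipaddress.IPv4Network
    interfaces: tuple


# Constructed FIB for illustration only; interface names are hypothetical.
FIB = (
    Route(ipaddress.ip_network("0.0.0.0/0"), ("Gi4/1",)),                    # default route
    Route(ipaddress.ip_network("10.1.0.0/16"), ("Gi4/2",)),                  # single path
    Route(ipaddress.ip_network("10.2.0.0/16"), ("Gi4/2", "Gi4/3")),          # two parallel paths
    Route(ipaddress.ip_network("10.3.0.0/16"), ("Gi4/1", "Gi4/2", "Gi4/3")), # three parallel paths
    Route(ipaddress.ip_network("192.0.2.0/24"), ("Null0",)),                 # blackholed prefix
)


def lookup(fib, src):
    """Longest-prefix match of the source address; None if no route covers it."""
    addr = ipaddress.ip_address(src)
    best = None
    for route in fib:
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def urpf_check(fib, src, ingress, mode="rx", allow_default=False, mpath="punt"):
    """Return True if the packet passes uRPF, False if it would be dropped.

    mode:          "rx" = strict (reachable-via rx), "any" = loose (reachable-via any)
    allow_default: whether a match on the default route counts (allow-default keyword)
    mpath:         "punt" = prefixes with 3+ reverse paths are still checked (in software)
                   "pass" = such prefixes are not checked at all and always pass
    """
    route = lookup(fib, src)
    if route is None:
        return False                            # no route at all: fails both modes
    if route.prefix.prefixlen == 0 and not allow_default:
        return False                            # only the default route matched
    if "Null0" in route.interfaces:
        return False                            # a route to null0 never satisfies uRPF
    if mode == "any":
        return True                             # loose: any non-null route is enough
    if mpath == "pass" and len(route.interfaces) >= 3:
        return True                             # pass mode skips the check for multipath prefixes
    return ingress in route.interfaces          # strict: ingress must be one of the reverse paths


if __name__ == "__main__":
    # Constructed sample packets: (source, ingress interface, keyword args)
    samples = [
        ("10.1.5.5", "Gi4/2", {}),                          # symmetric path, strict: pass
        ("10.1.5.5", "Gi4/3", {}),                          # asymmetric path, strict: drop
        ("10.1.5.5", "Gi4/3", {"mode": "any"}),             # same packet, loose: pass
        ("192.0.2.9", "Gi4/2", {"mode": "any"}),            # null0 route, loose: drop
        ("203.0.113.1", "Gi4/1", {"allow_default": True}),  # default route permitted: pass
        ("10.3.1.1", "Gi4/4", {"mpath": "pass"}),           # 3-path prefix, pass mode: not checked
    ]
    for src, ifc, kw in samples:
        verdict = "pass" if urpf_check(FIB, src, ifc, **kw) else "drop"
        print(f"{src:>12} on {ifc} {kw or ''} -> {verdict}")
```

The second and third sample packets are the practical point of the strict/loose paragraph: a legitimate source whose return path is Gi4/2 but which arrives on Gi4/3 (asymmetric routing) is dropped by strict mode and accepted by loose mode. The last sample shows the trade-off of mls ip cef rpf mpath pass: a source inside a prefix with three reverse paths is accepted from any interface at all, including one that is not a reverse path, so that setting widens the spoofing window for exactly those prefixes.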