Unicast Reverse Path Forwarding (uRPF) ACL

Answered Question
Jun 1st, 2011

I have a requirement to ensure that outbound traffic comes only from known hosts on the subnets of my network. I can do this by using an inbound ACL on each port or using uRPF. Using uRPF would be a worthwhile option if I could use one (1) ACL for all instances.

Assume that ip cef, static routes, no alternate routing is implemented, and all I want to do is block traffic I should not see on that port.  Could I set up uRPF this way?

interface FastEthernet1/0
 ip address 192.168.254.252 255.255.255.0
 ip verify unicast source reachable-via rx 113

interface FastEthernet1/1 - 14
 ip address 192.168.253 - 239.252 255.255.255.0
 ip verify unicast source reachable-via rx 113

interface FastEthernet1/15
 ip address 192.168.238.252 255.255.255.0
 ip verify unicast source reachable-via rx 113

access-list 113 deny ip any any log

Cadet Alain Wed, 06/01/2011 - 06:32

Hi,

"If an ACL is specified in the command, then when (and only when) a packet fails the Unicast RPF check, the ACL is checked to see if the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). Whether a packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for Unicast RPF drops and in the interface statistics for Unicast RPF.

If no ACL is specified in the Unicast RPF command, the router drops the forged or malformed packet immediately and no ACL logging occurs. The router and interface Unicast RPF counters are updated."

So the question is, is the ACL needed here? IMHO I don't think so, but you can leave it here as the only thing it could do is raise the CPU load; it won't change the router's reaction to a spoofed IP.

Regards.

Alain.

manuel.dennis Wed, 06/01/2011 - 07:18

Hi Alain.

I understand what you are saying, but it is not quite the answer to my question.

In no case will traffic from a host that does not have a path through the interface be permitted. However, local policy is that any traffic that is dropped or blocked must be logged, so I do need an ACL.

My question is, if I implement uRPF on each internal interface, can I use a common ACL for all uRPF/interface implementations (i.e. can all implementations share one (1) ACL), or do I need a separate ACL for each uRPF/interface implementation?

If it's the former, I can save some bits and time using uRPF. If it's the latter, there is no point using uRPF. I may as well use an ACL on each interface and be done.

Respectfully

Manny

Cadet Alain Wed, 06/01/2011 - 07:43

Hi,

In the snippet you posted you were denying everything, hence my answer.

The ACL used in the uRPF is only used if there is a uRPF failure, to let some addresses pass or not even in case of uRPF failure.

Anyway if you want to log traffic going through an ACL you must add the log keyword which was not in the example you gave.

What exactly do you want to achieve: anti-spoofing only, or firewalling + anti-spoofing?

Regards.

Alain.

manuel.dennis Wed, 06/01/2011 - 08:50

Hi again,

What I am trying to do is restrict traffic from my network segments entering my router to only that coming from hosts that should be on those segments.

I could do that with an ACL for each port, but I was hoping that using uRPF would require less CLI work.

I understand that the ACL is only checked if uRPF fails to authenticate the source address. If that happens I need to log that event. That is the only purpose of my using an ACL with uRPF. So, if I need a unique ACL for each port, it is not worth the effort to use uRPF. If I can, it is.

My question is, since the ACL will be the same for all ports, can I get away with one ACL?

(If you check my original entry you will see that the ACL deny statement ends with the log keyword.)

Thanks

Manny

Cadet Alain Wed, 06/01/2011 - 09:57

Hi,

Yes indeed, there was the log keyword at the end; I didn't notice it at first sight.

IMHO you can do it with one ACL for every port, but I haven't tried this yet, so if I can I will lab it this evening to confirm or not.

Regards.

Alain.

manuel.dennis Wed, 06/01/2011 - 10:28

Hi,

Thanks.

I don't have a lab to try it in. If you can get to it, I'll look for a post on the result tomorrow.

Manny

Correct Answer
Cadet Alain Wed, 06/01/2011 - 13:03

Hi,

I've just labbed it and it is working ok with the same ACL on different interfaces.

Regards.

Alain.
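To make the behaviour discussed in this thread concrete, here is an added Python model (not from the thread, not Cisco code) of strict uRPF with an ACL fallback: the RPF check runs first against a constructed FIB for the questioner's /24 layout, and only on failure is the single shared ACL 113 consulted, which logs and drops. Interface names, addresses and sample packets are constructed for the example; the FIB omits a default route, matching IOS behaviour without the allow-default keyword.

```python
import ipaddress
# Constructed FIB for the questioner's layout: each /24 is directly connected on
# one port (ip cef, static routes, no alternate paths). The default route is left
# out on purpose: IOS ignores it for uRPF unless allow-default is configured.
FIB = {
    ipaddress.ip_network("192.168.254.0/24"): "Fa1/0",
    ipaddress.ip_network("192.168.253.0/24"): "Fa1/1",
    ipaddress.ip_network("192.168.238.0/24"): "Fa1/15",
}
# The one shared ACL from the question (access-list 113 deny ip any any log),
# as (action, source net, destination net, log) entries.
ANY = ipaddress.ip_network("0.0.0.0/0")
ACL_113 = [("deny", ANY, ANY, True)]

def fib_lookup(src):
    """Longest-prefix match: the interface the router would use to reach src."""
    matches = [(net.prefixlen, iface) for net, iface in FIB.items() if src in net]
    return max(matches)[1] if matches else None

def acl_check(acl, src, dst):
    """First-match evaluation; unmatched packets hit the implicit deny, unlogged."""
    for action, s, d, log in acl:
        if src in s and dst in d:
            return action, log
    return "deny", False

def urpf_strict(rx_iface, src, dst, acl, log):
    """reachable-via rx check; on failure the ACL (if any) decides and may log."""
    if fib_lookup(src) == rx_iface:
        return "forward"
    if acl is None:          # no ACL on the command: silent drop, counters only
        return "drop"
    action, do_log = acl_check(acl, src, dst)
    if do_log:
        log.append(f"uRPF fail on {rx_iface}: {src} -> {dst} ({action})")
    return "forward" if action == "permit" else "drop"

def simulate(packets, acl=ACL_113):
    """Run (ingress port, src, dst) packets through their ports, all sharing one ACL."""
    log = []
    verdicts = [urpf_strict(rx, ipaddress.ip_address(s), ipaddress.ip_address(d), acl, log)
                for rx, s, d in packets]
    return verdicts, log

PACKETS = [  # constructed sample traffic
    ("Fa1/0", "192.168.254.10", "10.1.1.1"),       # host on its own segment
    ("Fa1/1", "192.168.254.10", "10.1.1.1"),       # same address spoofed from another port
    ("Fa1/15", "192.168.238.7", "192.168.254.1"),  # legitimate
    ("Fa1/15", "203.0.113.9", "192.168.254.1"),    # source with no route at all
]
```

Calling simulate(PACKETS) forwards the two legitimate packets and drops the two spoofed ones with a log entry each; simulate(PACKETS, acl=None) gives the same verdicts but an empty log, which is the difference the quoted documentation describes.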

Posted June 1, 2011 at 5:59 AM