Unicast Reverse Path Forwarding (uRPF) ACL

manuel.dennis
Level 1

I have a requirement to ensure that outbound traffic comes only from known hosts on the subnets of my network.  I can do this by using an inbound ACL on each port or by using uRPF.  Using uRPF would be a worthwhile option if I could use one (1) ACL for all instances.

Assume that ip cef is enabled, static routes are used, no alternate routing is implemented, and all I want to do is block traffic I should not see on that port.  Could I set up uRPF this way?

interface FastEthernet1/0
 ip address 192.168.254.252 255.255.255.0
 ip verify unicast source reachable-via rx 113
!
! FastEthernet1/1 through FastEthernet1/14: one connected /24 per interface
! (host .252 in 192.168.253.0/24 down to 192.168.239.0/24), same two lines on each
interface FastEthernet1/1 - 1/14
 ip address 192.168.253.252 - 192.168.239.252 255.255.255.0
 ip verify unicast source reachable-via rx 113
!
interface FastEthernet1/15
 ip address 192.168.238.252 255.255.255.0
 ip verify unicast source reachable-via rx 113
!
access-list 113 deny ip any any log


9 Replies

cadet alain
VIP Alumni

Hi,

"If an ACL is specified in the command, then when (and only when) a packet fails the Unicast RPF check, the ACL is checked to see if the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). Whether a packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for Unicast RPF drops and in the interface statistics for Unicast RPF.

If no ACL is specified in the Unicast RPF command, the router drops the forged or malformed packet immediately and no ACL logging occurs. The router and interface Unicast RPF counters are updated."

So the question is, is the ACL needed here? IMHO I don't think so, but you can leave it here, as the only thing it could do is raise the CPU load; it won't change the router's reaction to a spoofed IP.

Regards.

Alain.

Don't forget to rate helpful posts.
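The rule Alain quotes is easy to model: the RPF lookup runs first, the ACL is consulted only when that lookup fails, a matching permit forwards the packet anyway (the "suppressed drop" IOS counts), a matching deny drops it, and only the log keyword produces the record the poster's policy needs. The following Python is an added example, not code from the thread or from Cisco. It models strict-mode uRPF over a small constructed FIB built from the subnets in the original post, binds the one shared ACL 113 to several interfaces, and also shows the allow-default keyword and a permit-based exception list. The upstream interface name Serial0/0, the 203.0.113.7 test source and the wording of the modeled log line are assumptions, not IOS output.

```python
"""Model of Cisco IOS strict uRPF with an optional ACL (added example, not IOS code)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed FIB: (prefix, egress interface). The connected /24s come from the
# original post; the default route and its interface name are assumptions.
FIB = [
    ("192.168.254.0/24", "FastEthernet1/0"),
    ("192.168.253.0/24", "FastEthernet1/1"),
    ("192.168.238.0/24", "FastEthernet1/15"),
    ("0.0.0.0/0", "Serial0/0"),
]

# ACL 113 exactly as posted: deny ip any any log.
# Entries are (action, source prefix, log); the implicit deny is added in acl_check.
ACL_113 = [("deny", "0.0.0.0/0", True)]


@dataclass
class Counters:
    """The uRPF statistics IOS keeps: drops, ACL-permitted failures, and log output."""
    drops: int = 0
    suppressed_drops: int = 0          # RPF failures the ACL permitted anyway
    log_lines: list = field(default_factory=list)


def fib_lookup(src, allow_default=False):
    """Longest-prefix match; the default route only counts with 'allow-default'."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in FIB:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def acl_check(acl, src):
    """First matching entry wins; every IOS ACL ends with an implicit deny that does not log."""
    addr = ipaddress.ip_address(src)
    for action, prefix, log in acl:
        if addr in ipaddress.ip_network(prefix):
            return action, log
    return "deny", False


def strict_urpf(ingress, src, acl, counters, allow_default=False):
    """'ip verify unicast source reachable-via rx [acl] [allow-default]'.

    Returns 'forward' or 'drop'. The ACL is consulted only after the RPF
    check fails, so a shared deny-any-log ACL just turns a silent drop into a
    logged one on whichever interface the spoofed packet arrived.
    """
    if fib_lookup(src, allow_default) == ingress:
        return "forward"                 # best path back to the source is the arrival interface
    if acl is None:                      # no ACL: drop immediately, counters only, no log
        counters.drops += 1
        return "drop"
    action, log = acl_check(acl, src)
    if log:                              # modeled log line (assumption), not IOS syslog syntax
        counters.log_lines.append(f"uRPF fail on {ingress}: src {src} -> ACL {action} (log)")
    if action == "permit":
        counters.suppressed_drops += 1
        return "forward"
    counters.drops += 1
    return "drop"


def run_demo():
    """Same ACL 113 bound to every interface, which is what the lab result in this thread confirms."""
    c = Counters()
    results = {
        "legit_fa1_0": strict_urpf("FastEthernet1/0", "192.168.254.10", ACL_113, c),
        "spoof_neighbor_subnet": strict_urpf("FastEthernet1/0", "192.168.253.10", ACL_113, c),
        "spoof_internet_src": strict_urpf("FastEthernet1/15", "203.0.113.7", ACL_113, c),
        "legit_fa1_15": strict_urpf("FastEthernet1/15", "192.168.238.5", ACL_113, c),
    }
    # A permit entry turns the ACL into an exception list: the RPF failure is
    # counted as suppressed and the packet is forwarded anyway.
    exceptions = [("permit", "192.168.253.0/24", True), ("deny", "0.0.0.0/0", True)]
    results["permitted_exception"] = strict_urpf("FastEthernet1/0", "192.168.253.10", exceptions, c)
    return results, c


if __name__ == "__main__":
    res, ctr = run_demo()
    for name, verdict in res.items():
        print(f"{name:24s} {verdict}")
    print(f"drops={ctr.drops} suppressed={ctr.suppressed_drops}")
    print("\n".join(ctr.log_lines))
```

On the router itself the equivalent check is show ip interface FastEthernet1/0, whose "IP verify source reachable-via RX, ACL 113" line is followed by the verification-drop and suppressed-verification-drop counters for that interface, and show ip traffic for the global unicast RPF drop count.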

Hi Alain.

I understand what you are saying, but it is not quite the answer to my question.

In no cases will traffic from a host that does not have a path through the interface be permitted.  However, local policy is that any traffic that is dropped or blocked must be logged, so I do need an ACL.

My question is, if I implement uRPF on each internal interface, can I use a common ACL for all uRPF/interface implementations (i.e. can all implementations share one (1) ACL), or do I need a separate ACL for each uRPF/interface implementation?

If it's the former, I can save some bits and time using uRPF.  If it's the latter, there is no point using uRPF.  I may as well use an ACL on each interface and be done.

Respectfully

Manny

Hi,

In the snippet you posted you were denying everything, hence my answer.

The ACL used in uRPF is only consulted if there is a uRPF failure, to let some addresses pass or not even in case of uRPF failure.

Anyway if you want to log traffic going through an ACL you must add the log keyword which was not in the example you gave.

What exactly do you want to achieve: anti spoofing only or firewalling + anti spoofing ?

Regards.

Alain.

Don't forget to rate helpful posts.

Hi again,

What I am trying to do is restrict traffic from my network segments entering my router to only that coming from hosts that should be on those segments.

I could do that with an ACL for each port, but I was hoping that using uRPF would require less CLI work.

I understand that the ACL is only checked if uRPF fails to authenticate the source address.  If that happens I need to log that event.  That is the only purpose of my using an ACL with uRPF.  So, if I need a unique ACL for each port, it is not worth the effort to use uRPF.  If I can, it is.

My question is, since the ACL will be the same for all ports, can I get away with one ACL?

(If you check my original entry you will see that the ACL deny statement ends with the log keyword.)

Thanks

Manny

Hi,

Yes indeed, there was the log keyword at the end; I didn't notice it at first sight.

IMHO you can do with one ACL for every port, but I haven't tried this yet, so if I can I will lab it this evening to confirm or not.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi,

Thanks.

I don't have a LAB to try it in.  If you can get to it, I'll look for a post on the result tomorrow.

Manny

Hi,

I've just labbed it and it is working ok with the same ACL on different interfaces.

Regards.

Alain.

Don't forget to rate helpful posts.

Thank you.

Hi Alain , 

I am new to uRPF. Can you let me know, if an ACL itself could do the job, why uRPF was introduced? How is uRPF better than an ACL in this scenario?

Thanks,

Sandesh.B 
