
New Member

ip verify unicast rpf

Hi,

Can you specify what exactly this command does: "ip verify unicast rpf"?

Because when I remove this command on one of my interfaces, I start receiving checksum error messages.

Is there any alternative to this command?

Thanks in advance.

2 REPLIES

Re: ip verify unicast rpf

Hi,

This is a security feature used as a best-practice standard configuration to prevent spoofing attacks.

When you put this command under an IP interface, whenever the router/switch receives incoming traffic on this interface, it does the following:

1) It will take the source IP address it sees on the incoming packets.

2) Check the IP routing table to see whether this interface is the outbound interface to reach that source IP.

3) If the check in step 2 is a success, then the router/switch will allow that packet for processing and further transmission.

4) If the check in step 2 fails, then it might be an indicator of a spoofed packet claiming a false source IP address, hence the packet will be dropped.

Due to this nature, we should be very careful when applying this command if the network has any asymmetric routing.

Please provide more captures/CLI outputs related to your checksum error messages, to verify the problem in your scenario.

Hope this helps.

-VJ
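
The four steps in the reply above, as a small Python simulation that also includes the loose variant (`reachable-via any`), which goes beyond the steps described. This is an added example, not part of the original reply and not Cisco code. The routing table, interface names and packets are constructed, and default-route handling is not modelled.

```python
import ipaddress

# Constructed routing table (prefix -> best-path outbound interface).
# Prefixes and interface names are assumptions for illustration only.
ROUTES = {
    "10.1.0.0/16": "Gi0/1",    # customer LAN
    "192.0.2.0/24": "Gi0/2",   # remote site; best path is via Gi0/2
}

def best_route(src):
    """Longest-prefix match on the source IP; returns the outbound interface or None."""
    addr = ipaddress.ip_address(src)
    matches = [ipaddress.ip_network(p) for p in ROUTES
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return ROUTES[str(max(matches, key=lambda n: n.prefixlen))]

def urpf_permits(src, in_iface, mode="rx"):
    """mode 'rx': strict check (steps 1-4). mode 'any': loose, any route to the source passes."""
    out_iface = best_route(src)
    if out_iface is None:
        return False                 # no route back to the source at all
    if mode == "any":
        return True                  # loose: the receiving interface is not compared
    return out_iface == in_iface     # strict: must arrive where the reply would leave

# Constructed packets: (source IP, receiving interface, note)
PACKETS = [
    ("10.1.5.5", "Gi0/1", "legitimate LAN host"),
    ("10.1.5.5", "Gi0/0", "LAN address spoofed from another interface"),
    ("192.0.2.10", "Gi0/3", "legitimate host, asymmetric return path"),
    ("203.0.113.7", "Gi0/0", "source with no route"),
]

def evaluate():
    """Returns (src, iface, strict_result, loose_result) for each constructed packet."""
    return [(src, iface, urpf_permits(src, iface, "rx"), urpf_permits(src, iface, "any"))
            for src, iface, _ in PACKETS]

if __name__ == "__main__":
    for (src, iface, strict, loose), (_, _, note) in zip(evaluate(), PACKETS):
        print(f"{src:12} in {iface}: strict={'permit' if strict else 'drop':6} "
              f"loose={'permit' if loose else 'drop':6} ({note})")
```

The third packet is the asymmetric-routing case: a genuine source is dropped in strict mode because the best path back to it leaves through a different interface.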

New Member

Re: ip verify unicast rpf

What is the difference between this command and the one with vrf in it:

ip verify unicast source reachable-via any allow-self-ping

Can this command be used with VRF interfaces?
