ip verify unicast rpf

csc010854800 · ‎10-07-2007

Hi,

Can u specify what does this command exactly do "ip verify unicast rpf" .

Bcz when i remove this command on one of my interface , i start receiving Checksum error messages .

Is there any other alternate for this command..

Thnx in advance.

vijayasankar · ‎10-07-2007

Hi,

This is security feature used as a best practice standard configurations to prevent spoof attacks.

When you put this command under a ip interface, whenever the router/switch receives a incoming traffic on this interfaces, it does the following

1) Will take the source ip address it sees on the incoming packets

2) Check the ip routing table to see whether this interface is the outbound interface to reach that source ip.

3) If the check on step 2 is a success, then the router/switch will allow that packet for processing and further transmission

4) if that check on step 2 fails, then it might be a indicator for spoofed packet, claiming a false source ip address, hence the packet will be dropped.

Due to this nature, We should be very careful when applying this command, if the network has any assymetric routing.

Please provide more captures/cli outputs related to your checksum error messages, to verify the problem in your scenario.

Hope this helps.

-VJ

atif-siddiqui · ‎10-28-2007

what is the difference between this command and the one with vrf in it:

ip verify unicast source reachable-via any allow-self-ping

Can this command be used iwht VRF interfaces?