Unicast Reverse Path Forwarding
uRPF is designed to protect a Layer 3 device, and the networks behind it, from traffic with spoofed source addresses by checking that the source IP address of each incoming packet is reachable. When uRPF is enabled, the device looks the source address up in the FIB (the CEF table) before forwarding the packet; if there is no route to the source, or the source is matched only by a route to Null0, the packet is dropped. There are two modes, strict and loose. In strict mode the best route to the source address must point back out of the interface on which the packet arrived. In loose mode it is enough that a route to the source exists via any interface. Loose mode suits networks with asymmetric routing, where the return path may not use the arrival interface; it still drops packets sourced from unrouted or null-routed space, but it cannot catch spoofed addresses that are legitimately routed somewhere. Strict mode fits ISP customer-edge links and other single-homed interfaces, where the only valid sources are the prefixes routed toward that interface.
Configuration:
First, enable Cisco Express Forwarding (CEF) if it is not already enabled; uRPF relies on the FIB that CEF builds:
Router(config)# ip cef
Enable uRPF on FastEthernet 0/0 in loose mode:
Router(config)# interface FastEthernet 0/0
Router(config-if)# ip verify unicast source reachable-via any
In strict mode, on the same interface:
Router(config)# interface FastEthernet 0/0
Router(config-if)# ip verify unicast source reachable-via rx
Options (appended to the ip verify unicast source reachable-via command):
allow-default - let the check succeed when the source address is matched only by the default route; without it, such packets fail the check
allow-self-ping - let the router ping its own interface address through a uRPF-enabled interface
list - name an ACL that is evaluated for packets that fail the check; sources permitted by the ACL are forwarded anyway, sources denied by it are dropped
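To make the strict/loose decision and the allow-default option concrete, here is an added Python simulation of how the check consults the FIB. It is not code from this page or from Cisco; the FIB, interface names and packet list are constructed for illustration. A null-routed prefix is included because a source matched by a route to Null0 fails even in loose mode, which is what source-based remote-triggered black-holing relies on.

```python
import ipaddress

# Constructed FIB for the example: prefix -> next-hop interface.
# None models a route to Null0 (a black-holed prefix).
FIB = {
    "0.0.0.0/0":    "FastEthernet0/1",   # default route toward the upstream
    "10.1.0.0/16":  "FastEthernet0/0",   # customer block behind Fa0/0
    "10.1.2.0/24":  "FastEthernet0/2",   # more specific, lives behind Fa0/2
    "192.0.2.0/24": None,                # null-routed (e.g. RTBH for an attack source)
}


def lookup(fib, src):
    """Longest-prefix match of src against fib.
    Returns (network, interface) or None when no route covers src."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib, src, ingress, mode="strict", allow_default=False):
    """Decide whether a packet from src arriving on ingress passes uRPF.
    mode is 'strict' (reachable-via rx) or 'loose' (reachable-via any);
    allow_default mirrors the allow-default keyword."""
    match = lookup(fib, src)
    if match is None:
        return False                      # no route at all -> drop
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False                      # matched only by 0.0.0.0/0 -> drop
    if iface is None:
        return False                      # Null0 route fails in both modes
    if mode == "loose":
        return True                       # any interface is good enough
    return iface == ingress               # strict: return path must be the arrival interface


def rpf_drops(fib, packets, mode, allow_default=False):
    """Count uRPF drops per ingress interface, in the spirit of the
    per-interface counters shown by the ASA 'show ip verify statistics'."""
    drops = {}
    for src, ingress in packets:
        if not urpf_check(fib, src, ingress, mode, allow_default):
            drops[ingress] = drops.get(ingress, 0) + 1
    return drops


# Constructed sample traffic: (source address, arrival interface)
PACKETS = [
    ("10.1.5.5",     "FastEthernet0/0"),  # legitimate, symmetric
    ("10.1.2.7",     "FastEthernet0/0"),  # best path is Fa0/2: spoofed or asymmetric
    ("192.0.2.9",    "FastEthernet0/0"),  # null-routed source
    ("203.0.113.9",  "FastEthernet0/0"),  # only the default route covers it
    ("203.0.113.10", "FastEthernet0/1"),  # same, but arriving from the upstream side
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        for allow_default in (False, True):
            label = mode + (" allow-default" if allow_default else "")
            print(label, rpf_drops(FIB, PACKETS, mode, allow_default))
```

Running it shows the trade-off from the text: strict mode drops the 10.1.2.7 packet whose return path is another interface (correct for a spoof, wrong for an asymmetric network), loose mode lets it through but still drops the null-routed source, and without allow-default both modes drop anything covered only by 0.0.0.0/0, which on an upstream-facing interface is almost everything.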
Show commands:
show cef interface FastEthernet 0/0 (reports whether the IP unicast RPF check is enabled on the interface)
show ip interface FastEthernet 0/0 (shows the configured verification mode and the count of verification drops)
Enable uRPF on Cisco ASA and FWSM
On the ASA and FWSM the check is enabled per interface and uses the routing table; the route to the source must point back through the interface the packet arrived on, which is the behaviour of strict mode above.
CLI:
ip verify reverse-path interface interface_name
Show command:
ASA5520# show ip verify statistics
interface outside: 21 unicast rpf drops
interface inside: 2738 unicast rpf drops
interface vpn: 0 unicast rpf drops