User's guide

Chapter 1 Cisco SDM Express
Supplementary Help
Cisco SDM Express 2.4 User’s Guide
OL-7141-05
The configuration that will be delivered to the router to enable and configure
logging is as follows, replacing <log buffer size> and <logging server ip
address> with the appropriate values that you enter into Cisco SDM Express:
logging console critical
logging trap debugging
logging buffered <log buffer size>
logging <logging server ip address>
Enable Unicast RPF on Outside Interfaces
Cisco SDM Express enables unicast Reverse Path Forwarding (RPF) on all
interfaces that connect to the Internet whenever possible. RPF is a feature that
causes the router to check the source address of any packet against the interface
through which the packet entered the router. If the input interface is not a feasible
path to the source address according to the routing table, the packet will be
dropped. This source address verification is used to defeat IP spoofing.
This works only when routing is symmetric. If the network is designed in such a
way that traffic from host A to host B may normally take a different path than
traffic from host B to host A, the check will always fail, and communication
between the two hosts will be impossible. This sort of asymmetric routing is
common in the Internet core. Ensure that your network does not use asymmetric
routing before enabling this feature.
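The following Python model of the strict source check described above is an added example, not code from Cisco SDM Express or Cisco IOS; it shows a spoofed source being dropped and a legitimate packet being dropped under asymmetric routing. The routing table, interface names and packets are constructed, and the model assumes a single best route per source and treats the default route as a valid match.

```python
import ipaddress

# Constructed routing table for a hypothetical router: (prefix, egress interface).
ROUTES = [
    ("0.0.0.0/0", "Serial0"),          # default route toward the Internet
    ("10.1.0.0/16", "FastEthernet0"),  # private LAN
    ("192.0.2.0/24", "Serial1"),       # partner network, best path via Serial1
]

def best_route(table, address):
    """Longest-prefix match: return (network, interface) or None."""
    addr = ipaddress.ip_address(address)
    matches = [(ipaddress.ip_network(p), ifc) for p, ifc in table
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def urpf_strict(table, src, in_interface):
    """Accept only if the best route back to src leaves via in_interface."""
    route = best_route(table, src)
    if route is None:
        return False, "no route to source"
    net, ifc = route
    if ifc != in_interface:
        return False, f"route to {net} points to {ifc}, not {in_interface}"
    return True, f"source reachable via {ifc}"

# Constructed packets: (source address, arrival interface, what the case shows).
PACKETS = [
    ("198.51.100.7", "Serial0", "ordinary Internet host"),
    ("10.1.2.3", "Serial0", "inside address arriving from outside (spoofed)"),
    ("192.0.2.10", "Serial1", "partner host on the symmetric path"),
    ("192.0.2.10", "Serial0", "same partner host, asymmetric return path"),
]

def run(table=ROUTES, packets=PACKETS):
    """Return [(src, interface, accepted, reason)] for each sample packet."""
    return [(src, ifc, *urpf_strict(table, src, ifc)) for src, ifc, _ in packets]

if __name__ == "__main__":
    for (src, ifc, ok, why), (_, _, label) in zip(run(), PACKETS):
        print(f"{'PASS' if ok else 'DROP'}  {src:<14} in {ifc:<8} {label}: {why}")
```

The last packet is legitimate traffic, yet it fails the same check that stops the spoofed one, which is why symmetric routing must be confirmed first.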
In addition, unicast RPF can be enabled only when IP Cisco Express Forwarding
is enabled. Cisco SDM Express will check the router configuration to see if IP
Cisco Express Forwarding is enabled. If IP Cisco Express Forwarding is not
enabled, Cisco SDM Express will recommend that IP Cisco Express Forwarding
be enabled and will enable it if the recommendation is approved. If IP
Cisco Express Forwarding is not enabled, by Cisco SDM Express or otherwise,
unicast RPF will not be enabled.
To enable unicast RPF, the following configuration will be delivered to the router
for each interface that connects outside of the private network, replacing
<outside interface> with the interface identifier:
interface <outside interface>
ip verify unicast reverse-path