Specifications

IP Switching Commands
ip verify unicast source reachable-via
ISW-70
Cisco IOS IP Switching Command Reference
May 2008
the network of an ISP are likely to have symmetrical reverse paths. Unicast RPF strict mode may still be
applicable in certain multihomed situations, provided that optional Border Gateway Protocol (BGP)
attributes, such as weight and local preference, are used to achieve symmetric routing.
Note: With Unicast RPF, all equal-cost "best" return paths are considered valid. This means that Unicast RPF
works in cases where multiple return paths exist, provided that each path is equal to the others in terms
of the routing cost (number of hops, weights, and so on) and as long as the route is in the FIB. Unicast
RPF also functions where Enhanced Interior Gateway Routing Protocol (EIGRP) variants are being used
and unequal candidate paths back to the source IP address exist.
Unicast RPF loose mode may be used on interfaces in which asymmetric paths allow packets from valid
source networks (networks contained in the FIB). Routers that are in the core of the ISP network have
no guarantee that the best forwarding path out of the router will be the path selected for packets returning
to the router.
IP and MAC Address Spoof Prevention on Cisco 7600 Series Routers
In Release 12.2(33)SRC and later, use the l2-src keyword to enable source IPv4 and source MAC address
binding and the phys-if keyword to verify the source IP input interface. To disable source IPv4 and
source MAC address binding, use the no form of the ip verify unicast source reachable-via
command. The phys-if keyword can be used on Gigabit virtual interfaces (GVI); the l2-src
keyword can be used on GVI and Ethernet-like interfaces.
If an inbound packet fails either of these security checks, it will be dropped and the Unicast RPF
dropped-packet counter will be incremented. The only exception occurs if a numbered access control
list has been specified as part of the Unicast RPF command in strict mode, and the ACL permits the
packet. In this case the packet will be forwarded and the Unicast RPF suppressed-drops counter will be
incremented.
Note: Neither the l2-src nor the phys-if keyword can be used with the loose uRPF command,
ip verify unicast source reachable-via any.
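The strict and loose checks, the equal-cost rule, and the ACL exception described above can be modeled in a few lines. This is an added illustration, not Cisco code: the FIB contents, interface names, and function names (fib_lookup, validate, urpf_check) are constructed for the example, and the model is a simplification with no default route.

```python
import ipaddress
from collections import Counter

# Constructed FIB: prefix -> interfaces on the equal-cost best paths to it.
FIB = {
    ipaddress.ip_network("198.51.100.0/24"): {"Gi0/1"},
    ipaddress.ip_network("203.0.113.0/24"): {"Gi0/1", "Gi0/2"},  # two equal-cost paths
}

def fib_lookup(src):
    """Longest-prefix match; return the best-path interface set, or None."""
    addr = ipaddress.ip_address(src)
    matches = [net for net in FIB if addr in net]
    return FIB[max(matches, key=lambda net: net.prefixlen)] if matches else None

def validate(mode, keywords):
    """Reject l2-src / phys-if together with loose mode (reachable-via any)."""
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' (strict) or 'any' (loose)")
    if mode == "any" and {"l2-src", "phys-if"} & set(keywords):
        raise ValueError("l2-src and phys-if cannot be used with loose mode")

def urpf_check(src, in_if, mode, acl_permits=None, counters=None):
    """Return 'forward' or 'drop' for one inbound packet.

    acl_permits: optional callable(src) -> bool standing in for the numbered
    ACL; the text describes that exception for strict mode, so it is only
    consulted there.
    """
    validate(mode, ())
    counters = Counter() if counters is None else counters
    paths = fib_lookup(src)
    if mode == "any":
        passed = paths is not None               # any FIB route to the source
    else:
        passed = paths is not None and in_if in paths  # arrived on a best return path
    if passed:
        return "forward"
    if mode == "rx" and acl_permits is not None and acl_permits(src):
        counters["suppressed_drops"] += 1        # failed the check, ACL permitted it
        return "forward"
    counters["drops"] += 1
    return "drop"

if __name__ == "__main__":
    c = Counter()
    print(urpf_check("203.0.113.7", "Gi0/2", "rx", counters=c))   # second equal-cost path
    print(urpf_check("198.51.100.9", "Gi0/2", "rx", counters=c))  # asymmetric arrival
    print(urpf_check("198.51.100.9", "Gi0/2", "any", counters=c)) # loose mode
    print(dict(c))
```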
Possible keyword combinations for Unicast RPF include the following:
allow-default
allow-self-ping
l2-src
phys-if
<ACL-number>
allow-default allow-self-ping
allow-default l2-src
allow-default phys-if
allow-default <ACL-number>
allow-self-ping l2-src
allow-self-ping phys-if
allow-self-ping <ACL-number>
l2-src phys-if
l2-src <ACL-number>
phys-if <ACL-number>
allow-default allow-self-ping l2-src
allow-default allow-self-ping phys-if
allow-default allow-self-ping <ACL-number>
allow-default l2-src phys-if
allow-default l2-src <ACL-number>
allow-default phys-if <ACL-number>
allow-self-ping l2-src phys-if
allow-self-ping l2-src <ACL-number>