Specifications

ManualsBrandsCisco ManualsComputer equipmentVIP-4R/4T

111

112

113

114

115

116

117

118

119

120

IP Switching Commands

ipv6 verify unicast reverse-path

ISW-83

Cisco IOS IP Switching Command Reference

May 2008

Unicast Reverse Path Forwarding on a Cisco 12000 Series Internet Router

The following example shows how to enable Unicast RPF for IPv6 with strict checking on a 10G SIP

Gigabit Ethernet interface 2/1/2:

Router# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)# interface gigabitEthernet 2/1/2

Router(config-if)# ipv6 verify unicast reverse-path

Router(config-if)# exit

Unicast Reverse Path Forwarding on a Single-Homed ISP

The following example uses a very simple single-homed ISP to demonstrate the concepts of ingress and

egress filters used in conjunction with Unicast RPF. The example illustrates an ISP-allocated classless

interdomain routing (CIDR) block 209.165.202.128/28 that has both inbound and outbound filters on the

upstream interface. Be aware that ISPs are usually not single-homed. Hence, provisions for

asymmetrical flows (when outbound traffic goes out one link and returns via a different link) need to be

designed into the filters on the border routers of the ISP.

interface Serial 5/0/0

description Connection to Upstream ISP

ipv6 address FE80::260:3EFF:FE11:6770/64

no ipv6 redirects

ipv6 verify unicast reverse-path abc

ipv6 access-list abc

permit ipv6 host 2::1 any

deny ipv6 FEC0::/10 any

ipv6 access-group abc in

ipv6 access-group jkl out

access-list abc permit ip FE80::260:3EFF:FE11:6770/64 2001:0DB8:0000:0001::0001any

access-list abc deny ipv6 any any log

access-list jkl deny ipv6 host 2001:0DB8:0000:0001::0001 any log

access-list jkl deny ipv6 2001:0DB8:0000:0001:FFFF:1234::5.255.255.255 any log

access-list jkl deny ipv6 2002:0EF8:002001:0DB8:0000:0001:FFFF:1234::5172.16.0.0

0.15.255.255 any log

access-list jkl deny ipv6 2001:0CB8:0000:0001:FFFF:1234::5 0.0.255.255 any log

access-list jkl deny ipv6 2003:0DB8:0000:0001:FFFF:1234::5 0.0.0.31 any log

access-list jkl permit ipv6

ACL Logging with Unicast RPF

The following example demonstrates the use of ACLs and logging with Unicast RPF. In this example,

extended ACL abc provides entries that deny or permit network traffic for specific address ranges.

Unicast RPF is configured on interface Ethernet 0/0 to check packets arriving at that interface.

For example, packets with a source address of 8765:4321::1 arriving at interface Ethernet 0 are dropped

because of the deny statement in ACL “abc.” In this case, the ACL information is logged (the logging

option is turned on for the ACL entry) and dropped packets are counted per-interface and globally.

Packets with a source address of 1234:5678::1 arriving at interface Ethernet 0/0 are forwarded because

of the permit statement in ACL abc. ACL information about dropped or suppressed packets is logged

(the logging option is turned on for the ACL entry) to the log server.

interface ethernet 0/0

ipv6 address FE80::260:3EFF:FE11:6770/64 link-local

ipv6 verify unicast reverse-path abc

ipv6 access-list abc