Specifications
IP Switching Commands
ipv6 verify unicast source reachable-via
ISW-85
Cisco IOS IP Switching Command Reference
May 2008
ipv6 verify unicast source reachable-via
To verify that a source address exists in the FIB table and enable Unicast Reverse Path Forwarding
(Unicast RPF), use the ipv6
verify unicast source reachable-via command in interface configuration
mode. To disable URPF, use the no form of this command.
ipv6 verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping]
[access-list-name]
no ipv6 verify unicast
Syntax Description
Command Default Unicast RPF is disabled.
Command Modes Interface configuration
Command History
Usage Guidelines The ipv6 verify unicast reverse-path command is used to enable Unicast RPF for IPv6 in loose
checking mode.
Use the ipv6 verify unicast source reachable-via command to mitigate problems caused by malformed
or forged (spoofed) IP source addresses that pass through an IPv6 router. Malformed or forged source
addresses can indicate denial-of-service (DoS) attacks based on source IPv6 address spoofing.
The URPF feature checks to see if any packet received at a router interface arrives on one of the best
return paths to the source of the packet. The feature does this by doing a reverse lookup in the CEF table.
If URPF does not find a reverse path for the packet, U RPF can drop or forward the packet, depending
on whether an access control list (ACL) is specified in the ipv6 verify unicast source reachable-via
command. If an ACL is specified in the command, then when (and only when) a packet fails the URPF
check, the ACL is checked to see if the packet should be dropped (using a deny statement in the ACL)
or forwarded (using a permit statement in the ACL). Whether a packet is dropped or forwarded, the
packet is counted in the global IP traffic statistics for U RPF drops and in the interface statistics for
Unicast RPF.
rx Source is reachable through the interface on which the packet was
received.
any Source is reachable through any interface.
allow-default (Optional) Allows the lookup table to match the default route and use
the route for verification.
allow-self-ping (Optional) Allows the router to ping a secondary address.
access-list-name (Optional) Name of the IPv6 access list. Names cannot contain a
space or quotation mark, or begin with a numeric.
Release Modification
12.2(25)S This command was introduced.
12.2(28)SB This command was integrated into Cisco IOS Release 12.2(28)SB.