IP Switching Commands
ip verify unicast reverse-path
ISW-64
Cisco IOS IP Switching Command Reference
May 2008
Usage Guidelines

Use the ip verify unicast reverse-path interface command to mitigate problems caused by malformed or forged (spoofed) IP source addresses that are received by a router. Malformed or forged source addresses can indicate denial of service (DoS) attacks on the basis of source IP address spoofing.

When Unicast RPF is enabled on an interface, the router examines all packets that are received on that interface. The router checks to ensure that the source address appears in the Forwarding Information Base (FIB) and that it matches the interface on which the packet was received. This “look backwards” ability is available only when Cisco Express Forwarding (CEF) is enabled on the router because the lookup relies on the presence of the FIB. CEF generates the FIB as part of its operation.

To use Unicast RPF, enable CEF switching or distributed CEF (dCEF) switching in the router. There is no need to configure the input interface for CEF switching. As long as CEF is running on the router, individual interfaces can be configured with other switching modes.

Note It is very important for CEF to be configured globally in the router. Unicast RPF will not work without CEF.

Note Unicast RPF is an input function and is applied on the interface of a router only in the ingress direction.

The Unicast Reverse Path Forwarding feature checks to determine whether any packet that is received at a router interface arrives on one of the best return paths to the source of the packet. The feature does this by doing a reverse lookup in the CEF table. If Unicast RPF does not find a reverse path for the packet, Unicast RPF can drop or forward the packet, depending on whether an ACL is specified in the Unicast Reverse Path Forwarding command. If an ACL is specified in the command, then when (and only when) a packet fails the Unicast RPF check, the ACL is checked to determine whether the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). Whether a packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for Unicast RPF drops and in the interface statistics for Unicast RPF.

If no ACL is specified in the Unicast Reverse Path Forwarding command, the router drops the forged or malformed packet immediately and no ACL logging occurs. The router and interface Unicast RPF counters are updated.

Unicast RPF events can be logged by specifying the logging option for the ACL entries used by the Unicast Reverse Path Forwarding command. Log information can be used to gather information about the attack, such as source address, time, and so on.
Where to Use RPF in Your Network

Unicast RPF may be used on interfaces in which only one path allows packets from valid source networks (networks contained in the FIB). Unicast RPF may also be used in cases for which a router has multiple paths to a given network, as long as the valid networks are switched via the incoming interfaces. Packets for invalid networks will be dropped. For example, routers at the edge of the network of an Internet Service Provider (ISP) are likely to have symmetrical reverse paths. Unicast RPF may still be applicable in certain multi-homed situations, provided that optional Border Gateway Protocol (BGP) attributes such as weight and local preference are used to achieve symmetric routing.
With Unicast RPF, all equal-cost “best” return paths are considered valid. This means that Unicast RPF works in cases where multiple return paths exist, provided that each path is equal to the others in terms of the routing cost (number of hops, weights, and so on) and as long as the route is in the FIB. Unicast RPF also functions where Enhanced Interior Gateway Routing Protocol (EIGRP) variants are being used and unequal candidate paths back to the source IP address exist.
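The following is an added example, not Cisco code: a small simulation of the decision logic described in the usage guidelines above (FIB reverse lookup against the ingress interface, the optional ACL consulted only on a failed check, and the counters) and of the equal-cost rule in the preceding paragraph. The FIB, interface names and ACL are constructed sample data.

```python
# Added example (not Cisco IOS code): simulates the strict Unicast RPF check.
import ipaddress

# Constructed FIB: prefix -> set of "best" return interfaces. The entry with
# two interfaces models equal-cost paths, which uRPF treats as all valid.
FIB = {
    "10.1.0.0/16": {"Gi0/1"},
    "10.2.0.0/16": {"Gi0/2", "Gi0/3"},
    "192.0.2.0/24": {"Gi0/1"},
}

# Constructed ACL, consulted only when the uRPF check fails.
# Entries are (action, prefix); first match wins, implicit deny at the end.
ACL = [
    ("permit", "192.0.2.0/24"),  # a known asymmetrically routed prefix
]

def fib_lookup(src):
    """Longest-prefix match on the source address; returns interfaces or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifaces in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best[1] if best else None

def acl_lookup(src):
    """Return the ACL action for the source, 'deny' if nothing matches."""
    addr = ipaddress.ip_address(src)
    for action, prefix in ACL:
        if addr in ipaddress.ip_network(prefix):
            return action
    return "deny"

def urpf_check(src, in_iface, use_acl, counters):
    """Decide 'forward' or 'drop' for a packet from src received on in_iface."""
    ifaces = fib_lookup(src)
    if ifaces is not None and in_iface in ifaces:
        return "forward"  # reverse path matches the ingress interface
    # Check failed: the per-interface uRPF counter is updated either way.
    counters[in_iface] = counters.get(in_iface, 0) + 1
    if not use_acl:
        return "drop"  # no ACL configured: dropped immediately, no ACL logging
    # ACL configured: permit forwards the packet, deny (or no match) drops it.
    return "forward" if acl_lookup(src) == "permit" else "drop"
```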