Specifications

ManualsBrandsCisco ManualsComputer equipmentVIP-4R/4T

100

IP Switching Commands

ip verify unicast reverse-path

ISW-65

Cisco IOS IP Switching Command Reference

May 2008

For example, routers at the edge of the network of an ISP are more likely to have symmetrical reverse

paths than routers that are in the core of the ISP network. Routers that are in the core of the ISP network

have no guarantee that the best forwarding path out of the router will be the path selected for packets

returning to the router. In this scenario, you should use the new form of the command, ip verify unicast

source reachable-via, if there is a chance of asymmetrical routing.

Examples The following example shows that the Unicast Reverse Path Forwarding feature has been enabled on a

serial interface:

ip cef

! or "ip cef distributed" for RSP+VIP based routers

interface serial 5/0/0

ip verify unicast reverse-path

The following example uses a very simple single-homed ISP to demonstrate the concepts of ingress and

egress filters used in conjunction with Unicast RPF. The example illustrates an ISP-allocated classless

interdomain routing (CIDR) block 192.168.202.128/28 that has both inbound and outbound filters on the

upstream interface. Be aware that ISPs are usually not single-homed. Hence, provisions for

asymmetrical flows (when outbound traffic goes out one link and returns via a different link) need to be

designed into the filters on the border routers of the ISP.

ip cef distributed

interface Serial 5/0/0

description Connection to Upstream ISP

ip address 192.168.200.225 255.255.255.255

no ip redirects

no ip directed-broadcast

no ip proxy-arp

ip verify unicast reverse-path

ip access-group 111 in

ip access-group 110 out

access-list 110 permit ip 192.168.202.128 10.0.0.31 any

access-list 110 deny ip any any log

access-list 111 deny ip host 10.0.0.0 any log

access-list 111 deny ip 172.16.0.0 255.255.255.255 any log

access-list 111 deny ip 10.0.0.0 255.255.255.255 any log

access-list 111 deny ip 172.16.0.0 255.255.255.255 any log

access-list 111 deny ip 192.168.0.0 255.255.255.255 any log

access-list 111 deny ip 209.165.202.129 10.0.0.31 any log

access-list 111 permit ip any any

The following example demonstrates the use of ACLs and logging with Unicast RPF. In this example,

extended ACL 197 provides entries that deny or permit network traffic for specific address ranges.

Unicast RPF is configured on interface Ethernet 0 to check packets arriving at that interface.

For example, packets with a source address of 192.168.201.10 arriving at interface Ethernet 0 are

dropped because of the deny statement in ACL 197. In this case, the ACL information is logged (the

logging option is turned on for the ACL entry) and dropped packets are counted per-interface and

globally. Packets with a source address of 192.168.201.100 arriving at interface Ethernet 0 are forwarded

because of the permit statement in ACL 197. ACL information about dropped or suppressed packets is

logged (the logging option is turned on for the ACL entry) to the log server.

ip cef distributed

int eth0/1/1

ip address 192.168.200.1 255.255.255.255