ip verify unicast source reachable-via

Cisco IOS IP Switching Command Reference, IP Switching Commands (May 2008)
Usage Guidelines

Use the ip verify unicast source reachable-via interface command to mitigate problems caused by malformed or forged (spoofed) IP source addresses that pass through a router. Malformed or forged source addresses can indicate denial-of-service (DoS) attacks based on source IP address spoofing.
To use Unicast RPF, enable Cisco Express Forwarding or distributed Cisco Express Forwarding on the router. There is no need to configure the input interface for Cisco Express Forwarding. As long as Cisco Express Forwarding is running on the router, individual interfaces can be configured with other switching modes.
Note It is very important for Cisco Express Forwarding to be configured globally on the router. Unicast RPF will not work without Cisco Express Forwarding.
Note Unicast RPF is an input function and is applied on the interface of a router only in the ingress direction.
When Unicast RPF is enabled on an interface, the router examines all packets that are received on that interface. The router checks to make sure that the source address appears in the FIB. If the rx keyword is selected (strict mode), the FIB entry for the source address must point back out the interface on which the packet was received; a source whose return path is via any other interface is dropped, so strict mode is only appropriate where routing to and from the source is symmetric. If the any keyword is selected (loose mode), the source address need only be present in the FIB. In either mode a source that matches only the default route is treated as absent from the FIB unless the allow-default keyword is configured. This ability to "look backwards" is available only when Cisco Express Forwarding is enabled on the router, because the lookup relies on the presence of the FIB, which Cisco Express Forwarding generates as part of its operation.
Note If the source address of an incoming packet resolves to a null adjacency, the packet is dropped. The null interface is treated as an invalid interface by the new form of the Unicast RPF command; the older form of the command syntax did not exhibit this behavior.
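The following is an added example and is not Cisco code or part of this reference. It models, in Python, the decision the router makes for each received packet under the rx and any keywords, including the null-adjacency drop described in the note above and the allow-default keyword listed in the command history. The FIB entries, interface names and packet sources are constructed for the illustration; on a router the FIB is built by Cisco Express Forwarding, and the check is enabled per ingress interface with the command itself (for example ip verify unicast source reachable-via rx in interface configuration mode).

```python
import ipaddress

# Null adjacency: the prefix resolves in the FIB but has no usable output interface.
NULL0 = "Null0"

# Constructed FIB for the illustration: (prefix, output interface). On a real
# router this table is generated by Cisco Express Forwarding, not typed by hand.
FIB = [
    ("0.0.0.0/0", "Serial0/0"),       # default route toward the upstream provider
    ("10.1.0.0/16", "Ethernet0/1"),   # customer A, single-homed behind Ethernet0/1
    ("10.2.0.0/16", "Ethernet0/2"),   # customer B, single-homed behind Ethernet0/2
    ("192.0.2.0/24", NULL0),          # discard route: resolves to a null adjacency
]


def fib_lookup(src, fib=FIB):
    """Longest-prefix match of src against fib; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, intf in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best


def urpf_check(src, ingress, mode="rx", allow_default=False, fib=FIB):
    """Decide whether a packet with source src received on ingress passes Unicast RPF.

    mode="rx"  (strict): the FIB return path for src must be via the ingress interface.
    mode="any" (loose):  src need only be present in the FIB.
    allow_default:       whether a match on the default route alone counts as present.
    Returns (accept, reason).
    """
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' or 'any'")
    hit = fib_lookup(src, fib)
    if hit is None:
        return False, "drop: source not in FIB"
    net, intf = hit
    if intf == NULL0:
        # The null interface is treated as an invalid interface: always dropped.
        return False, "drop: source resolves to a null adjacency"
    if net.prefixlen == 0 and not allow_default:
        # Without allow-default, the default route does not count as a FIB match.
        return False, "drop: source matched only the default route"
    if mode == "rx" and intf != ingress:
        # Strict mode: the "look backwards" path must be the receiving interface.
        return False, f"drop: return path is {intf}, packet arrived on {ingress}"
    return True, "pass"


if __name__ == "__main__":
    # Constructed packets: (source address, ingress interface).
    packets = [
        ("10.1.5.5", "Ethernet0/1"),     # customer A using its own address
        ("10.1.5.5", "Ethernet0/2"),     # customer B spoofing customer A's address
        ("203.0.113.9", "Ethernet0/1"),  # address known only via the default route
        ("192.0.2.7", "Ethernet0/1"),    # address covered by the discard route
    ]
    for mode in ("rx", "any"):
        for src, ingress in packets:
            ok, why = urpf_check(src, ingress, mode)
            print(f"{mode:3} {src:>12} on {ingress:12} -> {why}")
```

The spoofed packet from customer B is caught only in strict (rx) mode; loose (any) mode accepts it because the address exists in the FIB, but still drops sources covered by the null adjacency or, without allow-default, by the default route alone.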
Command History

Release        Modification
11.1(CC), 12.0 This command was introduced. This command was not included in Cisco IOS Release 11.2 or 11.3.
12.1(2)T       Added access control list (ACL) support using the list argument. Added per-interface statistics on dropped or suppressed packets.
12.0(15)S      This command replaced the ip verify unicast reverse-path command, and the following keywords were added: allow-default, allow-self-ping, rx, and any.
12.1(8a)E      This command was integrated into Cisco IOS Release 12.1(8a)E.
12.2(14)S      This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(14)SX     Support for this command was introduced on the Supervisor Engine 720.
12.2(17d)SXB   Support for this command was introduced on the Supervisor Engine 2.
12.2(33)SRA    This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SRC    The l2-src keyword was added to support the source IPv4 and source MAC address binding feature on Cisco 7600 series routers. The phys-if keyword was added to support physical input interface verification. Together, both keywords support the Unicast RPF IP and MAC Address Spoof Prevention feature.