Specifications

IP Switching Commands
ip verify unicast source reachable-via
ISW-69
Cisco IOS IP Switching Command Reference
May 2008
Unicast RPF checks to determine whether any packet that is received at a router interface arrives on one
of the best return paths to the source of the packet. If a reverse path for the packet is not found, Unicast
RPF can drop or forward the packet, depending on whether an ACL is specified in the Unicast RPF
command. If an ACL is specified in the command, when (and only when) a packet fails the Unicast RPF
check, the ACL is checked to determine whether the packet should be dropped (using a deny statement
in the ACL) or forwarded (using a permit statement in the ACL). Whether a packet is dropped or
forwarded, the packet is counted in the global IP traffic statistics for Unicast RPF drops and in the
interface statistics for Unicast RPF.
If no ACL is specified in the ip verify unicast source reachable-via command, the router drops the
forged or malformed packet immediately, and no ACL logging occurs. The router and interface Unicast
RPF counters are updated.
Unicast RPF events can be logged by specifying the logging option for the ACL entries that are used by
the ip verify unicast source reachable-via command. Log information can be used to gather
information about the attack, such as source address, time, and so on.
Strict Mode RPF
If the source address is in the FIB and reachable only through the interface on which the packet was
received, the packet is passed. The syntax for this method is ip verify unicast source reachable-via rx.
Exists-Only (or Loose Mode) RPF
If the source address is in the FIB and reachable through any interface on the router, the packet is passed.
The syntax for this method is ip verify unicast source reachable-via any.
Because this Unicast RPF option passes packets regardless of which interface the packet enters, it is
often used on Internet service provider (ISP) routers that are “peered” with other ISP routers (where
asymmetrical routing typically occurs). Packets using source addresses that have not been allocated on
the Internet, which are often used for spoofed source addresses, are dropped by this Unicast RPF option.
All other packets that have an entry in the FIB are passed.
allow-default
Normally, sources found in the FIB but only by way of the default route will be dropped. Specifying the
allow-default keyword option overrides this behavior: you must specify the allow-default keyword in
the command for Unicast RPF to match on prefixes that are known only through the default route and
pass those packets.
allow-self-ping
This keyword allows the router to ping its own interface or interfaces. By default, when Unicast RPF is
enabled, packets that are generated by the router and destined to the router are dropped, thereby making
certain troubleshooting and management tasks difficult to accomplish. Issue the allow-self-ping
keyword to enable self-pinging.
Caution: Caution should be used when enabling the allow-self-ping keyword because this option opens a
potential DoS hole.
Where to Use RPF in Your Network
Unicast RPF strict mode may be used on interfaces in which only one path allows packets from valid
source networks (networks contained in the FIB). Unicast RPF strict mode may also be used in cases for
which a router has multiple paths to a given network, as long as the valid networks are switched via the
incoming interfaces. Packets for invalid networks will be dropped. For example, routers at the edge of