Chapter 34: Configuring Unicast Reverse Path Forwarding - Cisco Catalyst 4500 Series Configuration Manual

Software Configuration Guide, Release IOS XE 3.3.0SG and IOS 15.1(1)SG (OL-25340-01)
About Unicast Reverse Path Forwarding

Attacks such as Smurf and Tribal Flood Network (TFN) can take advantage of forged or rapidly changing source IP addresses to allow attackers to thwart efforts to locate or filter the attacks. For Internet service providers (ISPs) that provide public access, Unicast RPF deflects such attacks by forwarding only packets that have source addresses that are valid and consistent with the IP routing table. This action protects the network of the ISP, its customers, and the rest of the Internet.
This section covers the following information:

How Unicast RPF Works, page 34-2
Implementing Unicast RPF, page 34-4
Restrictions, page 34-8
Related Features and Technologies, page 34-8
Prerequisites to Configuring Unicast RPF, page 34-9

How Unicast RPF Works
When Unicast RPF is enabled on an interface, the switch examines all packets received as input on that interface to make sure that the source address and source interface appear in the routing table and match the interface on which the packet was received. This ability to look backwards is available only when Cisco Express Forwarding (CEF) is enabled on the switch, because the lookup relies on the presence of the Forwarding Information Base (FIB). CEF generates the FIB as part of its operation.
Note: Unicast RPF is an input function and is applied only on the input interface of a switch at the upstream end of a connection.
Unicast RPF checks to see if any packet received at a switch interface arrives on the best return path (return route) to the source of the packet. Unicast RPF does this by doing a reverse lookup in the CEF table. If the packet was received from one of the best reverse path routes, the packet is forwarded as normal. If there is no reverse path route on the same interface from which the packet was received, it might mean that the source address was modified. If Unicast RPF does not find a reverse path for the packet, the packet is dropped.
Note: With Unicast RPF, all equal-cost "best" return paths are considered valid. This means that Unicast RPF works in cases where multiple return paths exist, provided that each path is equal to the others in terms of the routing cost (number of hops, weights, and so on) and as long as the route is in the FIB. Unicast RPF also functions where EIGRP variants are being used and unequal candidate paths back to the source IP address exist.
When a packet is received at the interface where Unicast RPF and ACLs have been configured, the following actions occur:

Step 1  Input ACLs configured on the inbound interface are checked.
Step 2  Unicast RPF checks to see if the packet has arrived on the best return path to the source, which it does by doing a reverse lookup in the FIB table.
Step 3  CEF table (FIB) lookup is carried out for packet forwarding.
Step 4  Output ACLs are checked on the outbound interface.
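As an added illustration (not code from the Cisco guide), the following Python model implements the reverse lookup and the four-step processing order described above against a small constructed FIB, including the equal-cost and more-specific-route cases; the prefixes and interface names are made up, and the FIB deliberately has no default route so that an unroutable source has no reverse path.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed FIB for the model: prefix -> egress interfaces. A prefix with
# two interfaces models equal-cost best return paths; no default route is
# present, so a source that matches nothing has no reverse path at all.
FIB: Dict[str, List[str]] = {
    "203.0.113.0/24": ["Gi1/1"],           # upstream / Internet side
    "10.1.0.0/16":    ["Gi1/2"],           # customer A
    "10.2.0.0/16":    ["Gi1/3", "Gi1/4"],  # customer B, two equal-cost links
    "10.2.5.0/24":    ["Gi1/5"],           # more specific route inside customer B
}

def fib_lookup(addr: str, fib: Dict[str, List[str]] = FIB) -> Optional[Tuple[str, List[str]]]:
    """Longest-prefix match, the lookup CEF performs against the FIB."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifaces in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return (str(best[0]), best[1]) if best else None

def urpf_check(src: str, ingress: str, fib: Dict[str, List[str]] = FIB) -> bool:
    """Reverse lookup on the source: drop if there is no route back to it, or if
    the packet did not arrive on one of the best return paths (every equal-cost
    path counts as valid)."""
    route = fib_lookup(src, fib)
    if route is None:
        return False
    return ingress in route[1]

def forward(pkt: dict, in_acl, out_acl, fib: Dict[str, List[str]] = FIB) -> str:
    """Processing order from the four steps above: input ACL, uRPF, FIB lookup
    for the destination, output ACL. ACLs are callables returning True = permit."""
    if not in_acl(pkt):                                   # Step 1
        return "dropped: input ACL"
    if not urpf_check(pkt["src"], pkt["ingress"], fib):   # Step 2
        return "dropped: uRPF"
    route = fib_lookup(pkt["dst"], fib)                   # Step 3
    if route is None:
        return "dropped: no route to destination"
    egress = route[1][0]  # model: first equal-cost path is chosen for forwarding
    if not out_acl(pkt, egress):                          # Step 4
        return "dropped: output ACL"
    return "forwarded via " + egress
```

A packet from 10.1.7.7 arriving on Gi1/1 is dropped even though 10.1.7.7 is routable, because its only best return path is Gi1/2; the same source on Gi1/2 is forwarded.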