Security Policy And Unicast Rpf - Cisco Catalyst 4500 Series Software Configuration Manual

Cisco IOS XE Release 3.9.xE and Cisco IOS Release 15.2(5)Ex
Chapter 37
Configuring Unicast Reverse Path Forwarding
This section provides information about the implementation of Unicast RPF:

Security Policy and Unicast RPF, page 37-5
Where to Use Unicast RPF, page 37-5
Routing Table Requirements, page 37-7
Where Not to Use Unicast RPF, page 37-7
Unicast RPF with BOOTP and DHCP, page 37-8

Security Policy and Unicast RPF

Consider the following points in determining your policy for deploying Unicast RPF:

• Unicast RPF must be applied at the interface downstream from the larger portion of the network, preferably at the edges of your network.

• The farther downstream you apply Unicast RPF, the finer the granularity you have in mitigating address spoofing and in identifying the sources of spoofed addresses. For example, applying Unicast RPF on an aggregation switch helps mitigate attacks from many downstream networks or clients and is simple to administer, but it does not help identify the source of the attack. Applying Unicast RPF at the network access server helps limit the scope of the attack and trace the source of the attack; however, deploying Unicast RPF across many sites does add to the administration cost of operating the network.

• The more entities that deploy Unicast RPF across Internet, intranet, and extranet resources, the better the chances of mitigating large-scale network disruptions throughout the Internet community, and the better the chances of tracing the source of an attack.

• Unicast RPF will not inspect IP packets encapsulated in tunnels, such as GRE, L2TP, or PPTP. Unicast RPF must be configured at a home gateway so that Unicast RPF processes network traffic only after the tunneling and encryption layers have been stripped off the packets.

Where to Use Unicast RPF

Unicast RPF can be used in any single-homed environment where there is essentially only one access point out of the network; that is, one upstream connection. Networks having one access point offer the best example of symmetric routing, which means that the interface where a packet enters the network is also the best return path to the source of the IP packet. Unicast RPF is best used at the network perimeter for Internet, intranet, or extranet environments, or in ISP environments for customer network terminations.

Enterprise Networks with a Single Connection to an ISP

In enterprise networks, one objective of using Unicast RPF for filtering traffic at the input interface (a process called ingress filtering) is for protection from malformed packets arriving from the Internet. Traditionally, local networks with one connection to the Internet use ACLs at the receiving interface to prevent spoofed packets from the Internet from entering their local network.
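The strict-mode check that the single-homed and symmetric-routing discussion above relies on (the ingress interface must also be the best return path to the packet's source), as an added Python model that is not part of the Cisco guide: the FIB, interface names and packets below are constructed, and treating the default route as usable only when allow_default is set is this model's assumption about the IOS allow-default keyword.

```python
import ipaddress

def lookup(fib, address, allow_default=False):
    """Longest-prefix match over a constructed FIB of (prefix, interface)
    pairs. The default route only counts when allow_default is set, which
    models the IOS allow-default keyword (assumption of this model)."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def strict_urpf_passes(fib, src, ingress, allow_default=False):
    """Strict uRPF: the packet passes only if the best route back to its
    source leaves through the interface the packet arrived on."""
    return lookup(fib, src, allow_default) == ingress

def classify(fib, packets, allow_default=False):
    """Split constructed (src, ingress) packets into (accepted, dropped)."""
    accepted, dropped = [], []
    for pkt in packets:
        passes = strict_urpf_passes(fib, *pkt, allow_default=allow_default)
        (accepted if passes else dropped).append(pkt)
    return accepted, dropped

# Single-homed enterprise edge: inside LAN on Gi1/1, one ISP uplink on Gi1/2.
SINGLE_HOMED_FIB = [("10.0.0.0/8", "Gi1/1"), ("0.0.0.0/0", "Gi1/2")]

# Constructed packets seen at that edge: (source address, ingress interface).
PACKETS = [
    ("203.0.113.7", "Gi1/2"),  # Internet host via the uplink: legitimate
    ("10.1.2.3", "Gi1/2"),     # internal source arriving from the ISP: spoofed
    ("10.1.2.3", "Gi1/1"),     # inside host on the inside interface: legitimate
    ("192.0.2.9", "Gi1/1"),    # inside host using an outside address: spoofed
]

# Multi-homed edge: 198.51.100.0/24 is best reached via ISP B on Gi1/3, so a
# legitimate packet from it entering via ISP A on Gi1/2 fails strict uRPF.
MULTI_HOMED_FIB = [("10.0.0.0/8", "Gi1/1"), ("198.51.100.0/24", "Gi1/3"),
                   ("0.0.0.0/0", "Gi1/2")]

if __name__ == "__main__":
    ok, bad = classify(SINGLE_HOMED_FIB, PACKETS, allow_default=True)
    print("single-homed accepted:", ok, "dropped:", bad)
    print("multi-homed asymmetric drop:",
          not strict_urpf_passes(MULTI_HOMED_FIB, "198.51.100.5", "Gi1/2"))
```

Running it shows the two spoofed packets dropped at the single-homed edge and a legitimate packet dropped in the multi-homed case, which is why the guide restricts strict uRPF to symmetric, single-homed points.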
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
About Unicast Reverse Path Forwarding
37-5