Cisco Catalyst 4500 series Administration Manual page 878

Chapter 36 Configuring Unicast Reverse Path Forwarding
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01

About Unicast Reverse Path Forwarding

ACLs work well for many single-homed customers; however, there are trade-offs when ACLs are used
as ingress filters, including two commonly referenced limitations:

- Packet per second (PPS) performance at very high packet rates

  Note: This restriction applies only to software packet forwarding. Hardware packet forwarding is the
  same on both ACL and uRPF.

- Maintenance of the ACL (whenever new addresses are added to the network)

Unicast RPF is one tool that addresses both of these limitations. With Unicast RPF, ingress filtering is
done at CEF PPS rates. This processing speed makes a difference when the link is more than 1 Mbps.
Additionally, since Unicast RPF uses the FIB, no ACL maintenance is necessary, and thus the
administration overhead of traditional ACLs is reduced. The following figure and example demonstrate
how Unicast RPF is configured for ingress filtering.

Figure 36-3 illustrates an enterprise network that has a single link to an upstream ISP. In this example,
Unicast RPF is applied at interface Gigabit Ethernet 1/1 on the Enterprise switch for protection from
malformed packets arriving from the Internet. Unicast RPF is also applied at interface
Gigabit Ethernet 2/1 on the ISP switch for protection from malformed packets arriving from the
enterprise network.

Figure 36-3 Enterprise Network Using Unicast RPF for Ingress Filtering
[Figure: Enterprise network (G1/2, G1/1), Upstream ISP (G2/1), Internet]

Using the topology in Figure 36-3, a typical configuration (assuming that CEF is turned on) on the
ISP switch appears as follows:

interface GigabitEthernet 2/1
 description Link to Enterprise Network
 ip address 192.168.3.1 255.255.255.255
 no switchport
 ! a later "ip address" without "secondary" replaces the interface's primary address
 ip address 10.1.1.2 255.255.255.0
 ! strict-mode uRPF; allow-default lets the default route satisfy the check
 ip verify unicast source reachable-via rx allow-default

The gateway switch configuration of the enterprise network (assuming that CEF is turned on) appears as
follows:

interface GigabitEthernet 1/2
 description ExampleCorp LAN
 ip address 192.168.10.1 255.255.252.0
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
!
interface GigabitEthernet 1/1
 description Link to Internet
 no switchport
 ip address 10.1.1.1 255.255.255.0
 ! strict-mode uRPF on the Internet-facing link, as on the ISP side
 ip verify unicast source reachable-via rx allow-default
 no ip proxy-arp
 no ip redirects
 no ip directed-broadcast
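To show what the strict-mode check with allow-default decides on the enterprise gateway above, here is a small model of the FIB lookup. It is an added example, not code from Cisco or from this guide. The connected prefixes follow the interface addresses on the page; the default route toward 10.1.1.2, the sample source addresses and the function names are assumptions of the example.

```python
import ipaddress

# Constructed FIB for the enterprise gateway in Figure 36-3. Connected
# prefixes come from the page's interface addresses; the default route
# toward the ISP (10.1.1.2) is an assumption of this example.
ROUTES = [
    ("192.168.8.0/22", "Gi1/2"),  # LAN: 192.168.10.1 255.255.252.0
    ("10.1.1.0/24", "Gi1/1"),     # link to the ISP
    ("0.0.0.0/0", "Gi1/1"),       # assumed default route via 10.1.1.2
]
FIB = [(ipaddress.ip_network(prefix), ifc) for prefix, ifc in ROUTES]


def lookup(src):
    """Longest-prefix match of src in the FIB: (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    matches = [(net, ifc) for net, ifc in FIB if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)


def urpf_strict(src, in_ifc, allow_default=False):
    """Simplified model of 'ip verify unicast source reachable-via rx'.

    The packet passes only if the best route back to its source points out
    the interface it arrived on. A source that matches nothing but
    0.0.0.0/0 passes only when allow_default is set. Equal-cost multipath
    is not modelled.
    """
    best = lookup(src)
    if best is None:
        return False
    net, ifc = best
    if net.prefixlen == 0 and not allow_default:
        return False
    return ifc == in_ifc


if __name__ == "__main__":
    # Constructed sources, all arriving on the Internet-facing port Gi1/1.
    for src in ("203.0.113.7", "10.1.1.2", "192.168.9.20"):
        for allow in (True, False):
            ok = urpf_strict(src, "Gi1/1", allow_default=allow)
            print(f"{src:>13} allow-default={allow!s:<5} "
                  f"{'forward' if ok else 'drop'}")
```

With only a default route toward the ISP, ordinary Internet sources pass the check on Gi1/1 only because of allow-default, while a packet arriving there with a LAN source address is dropped because its reverse path is Gi1/2.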
