Unicast Rpf Process - Cisco Nexus 9000 Series Configuration Manual

NX-OS Security Configuration Guide, Release 9.x

interface from which the packet was received, the source address might have been modified by the attacker.
If unicast RPF does not find a reverse path for the packet, the packet is dropped.
Note
With unicast RPF, all equal-cost "best" return paths are considered valid, which means that unicast RPF works where multiple return paths exist, if each path is equal to the others in terms of the routing cost (number of hops, weights, and so on) and as long as the route is in the FIB. Unicast RPF also functions where Enhanced Interior Gateway Routing Protocol (EIGRP) variants are being used and unequal candidate paths back to the source IP address exist.
Unicast RPF Process
Unicast RPF has several key implementation principles:
• The packet must be received at an interface that has the best return path (route) to the packet source (a process called symmetric routing). There must be a route in the FIB that matches the route to the receiving interface. Static routes, network statements, and dynamic routing add routes to the FIB.
• IP source addresses at the receiving interface must match the routing entry for the interface.
• Unicast RPF is an input function and is applied only on the input interface of a device at the upstream end of a connection.
You can use unicast RPF for downstream networks, even if the downstream network has other connections to the Internet.
Caution
Be careful when using optional BGP attributes, such as weight and local preference, because an attacker can modify the best path back to the source address. Modification would affect the operation of unicast RPF.
When a packet is received at the interface where you have configured unicast RPF and ACLs, the Cisco NX-OS software performs the following actions:
1. Checks the input ACLs on the inbound interface.
2. Uses unicast RPF to verify that the packet has arrived on the best return path to the source, which it does by doing a reverse lookup in the FIB table.
3. Conducts a FIB lookup for packet forwarding.
4. Checks the output ACLs on the outbound interface.
5. Forwards the packet.
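The five-step order above, together with the equal-cost rule from the Note, can be modelled in a few dozen lines. The following is an added example written for this page, not Cisco code and not how the Nexus 9000 hardware implements the check: the FIB contents, interface names (Ethernet1/1 through Ethernet1/4), ACL entries and packets are all constructed for illustration. It also models a "loose" mode, in which any FIB route to the source is accepted without an interface match; that is the reachable-via any form of the feature, which this page does not describe, so treat it as an assumption layered on top of the strict (symmetric routing) behaviour the text defines.

```python
# Added example (not Cisco code): a model of the uRPF processing order on this page.
# FIB, interface names, ACLs and packets below are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4, Net = ipaddress.IPv4Address, ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")

@dataclass(frozen=True)
class Route:
    prefix: Net
    egress: frozenset  # every equal-cost "best" egress interface for this prefix

class Fib:
    """Longest-prefix match; all equal-cost best paths are kept for each prefix."""
    def __init__(self, routes: List[Route]) -> None:
        self._routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr: IPv4) -> Optional[Route]:
        for route in self._routes:  # most specific first, so the first hit is the longest match
            if addr in route.prefix:
                return route
        return None

def urpf_check(fib: Fib, src: IPv4, in_iface: str, mode: str = "strict") -> Tuple[bool, str]:
    """Reverse FIB lookup of the source. strict: the receiving interface must be one of
    the best return paths (any member of an equal-cost set counts, as the Note says).
    loose: any FIB route to src suffices (assumption: the reachable-via any form, which
    this page does not describe)."""
    route = fib.lookup(src)
    if route is None:
        return False, "no reverse path in FIB"
    if mode == "loose":
        return True, f"route {route.prefix} exists"
    if in_iface in route.egress:
        return True, f"best path to {src} includes {in_iface}"
    return False, f"best path to {src} is via {sorted(route.egress)}, not {in_iface}"

Acl = List[Tuple[str, Net, Net]]  # (permit|deny, source prefix, destination prefix)

def acl_permits(acl: Optional[Acl], src: IPv4, dst: IPv4) -> bool:
    """First match wins, implicit deny at the end; None means no ACL on the interface."""
    if acl is None:
        return True
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False

@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4
    in_iface: str

def process_packet(fib: Fib, pkt: Packet, input_acls: Dict[str, Acl],
                   output_acls: Dict[str, Acl], urpf_mode: Dict[str, str]) -> str:
    """The five steps, in the order the guide lists them; returns the verdict."""
    # 1. Input ACL on the inbound interface (evaluated before uRPF).
    if not acl_permits(input_acls.get(pkt.in_iface), pkt.src, pkt.dst):
        return "dropped: input ACL"
    # 2. Unicast RPF, only where it is enabled on the receiving interface.
    mode = urpf_mode.get(pkt.in_iface)
    if mode is not None:
        ok, reason = urpf_check(fib, pkt.src, pkt.in_iface, mode)
        if not ok:
            return f"dropped: uRPF ({reason})"
    # 3. Forward FIB lookup on the destination chooses the outbound interface.
    route = fib.lookup(pkt.dst)
    if route is None:
        return "dropped: no route to destination"
    out_iface = sorted(route.egress)[0]  # deterministic pick among equal-cost paths
    # 4. Output ACL on the outbound interface.
    if not acl_permits(output_acls.get(out_iface), pkt.src, pkt.dst):
        return f"dropped: output ACL on {out_iface}"
    return f"forwarded via {out_iface}"  # 5. Forward.

# Constructed topology: Ethernet1/1 faces the upstream, Ethernet1/2 and 1/3 are an
# equal-cost pair toward 10.1.0.0/16, Ethernet1/4 is a single downstream customer.
FIB = Fib([Route(Net("203.0.113.0/24"), frozenset({"Ethernet1/1"})),
           Route(Net("10.1.0.0/16"), frozenset({"Ethernet1/2", "Ethernet1/3"})),
           Route(Net("10.2.0.0/24"), frozenset({"Ethernet1/4"}))])
URPF_MODE = {"Ethernet1/1": "loose", "Ethernet1/2": "strict",
             "Ethernet1/3": "strict", "Ethernet1/4": "strict"}
INPUT_ACLS = {"Ethernet1/4": [("deny", Net("10.2.0.0/24"), Net("10.1.99.0/24")), ("permit", ANY, ANY)]}
OUTPUT_ACLS = {"Ethernet1/4": [("deny", Net("203.0.113.0/24"), Net("10.2.0.0/24")), ("permit", ANY, ANY)]}

def demo() -> Dict[str, str]:
    """Run constructed packets through the pipeline; each key names what the case shows."""
    cases = {
        "ecmp_member_accepted": Packet(IPv4("10.1.5.5"), IPv4("203.0.113.9"), "Ethernet1/3"),
        "spoofed_source_strict": Packet(IPv4("10.2.0.7"), IPv4("203.0.113.9"), "Ethernet1/2"),
        "no_reverse_path": Packet(IPv4("198.51.100.9"), IPv4("10.1.5.5"), "Ethernet1/1"),
        "spoofed_source_loose": Packet(IPv4("10.2.0.7"), IPv4("10.1.5.5"), "Ethernet1/1"),
        "input_acl_before_urpf": Packet(IPv4("10.2.0.7"), IPv4("10.1.99.1"), "Ethernet1/4"),
        "output_acl_after_fib": Packet(IPv4("203.0.113.9"), IPv4("10.2.0.7"), "Ethernet1/1"),
    }
    return {n: process_packet(FIB, p, INPUT_ACLS, OUTPUT_ACLS, URPF_MODE) for n, p in cases.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

Two of the cases are worth dwelling on. The spoofed_source_loose packet carries a downstream customer address but arrives from the upstream interface; strict mode drops it (spoofed_source_strict), loose mode forwards it, which is why the page's first principle is symmetric routing. The Caution also shows up in the model: anything that changes the egress set of a prefix, such as an attacker influencing BGP weight or local preference so that the best path to a source moves to another interface, changes the uRPF verdict for every packet from that source without any change to the uRPF configuration itself.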