Licensing Requirements For Unicast Rpf; Guidelines And Limitations For Unicast Rpf - Cisco Nexus 9000 Series Configuration Manual

Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
Configuring Unicast RPF

Licensing Requirements for Unicast RPF

Product: Cisco NX-OS
License Requirement: Unicast RPF requires no license. Any feature not included in a license package is bundled with the nx-os image and is provided at no extra charge to you. For a complete explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.

Guidelines and Limitations for Unicast RPF

Unicast RPF (uRPF) has the following configuration guidelines and limitations:
• uRPF is supported for the following platforms:
  • Cisco Nexus 9500 Series switches with N9K-X9636C-R and N9K-X9636Q-R line cards.
  • Cisco Nexus 9500 Series switches with N9K-X9636C-RX line cards.
  • Cisco Nexus 9300 platform switches (excluding the 9300-FXP switches).
• Beginning with Cisco NX-OS Release 9.2(1), uRPF is supported for Cisco Nexus 9300-EX Series switches (for IPv4 only) and on Cisco Nexus 9300-FX/FX2 Series switches (for IPv4 and IPv6).
• You must apply uRPF at the interface downstream from the larger portion of the network, preferably at the edges of your network.
• The further downstream that you apply uRPF, the finer the granularity you have in mitigating address spoofing and in identifying the sources of spoofed addresses. For example, applying uRPF on an aggregation device helps to mitigate attacks from many downstream networks or clients and is simple to administer, but it does not help identify the source of the attack. Applying uRPF at the network access server helps limit the scope of the attack and trace the source of the attack; however, deploying uRPF across many sites does add to the administration cost of operating the network.
• The more entities that deploy uRPF across Internet, intranet, and extranet resources means the better the chances of mitigating large-scale network disruptions throughout the Internet community and of tracing the source of an attack.
• uRPF will not inspect IP packets that are encapsulated in tunnels, such as generic routing encapsulation (GRE) tunnels. You must configure uRPF at a home gateway so that uRPF processes network traffic only after the tunneling and encryption layers have been stripped off the packets.
• You can use uRPF in any "single-homed" environment where there is only one access point out of the network or one upstream connection. Networks that have one access point provide symmetric routing, which means that the interface where a packet enters the network is also the best return path to the source of the IP packet.
• Do not use uRPF on interfaces that are internal to the network. Internal interfaces are likely to have routing asymmetry, which means that multiple routes to the source of a packet exist. You should configure uRPF only where there is natural or configured symmetry.
• uRPF allows packets with 0.0.0.0 source and 255.255.255.255 destination to pass so that the Bootstrap Protocol (BOOTP) and the Dynamic Host Configuration Protocol (DHCP) can operate correctly.
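The reverse-path check behind the symmetry, internal-interface and BOOTP/DHCP guidelines above, as an added Python model that is not taken from the Cisco guide and is not NX-OS code. It assumes the check permits a packet only when the best route back to its source points out the ingress interface; the interface names, prefixes and forwarding tables are constructed for illustration.

```python
import ipaddress

# Constructed FIB for a hypothetical single-homed edge device:
# prefix -> interface on the best path toward that prefix.
EDGE_FIB = {
    "0.0.0.0/0": "Ethernet1/1",        # the one upstream connection
    "198.51.100.0/24": "Ethernet1/2",  # downstream customer A
    "203.0.113.0/24": "Ethernet1/3",   # downstream customer B
}

# Constructed FIB for a hypothetical internal device with two paths to
# customer A; routing currently prefers Ethernet1/4.
INTERNAL_FIB = {"198.51.100.0/24": "Ethernet1/4"}

def best_interface(fib, addr):
    """Longest-prefix match: interface of the best route to addr, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(ipaddress.ip_network(p), ifname) for p, ifname in fib.items()
               if ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def urpf_permit(fib, ingress, src, dst):
    """True if the packet passes the reverse-path check on `ingress`."""
    # Exception from the guidelines: BOOTP/DHCP client broadcasts pass.
    if src == "0.0.0.0" and dst == "255.255.255.255":
        return True
    # Permit only if the best return path to the source is the ingress port.
    return best_interface(fib, src) == ingress

def run_cases():
    """Evaluate constructed packets; returns {label: permitted}."""
    return {
        "edge: customer A uses its own address":
            urpf_permit(EDGE_FIB, "Ethernet1/2", "198.51.100.20", "192.0.2.10"),
        "edge: customer A claims customer B's address":
            urpf_permit(EDGE_FIB, "Ethernet1/2", "203.0.113.7", "192.0.2.10"),
        "edge: DHCP discover from customer A":
            urpf_permit(EDGE_FIB, "Ethernet1/2", "0.0.0.0", "255.255.255.255"),
        "internal: genuine packet arrives on the non-preferred path":
            urpf_permit(INTERNAL_FIB, "Ethernet1/5", "198.51.100.20", "192.0.2.10"),
    }

if __name__ == "__main__":
    for label, permitted in run_cases().items():
        print(f"{'permit' if permitted else 'drop  '}  {label}")
```

The last case is the asymmetry problem from the guidelines: the source address is genuine, but the packet is dropped because it arrived on an interface that is not the best return path.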
