U Nicast Rpf - HP ProCurve 9304M Security Manual

Figure 9.2 Unicast RPF configuration with an interface identified as external
In this example, interface 2/1 as identified as an external interface. When the HP device compiles the list of
internally learned routes for unicast RPF, it does not include the routes learned on interface 2/1. Note that
identifying an external interface in this way (using the ip verify unicast external-interface command, rather than
the ip verify unicast reverse-path external command) does not enable unicast RPF for incoming packets on the
interface. In the example, unicast RPF CAM entries are not created for routes learned on interface 2/1, and
incoming traffic on interface 2/1 is not permitted or denied using unicast RPF CAM entries.
NOTE: Unicast RPF is supported on HP devices running Enterprise software release 07.8.00 or higher. This
feature is supported on EP devices only. It is not supported on 10 Gigabit Ethernet interfaces.
Configuring Unicast RPF
To configure unicast RPF, you enable it on an interface and specify the interface as external. Note that unicast
RPF applies to incoming traffic on an interface where it is configured.
For example, the following commands enable unicast RPF on interface e 1/1, and identify it as an external
interface:
ProCurveRS# interface e 1/1
ProCurveRS(config-if-e100-1/1)# ip verify unicast reverse-path external
When unicast RPF is enabled on an external interface, packets with source IP addresses that correspond to the
internally learned routes are denied. All other traffic is permitted.
Syntax: [no] ip verify unicast reverse-path external
To identify an interface as an external interface, without enabling unicast RPF on the interface, enter commands
such as the following:
ProCurveRS# interface e 2/1
June 2005
Internet
External Interface
e 1/1 10.10.2.1
External
Interface
e 2/1
192.168.1.1
e 3/1 192.168.3.1
Layer 2 Switch
Network 192.168.30.x
Configuring Unicast RPF
9 - 3