U Nicast Rpf - HP ProCurve 9304M Security Manual

Routing switches

Hide thumbs Also See for ProCurve 9304M:

Management and configuration manual (690 pages)

Installation and configuration manual (504 pages)

Installation and getting started manual (348 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

page of 172

/ 172
Contents
Table of Contents
Bookmarks

Table of Contents

Security Guide for ProCurve 9300/9400 Series Routing Switches

ProCurveRS(config-if-e100-2/1)# ip verify unicast external-interface

When an interface is identified as an external interface with this command, it prevents the HP device from creating

RPF CAM entries for routes learned on the interface. Unicast RPF is not performed for incoming packets on the

interface.

Syntax: [no] ip verify unicast external-interface

Specifying a Prefix List for Unicast RPF

When unicast RPF is enabled on an external interface, the HP device compiles a list of the internally learned

routes in the device's routing table and creates unicast RPF CAM entries that deny packets with source IP

addresses corresponding to these routes.

In addition, you can create an IP prefix list containing a list of routes and then specify the IP prefix list as part of the

unicast RPF configuration. When you do this, the HP device creates unicast RPF CAM entries that deny packets

with source IP addresses corresponding to the routes in the IP prefix list, in addition to the internally learned

routes. Using an IP prefix list in this way allows you to configure the device to deny packets from networks other

than internal ones.

For example, the following commands create an IP prefix list called "martians" consisting of three routes:

ProCurveRS(config)# ip prefix-list martians seq 5 deny 0.0.0.0/8 le 32

ProCurveRS(config)# ip prefix-list martians seq 10 deny 10.0.0.0/8 le 32

ProCurveRS(config)# ip prefix-list martians seq 15 deny 127.0.0.0/8 le 32

NOTE: For information on creating IP prefix lists, see the Advanced Configuration and Management Guide for

ProCurve 9300/9400 Series Routing Switches.

The following commands specify the "martians" IP prefix list as part of the unicast RPF configuration for interface

e 1/1:

ProCurveRS# interface e 1/1

ProCurveRS(config-if-1/1)# ip verify unicast reverse-path external prefix-list

martians

Syntax: [no] ip verify unicast reverse-path external prefix-list <name>

This command causes the device to drop packets incoming on interface e 1/1 that have source addresses

corresponding to the routes in the "martians" prefix list (as well as packets with source addresses corresponding

to internally learned routes, as well as the device's loopback address/network).

Displaying Unicast RPF Information

To display information about the CAM entries created for unicast RPF, enter the following command:

ProCurveRS# show ip rpf

Total number of RPF route entries 4

Destination

40.0.0.0

30.0.0.0

192.168.135.0

65.0.0.0

Syntax: show ip rpf [<ipaddr> | <ipaddr>/<mask-length> | <portnum> | <ve>]

9 - 4

NetMask

Port

255.255.255.0

3/9

255.255.255.0

3/9

255.255.255.0

255.255.255.252 3/9

VLAN ID

Deny

32778

32779

32769

32770

June 2005

Table of Contents

Need help?

Do you have a question about the ProCurve 9304M and is the answer not in the manual?

This manual is also suitable for:

J4139aProcurve 9308mJ4874a Procurve 9408sl J4138a J8680a ... Show all

U Nicast Rpf - HP ProCurve 9304M Security Manual

Need help?

Related Manuals for HP ProCurve 9304M

Related Products for HP ProCurve 9304M

This manual is also suitable for:

Table of Contents