Cisco 10000 Series Router Software Configuration Guide
OL-2226-23
13-11

CHAPTER 13
Unicast Reverse Path Forwarding
Cisco integrated security systems incorporate a comprehensive selection of feature-rich security services, offering commercial, enterprise, and service provider customers the ability to deploy trusted and protected business applications and services.

Threat defense is a critical aspect of an integrated security approach and involves the implementation of proactive measures. One valuable threat defense tool is unicast Reverse Path Forwarding (uRPF).

The key function of uRPF is to verify that the path of an incoming packet is consistent with the local packet forwarding information. This is achieved by performing a reverse path look-up (hence the feature's name) using the source IP address of an incoming packet to determine the current path (adjacency) to that IP address. The validity of this path determines whether uRPF passes or drops the packet.
The specific uRPF path validation criteria that are used to determine path consistency depend upon the particular uRPF mode enabled on an interface. Table 13-1 shows two uRPF modes which are supported by Cisco 10000 series routers.

If the path is:

- Valid, the packet is passed.
- Invalid, the packet is silently discarded.
uRPF uses the Cisco Express Forwarding (CEF) Forwarding Information Base (FIB) to perform the reverse path look-up on the source IP address of an incoming packet. The CEF FIB is a database of network layer routing information and associated forwarding/adjacency information used in the CEF switching of packets. The CEF FIB is populated with the path for all known IP prefixes and their associated adjacencies, and it is thus a key element of uRPF reverse path validation. Once enabled on an interface, uRPF checks all IP packets on the input path of that interface.
Table 13-1    Three uRPF Modes

uRPF Mode   Path Resolution Table   uRPF Path Selection Criteria
Strict      CEF FIB                 Path to the source IP address must be through the SAME interface as that on which the packet arrived.
Loose       CEF FIB                 Path to the source IP address is through any interface on the device.
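The reverse path look-up against the FIB and the strict and loose decisions from Table 13-1, modelled as an added Python example that is not part of this guide or of Cisco IOS; the FIB entries, interface names and packet source addresses are constructed, and the longest-prefix match stands in for the CEF lookup.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed FIB: destination prefix -> outgoing (adjacency) interface.
# Not a real router's table; 10.1.5.0/24 is a more-specific route that
# points out a different interface than its covering 10.1.0.0/16.
FIB = [
    (ipaddress.ip_network("10.1.0.0/16"), "Gi1/0/0"),
    (ipaddress.ip_network("10.1.5.0/24"), "Gi2/0/0"),
    (ipaddress.ip_network("192.0.2.0/24"), "Gi3/0/0"),
]

# Constructed sample packets as (source address, ingress interface).
PACKETS: List[Tuple[str, str]] = [
    ("10.1.2.3", "Gi1/0/0"),      # source reachable back out the ingress interface
    ("10.1.5.9", "Gi1/0/0"),      # longest match points out Gi2/0/0, not Gi1/0/0
    ("192.0.2.1", "Gi3/0/0"),     # reachable back out the ingress interface
    ("203.0.113.7", "Gi3/0/0"),   # no route to the source at all
]


def fib_lookup(src: str) -> Optional[str]:
    """Longest-prefix match of the source address; None when the FIB has no path."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def urpf_check(src: str, ingress: str, mode: str) -> bool:
    """True when uRPF passes the packet, False when it would be silently discarded."""
    reverse_iface = fib_lookup(src)
    if reverse_iface is None:          # no path to the source: invalid in either mode
        return False
    if mode == "strict":               # path must lead back out the ingress interface
        return reverse_iface == ingress
    if mode == "loose":                # a path through any interface is enough
        return True
    raise ValueError(f"unknown uRPF mode: {mode}")


def urpf_verdicts(mode: str) -> List[str]:
    """Verdict ('pass' or 'drop') for each constructed packet under the given mode."""
    return ["pass" if urpf_check(src, ingress, mode) else "drop" for src, ingress in PACKETS]


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, list(zip(PACKETS, urpf_verdicts(mode))))
```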