Chapter 21
Configuring Unicast RPF
This chapter describes how to configure unicast reverse path forwarding (uRPF) on Cisco NX-OS devices.
This chapter includes the following sections:
• About Unicast RPF, on page 439
• Licensing Requirements for Unicast RPF, on page 441
• Guidelines and Limitations for Unicast RPF, on page 441
• Default Settings for Unicast RPF, on page 442
• Configuring Unicast RPF for Cisco Nexus 9500 Switches with -R Line Cards, on page 443
• Configuring Unicast RPF for Cisco Nexus 9300 Switches, on page 444
• Configuration Examples for Unicast RPF, on page 446
• Verifying the Unicast RPF Configuration, on page 447
• Additional References for Unicast RPF, on page 447
About Unicast RPF
The unicast RPF feature reduces the problems caused by malformed or forged (spoofed) IPv4 or IPv6 source
addresses entering a network: it discards IPv4 or IPv6 packets whose source address cannot be verified. A
number of common Denial-of-Service (DoS) attacks, including Smurf and Tribe Flood Network (TFN) attacks,
use forged or rapidly changing source IPv4 or IPv6 addresses so that the attack is hard to trace back to its
origin or to filter. Unicast RPF mitigates these attacks by forwarding only packets whose source address is
valid and consistent with the IP routing table.
When you enable unicast RPF on an interface, the switch examines every ingress packet received on that
interface and checks that the route to the packet's source address exists and points to the interface on
which the packet was received. This source-address check is performed against the Forwarding Information
Base (FIB).
Unicast RPF is an ingress function and is applied only on the ingress interface of a switch at the upstream end
of a connection.
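To make the check concrete, the following Python script simulates the FIB reverse lookup described above. It is an added example and is not code from this guide or from NX-OS: the FIB entries, interface names and sample packets are constructed for illustration. It also goes slightly beyond this section by modelling loose mode (accept the packet if any route to the source exists) and an `allow_default` switch that decides whether a match on the default route counts as a verifiable source; both are assumptions of the example, not statements about NX-OS behaviour.

```python
"""Simulated unicast RPF source check (added example, not NX-OS code).

The FIB is modelled as a list of (prefix, egress interfaces) entries.
A packet passes when the longest-prefix match for its *source* address
resolves to the interface it arrived on (strict mode), or to any
interface at all (loose mode).  A route may have several equal-cost
egress interfaces; arriving on any of them counts as a best return path.
"""
import ipaddress

# Constructed sample FIB. Interface names are hypothetical.
FIB = [
    ("10.1.0.0/16",     {"Ethernet1/1"}),
    ("10.1.5.0/24",     {"Ethernet1/2"}),                 # more specific, via a different port
    ("192.0.2.0/24",    {"Ethernet1/3", "Ethernet1/4"}),  # two equal-cost best paths
    ("0.0.0.0/0",       {"Ethernet1/10"}),                # default route towards the uplink
    ("2001:db8:1::/48", {"Ethernet1/1"}),
]


def lookup(fib, address):
    """Longest-prefix match for `address`. Returns (network, interfaces) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, ifaces in fib:
        net = ipaddress.ip_network(prefix)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, ifaces)
    return best


def urpf_check(fib, src, in_iface, mode="strict", allow_default=False):
    """Return True if the packet should be forwarded, False if uRPF drops it.

    allow_default is an assumption of this example: it controls whether a match
    on the default route (prefix length 0) counts as a verifiable source.  When
    it is False, a source covered only by the default route is unverifiable.
    """
    match = lookup(fib, src)
    if match is None:
        return False                      # no return route at all: drop
    net, ifaces = match
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route covers this source
    if mode == "loose":
        return True                       # loose mode: any route to the source is enough
    return in_iface in ifaces             # strict mode: must arrive on a best return path


def apply_urpf(fib, packets, mode="strict", allow_default=False):
    """Run the check over (src, in_iface) pairs.

    Returns a list of (src, in_iface, verdict) with verdict 'forward' or 'drop'.
    """
    verdicts = []
    for src, in_iface in packets:
        ok = urpf_check(fib, src, in_iface, mode, allow_default)
        verdicts.append((src, in_iface, "forward" if ok else "drop"))
    return verdicts


# Constructed sample packets: (source address, ingress interface).
SAMPLE_PACKETS = [
    ("10.1.5.7",      "Ethernet1/2"),   # genuine: the /24 route points back out Ethernet1/2
    ("10.1.5.7",      "Ethernet1/1"),   # spoofed: inside the /16, but the /24 wins the lookup
    ("192.0.2.9",     "Ethernet1/4"),   # genuine: arrives on one of the two ECMP best paths
    ("198.51.100.1",  "Ethernet1/10"),  # only the default route matches
    ("2001:db8:1::5", "Ethernet1/1"),   # genuine IPv6 source
    ("2001:db8:2::5", "Ethernet1/1"),   # no IPv6 route at all
]

if __name__ == "__main__":
    for src, iface, verdict in apply_urpf(FIB, SAMPLE_PACKETS):
        print(f"{src:>15} on {iface:<12} -> {verdict}")
```

Running the script prints one verdict per sample packet. The second packet is the instructive one: 10.1.5.7 lies inside 10.1.0.0/16, which is reachable via Ethernet1/1, but the longest-prefix match is 10.1.5.0/24 via Ethernet1/2, so strict mode drops the packet when it arrives on Ethernet1/1. That is why the check is a reverse lookup in the FIB rather than a coarse "is this address routed at all" test, and why the 192.0.2.9 packet passes on Ethernet1/4: it arrives on one of the best return paths, which is all that strict mode requires.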
Note
Unicast RPF verifies that any packet received at a switch interface arrives on the best return path (return route)
to the source of the packet by doing a reverse lookup in the FIB. If the packet was received from one of the
best reverse path routes, the packet is forwarded as normal. If there is no reverse path route on the same
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
439