9
Restrictions and guidelines
After you disable sending ICMP time exceeded messages, the tracert feature will not be available.
Do no configure both uRPF in strict mode and ECMP routes. A violation might cause that service
packets forwarded based on ECMP routes are mistakenly dropped.
By default, interfaces on the device are disabled (in
ADM
or
Administratively Down
state). To have
an interface operate, you must use the
undo shutdown
command to enable that interface.
Procedures
# Specify IP addresses for interfaces. (Details not shown.)
# Enable strict uRPF check.
[DeviceA] ip urpf strict
# Disable sending ICMP time exceeded messages. Sending ICMP time exceeded messages is
disabled by default.
[DeviceA] undo ip ttl-expires enable
Verifying the configuration
1.
Verify that Device A can prevent source address spoofing attacks:
# Verify that Device A can filter out packets with forged source IP addresses. (Details not
shown.)
# Verify the uRPF configuration.
[DeviceA] display ip urpf
Global uRPF configuration information:
Check type: strict
2.
Verify that TTL attack protection functions on Device A:
# Enable ICMP debugging by executing the
debugging ip icmp
command on Device A.
(Details not shown.)
# Use a PC to send packets in which the TTL is 1 to Device A. (Details not shown.)
# Verify that Device A does not display any debugging information and that the PC does not
receive any ICMP time exceeded messages. (Details not shown.)
# Enable sending ICMP time exceeded messages and send packets in which the TTL is 1 to
Device A. (Details not shown.)
# Verify that Device A responds with ICMP time exceeded messages.
<DeviceA> *Aug 14 16:43:31:068 2016 NM-3 SOCKET/7/ICMP: Slot=2;
Time(s):1371221011 ICMP Output:
ICMP Packet: src = 6.0.0.1, dst = 202.101.0.2
type = 11, code = 0 (ttl-exceeded)
Original IP: src = 202.101.0.2, dst = 192.168.0.2
proto = 253, first 8 bytes = 00000000 00000000
Configuration files
#
ip urpf strict
