RE: ip verify unicast reverse-path

From: Aaron <aaron1_at_gvtc.com>
Date: Tue, 7 Feb 2012 21:04:36 -0600

Hi Vincent, not sure if this is a good enough answer but it's what the
master index in the doc cd says...

http://www.cisco.com/en/US/docs/ios/ipswitch/command/reference/isw_i1.html#wp1086125

 

Strict Mode RPF

 

If the source address is in the FIB and reachable only through the interface
on which the packet was received, the packet is passed. The syntax for this
method is ip verify unicast source reachable-via rx.

 

Exists-Only (or Loose Mode) RPF

 

If the source address is in the FIB and reachable through any interface on
the router, the packet is passed. The syntax for this method is ip verify
unicast source reachable-via any.

 

Because this Unicast RPF option passes packets regardless of which interface
the packet enters, it is often used on Internet service provider (ISP)
routers that are "peered" with other ISP routers (where asymmetrical routing
typically occurs). Packets using source addresses that have not been
allocated on the Internet, which are often used for spoofed source
addresses, are dropped by this Unicast RPF option. All other packets that
have an entry in the FIB are passed.

 

allow-default

 

Normally, sources found in the FIB but only by way of the default route will
be dropped. Specifying the allow-default keyword option will override this
behavior. You must specify the allow-default keyword in the command to
permit Unicast RPF to successfully match on prefixes that are known through
the default route to pass these packets.

 

 

Aaron

 

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Vincent Tay
Sent: Tuesday, February 07, 2012 8:00 PM
To: Ccielab_at_groupstudy.com
Subject: ip verify unicast reverse-path

 

Hi all,

I'm wondering how loose mode helps in detecting spoof packets.

Can anyone share?

Vincent Tay
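
The strict, loose and allow-default behaviour quoted in the reply above, as a small Python model. This is an added example, not Cisco's code or anything posted in the thread; the FIB contents, interface names and function names are constructed, and it assumes one path per prefix.

```python
import ipaddress

# Constructed FIB (prefix -> interface); all values are sample data.
FIB = {
    "0.0.0.0/0": "Gi0/0",        # default route toward the upstream
    "198.51.100.0/24": "Gi0/1",  # customer network
    "203.0.113.0/24": "Gi0/2",   # peer network
}

def fib_lookup(src, fib=FIB):
    """Longest-prefix match on the source; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), iface) for p, iface in fib.items()
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None

def urpf_permits(src, in_iface, mode, allow_default=False, fib=FIB):
    """mode 'rx' models strict mode, 'any' models loose (exists-only) mode."""
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' or 'any'")
    hit = fib_lookup(src, fib)
    if hit is None:
        return False                  # source not in the FIB at all
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False                  # matched only via the default route
    if mode == "rx":
        return iface == in_iface      # must arrive on the return-path interface
    return True                       # loose: any FIB entry is enough

if __name__ == "__main__":
    cases = [
        ("198.51.100.7", "Gi0/2", "rx", False),   # routed source, wrong interface
        ("198.51.100.7", "Gi0/2", "any", False),  # same packet under loose mode
        ("192.0.2.50", "Gi0/0", "any", False),    # only the default route matches
        ("192.0.2.50", "Gi0/0", "any", True),     # allow-default set
    ]
    for src, iface, mode, allow in cases:
        verdict = "pass" if urpf_permits(src, iface, mode, allow) else "drop"
        print(f"{src:15} in {iface} mode={mode:3} allow-default={allow}: {verdict}")
```

In this model loose mode drops only sources with no specific FIB entry, so a source forged from a routed prefix still passes, and adding allow-default while a default route is present makes loose mode pass every source.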

 

 
