From the course: Cisco CCNP ENARSI v1.1 (300-410) Cert Prep: 3 Infrastructure Security

Unicast Reverse Path Forwarding (uRPF)

- [Instructor] Unicast reverse path forwarding, also called unicast RPF or simply uRPF, is used to help limit malicious traffic on an enterprise network. Specifically, this helps to guard against spoofed addresses on the network by verifying the reachability of the source address attached to the packets that are being forwarded. If a source address attached to a packet is not reachable, then that packet will be discarded. Unicast RPF operates in one of three modes: strict mode, loose mode, or VRF mode. It's also important to note that some modes may not be supported by specific Cisco devices, so you'll want to check your device documentation in order to make that determination. In uRPF strict mode, the router verifies that the source of the IP packet arrives on the same interface that the router would use to reach that source address. When you're troubleshooting uRPF strict mode, you want to be aware of any asymmetric routing paths. In other words, paths where the flow of packets in one direction passes through a different interface than the one that will be used for the return traffic path. This is what we call asymmetric routing, and it's very common with protocols such as BGP. However, with uRPF strict mode, this can cause legitimate packets to be dropped, so that's something to keep in mind. In uRPF loose mode, the source of the IP packet must simply appear in the routing table. So loose mode looks for any interface in the routing table, other than the default route, that can be used to reach the source IP address listed in the packet. If there is an entry in the table and it is not the default route, the packet is considered to be valid, and it will be forwarded. Otherwise, the packet gets discarded. And finally, there's VRF mode. VRF stands for virtual routing and forwarding, and this is a technology that allows you to have more than one routing table on a single router. This is fairly common in ISP networks for things like MPLS and BGP.
And this is simply a path isolation method. This is very similar to the concept of VLANs that we see on switches. VRFs allow us to perform separation between routing instances. VRF mode is the same as loose mode, except that it only examines interfaces that are within the same VRF as the interface on which the packet was received. Let's go out to a live interface and see a few ways that we can troubleshoot this. Unicast RPF is configured on a per-interface basis, so if I'm connected to my router here, let me go under global configuration mode, and if I go under interface gig 0/1, to enable unicast RPF I can say ip verify unicast source reachable-via, and so that's a fairly self-explanatory command. That does exactly what we've already described. This is going to verify the IP source as being reachable. If we look at context-sensitive help here, you see that we have a couple of options. We have rx and any. So rx is going to be for strict mode, and any will be for loose mode. This is a place, when you're configuring or when you're looking back over your running configuration, that you want to examine very closely. If you've chosen the wrong mode, you may end up dropping legitimate packets because of the asymmetric routing issue that we described earlier. So for troubleshooting, the first thing you're going to want to make sure of is that you have the mode set correctly. In this example, I'm going to just use the any keyword, in this case, and set that to loose mode, and now let's look at a few more contextual help options that we have. So in the real world, as you enable this on your enterprise network, I'll also mention that you'll likely use a combination of these modes. You might use loose mode where asymmetric routing might take place, and you might use strict mode where you know for sure that you have symmetric routing.
So for example, if we have somewhere a router connecting maybe directly to a server, and you know there's only a single symmetric route for this, that's an okay place to use strict mode. But if you have an uplink interface, it would be a very bad idea to use strict mode in that case, so you would only use loose mode. So just another note there on troubleshooting. Other options that we can see: we can see the allow-default option listed in our contextual help output. Remember we mentioned that, by default behavior with both strict and loose mode, the source IP address is checked against the routing table to see if there's an interface that can be used to reach that address. And that's true for everything except the default route. So by default, a return path associated with the default route is going to be discarded. So this is an option that we can put in that would allow us to override this behavior. So that's a good idea to do oftentimes. The next option is the allow-self-ping option. By default, the router is not able to ping its own interface with uRPF. So if you need to self-ping, you can use this option to allow that. However, do know that this is a security concern that could allow for denial-of-service attacks, so it's not recommended that you use that. And finally, we have the list options that we see here. We have the ability to attach an ACL to identify exactly which packets are subject to a unicast RPF lookup. So if you're troubleshooting and you find that you have a list attached to a uRPF-enabled interface, you'll want to examine that ACL and make sure everything is correct. In my case, I'm not going to choose any additional options, I'm just going to hit Enter, and of course I want to show you a couple of verification commands that we can use. First is the very general show ip traffic, and if we take a look at that, the very first section under IP statistics, that's going to show any place that we have any drops.
So if we have packets dropped, in my case, I won't have any traffic coming through here in my lab environment, so that is zero. But if we did have packet drops happening, that will be a place where we will be able to see that happening, if we break out of that show ip traffic command. One other thing we could do, we can say show run interface gig 0/1, and here you can see the command that we put in place previously, ip verify unicast source reachable-via any, so that's good. One more very helpful command. We can say show cef interface, followed by the interface, which is gig 0/1. This is going to allow us to verify that uRPF is enabled on a particular interface. You can see right here, it says very specifically IP unicast RPF check is enabled. Right below that, input features, uRPF. So that's exactly what we would want to see. So having said that, you'll also notice that it tells us IPv6 CEF switching is enabled. So you do want to make sure that ip cef is enabled globally, and that's true by default on the newer builds. If we actually take a look here at my show run, I'll say show run | begin ipv6, and see if that gets us close. Yes, there we go. So you can see we have ipv6 unicast-routing enabled, and ipv6 cef is also enabled. So again, if you don't see that, if you see no ipv6 cef, you'll know that you need to globally enable CEF on the router.
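The three modes and the allow-default option described in the lesson, modeled as an added example (not from the course or Cisco's own implementation) so you can see which packets would be dropped; the routing table, interface names and VRF name are constructed, and the lookup is a simplified longest-prefix match rather than a real CEF FIB.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network   # destination prefix
    out_iface: str                  # interface the router would use to reach it
    vrf: str = "global"             # routing instance the route belongs to

# Constructed routing table: two directly known subnets, a default route,
# and one prefix that only exists in a hypothetical customer VRF.
TABLE = [
    Route(ipaddress.ip_network("10.1.1.0/24"), "Gi0/1"),
    Route(ipaddress.ip_network("10.2.2.0/24"), "Gi0/2"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "Gi0/0"),
    Route(ipaddress.ip_network("192.168.5.0/24"), "Gi0/3", vrf="cust"),
]

def lookup(table, src, vrf):
    """Longest-prefix match for the source address inside one VRF."""
    addr = ipaddress.ip_address(src)
    matches = [r for r in table if r.vrf == vrf and addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

def urpf_check(table, src, in_iface, mode="rx", vrf="global", allow_default=False):
    """True if a packet from src arriving on in_iface passes the uRPF check.
    mode='rx' is strict mode, mode='any' is loose mode (the IOS keywords);
    VRF mode is loose mode restricted to the VRF of the receiving interface."""
    route = lookup(table, src, vrf)
    if route is None:                       # source not in the routing table
        return False
    if route.prefix.prefixlen == 0 and not allow_default:
        return False                        # only the default route matched
    if mode == "rx":                        # strict: must arrive on the return-path interface
        return route.out_iface == in_iface
    return True                             # loose: any non-default route is enough

def demo():
    """Each case corresponds to a situation discussed in the lesson."""
    return {
        "strict_symmetric":   urpf_check(TABLE, "10.1.1.7", "Gi0/1"),
        "strict_asymmetric":  urpf_check(TABLE, "10.2.2.7", "Gi0/1"),              # legit packet dropped
        "loose_asymmetric":   urpf_check(TABLE, "10.2.2.7", "Gi0/1", mode="any"),
        "loose_default_only": urpf_check(TABLE, "203.0.113.9", "Gi0/1", mode="any"),
        "loose_allow_default": urpf_check(TABLE, "203.0.113.9", "Gi0/1", mode="any", allow_default=True),
        "vrf_leak_blocked":   urpf_check(TABLE, "192.168.5.4", "Gi0/1", mode="any"),
        "vrf_mode_pass":      urpf_check(TABLE, "192.168.5.4", "Gi0/3", mode="any", vrf="cust"),
    }
```

The strict_asymmetric case is the asymmetric-routing drop the instructor warns about, and loose_default_only shows why allow-default is often worth adding on an interface that only has a default route back toward the source.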
