CCIE RS Blueprint--uRPF(Unicast Reverse Path Forwarding)

(1) Overview of uRPF
The function of uRPF is to give the router the ability to prevent IP spoofing (IP forgery). The forgery that uRPF looks for is an IP packet that arrives on an interface it should not have arrived on. Such a packet is considered to be spoofed. By default it is discarded.

(2) uRPF detection
When the router receives a packet on an interface that has uRPF enabled, it takes the packet's source IP address and looks it up in the routing table. If the route to that source IP address exits through the interface on which uRPF is enabled (the interface the packet arrived on), the packet is forwarded; otherwise it is discarded. Because uRPF checks every packet entering the interface, forwarding will be slower.
uRPF can be enabled only after CEF has been enabled. uRPF can only be turned on in the inbound direction. During the check, all best paths to the source IP are considered feasible.
Under normal circumstances, a packet that fails the uRPF check is discarded by default, but sometimes, for special reasons, certain packets that fail the check need to be let through. To do this, add an ACL when enabling uRPF. Packets that fail the check are then evaluated against the ACL, which alone decides whether they are discarded or released: if the ACL permits the packet, it is released; if the ACL denies it, it is discarded.

(3) Strict mode

Router(config-if)#ip verify unicast source reachable-via rx
Router(config-if)#ip verify unicast reverse-path

Loose mode
Router(config-if)#ip verify unicast source reachable-via any
Enable the loose mode of uRPF on the interface.

(4) uRPF configuration

Router(config-if)#ip verify unicast reverse-path
Enables uRPF on the interface; by default every packet entering the interface is checked.
Router(config)#access-list 100 permit ip host 3.3.3.3 any
Router(config-if)#ip verify unicast reverse-path 100
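
The decision described in sections (2) to (4), modelled in Python as an added example (not part of the original post and not IOS code). The FIB contents, interface names and function names are constructed for illustration; the ACL entry mirrors access-list 100 above. It assumes loose mode passes whenever any route to the source exists.

```python
import ipaddress

# Constructed sample FIB: prefix -> interfaces of all equal-cost best paths.
FIB = {
    "10.1.0.0/16": {"Gi0/0"},
    "10.2.0.0/16": {"Gi0/1"},
    "10.3.0.0/16": {"Gi0/0", "Gi0/1"},  # two equal-cost best paths
}

def best_paths(src, fib=FIB):
    """Longest-prefix match on the SOURCE address; returns egress interfaces."""
    addr = ipaddress.ip_address(src)
    best_net, best_ifaces = None, set()
    for prefix, ifaces in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_ifaces = net, ifaces
    return best_ifaces

def urpf_check(src, in_iface, mode="strict", acl_permit=(), fib=FIB):
    """Return 'forward' or 'drop' for a packet from src arriving on in_iface."""
    paths = best_paths(src, fib)
    if mode == "strict":      # reachable-via rx: a best path must use in_iface
        passed = in_iface in paths
    elif mode == "loose":     # reachable-via any: any route to the source will do
        passed = bool(paths)
    else:
        raise ValueError("mode must be 'strict' or 'loose'")
    if passed:
        return "forward"
    # The check failed: the optional ACL alone decides release or discard.
    addr = ipaddress.ip_address(src)
    if any(addr in ipaddress.ip_network(p) for p in acl_permit):
        return "forward"
    return "drop"

if __name__ == "__main__":
    acl_100 = ("3.3.3.3/32",)  # mirrors: access-list 100 permit ip host 3.3.3.3 any
    for src, iface, mode, acl in [
        ("10.1.5.5", "Gi0/0", "strict", ()),     # route points back out Gi0/0
        ("10.1.5.5", "Gi0/1", "strict", ()),     # arrived on the wrong interface
        ("10.1.5.5", "Gi0/1", "loose", ()),      # a route exists somewhere
        ("10.3.0.9", "Gi0/1", "strict", ()),     # either equal-cost path is feasible
        ("3.3.3.3", "Gi0/0", "strict", acl_100), # no route, but the ACL permits it
        ("192.0.2.1", "Gi0/0", "loose", ()),     # no route at all
    ]:
        print(src, iface, mode, "->", urpf_check(src, iface, mode, acl))
```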
