Configuring Unicast RPF
dropped packets provide information about potential attacks on the network, but they do not specify which interface is the source of the attack. Per-interface statistics on packets dropped due to a failed unicast RPF check are not available.
Licensing Requirements for Unicast RPF
Product: Cisco NX-OS
Guidelines and Limitations for Unicast RPF
Unicast RPF (uRPF) has the following configuration guidelines and limitations:
• You must apply uRPF at the interface downstream from the larger portion of the network, preferably at the edges of your network.
• The further downstream that you apply uRPF, the finer the granularity you have in mitigating address spoofing and in identifying the sources of spoofed addresses. For example, applying uRPF on an aggregation device helps to mitigate attacks from many downstream networks or clients and is simple to administer, but it does not help identify the source of the attack. Applying uRPF at the network access server helps limit the scope of the attack and trace the source of the attack; however, deploying uRPF across many sites does add to the administration cost of operating the network.
• The more entities that deploy uRPF across Internet, intranet, and extranet resources, the better the chances are of mitigating large-scale network disruptions throughout the Internet community, and the better the chances are of tracing the source of an attack.
• uRPF will not inspect IP packets that are encapsulated in tunnels, such as generic routing encapsulation (GRE) tunnels. You must configure uRPF at a home gateway so that uRPF processes network traffic only after the tunneling and encryption layers have been stripped off the packets.
• You can use uRPF in any "single-homed" environment where there is only one access point out of the network or one upstream connection. Networks that have one access point provide symmetric routing, which means that the interface where a packet enters the network is also the best return path to the source of the IP packet.
• Do not use uRPF on interfaces that are internal to the network. Internal interfaces are likely to have routing asymmetry, which means that multiple routes to the source of a packet exist. You should configure uRPF only where there is natural or configured symmetry. Do not configure strict uRPF.
• uRPF allows packets with 0.0.0.0 source and 255.255.255.255 destination to pass so that the Bootstrap Protocol (BOOTP) and the Dynamic Host Configuration Protocol (DHCP) can operate correctly.
• When uRPF is enabled, loose mode is applied for both IPv4 and IPv6. However, strict mode can be applied per protocol.
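The guidelines above contrast loose and strict mode, symmetric and asymmetric interfaces, and the BOOTP/DHCP exception. The following Python model is added here as an illustration; it is not code from this guide or from NX-OS. It performs a longest-prefix lookup of the packet's source address on a small constructed forwarding table and then applies the check in loose mode (a route to the source must exist) or strict mode (that route must point back out the ingress interface). The prefixes, interface names and sample packets are constructed data, and the table deliberately holds no default route, because how a default route counts toward the check is platform-specific and not covered on this page.

```python
import ipaddress

# Constructed sample FIB: prefix -> set of egress interfaces that the
# forwarding table uses to reach that prefix. No default route on purpose.
FIB = {
    "10.1.0.0/16": {"Eth1/1"},        # customer site, single-homed behind Eth1/1
    "10.2.0.0/16": {"Eth1/2"},        # internal site; best path is Eth1/2 only
    "2001:db8:1::/48": {"Eth1/1"},    # the same customer's IPv6 block
}


def lookup_source(src):
    """Longest-prefix match for src; returns the egress interface set or None."""
    addr = ipaddress.ip_address(src)
    best_net, best_ifaces = None, None
    for prefix, ifaces in FIB.items():
        net = ipaddress.ip_network(prefix)
        # 'in' is False across address families, so IPv4 and IPv6 never mix.
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_ifaces = net, ifaces
    return best_ifaces


def urpf_check(src, dst, ingress, mode):
    """Decide one packet. Returns (accepted, reason).

    mode is "loose" (a route to the source must exist) or "strict" (the
    route to the source must point back out the ingress interface). On a
    real device the mode is chosen per interface and, per the guide, can
    differ between IPv4 and IPv6; in this model it is simply passed in.
    """
    # BOOTP/DHCP exception stated in the guidelines: a client with no address
    # yet sends from 0.0.0.0 to the limited broadcast and must be let through.
    if src == "0.0.0.0" and dst == "255.255.255.255":
        return True, "bootp/dhcp exception"
    ifaces = lookup_source(src)
    if ifaces is None:
        return False, "no route to source"
    if mode == "loose":
        return True, "route to source exists"
    if mode == "strict":
        if ingress in ifaces:
            return True, "route to source points back out " + ingress
        return False, "route to source is via %s, not %s" % (sorted(ifaces), ingress)
    raise ValueError("unknown mode: " + mode)


# Constructed packets: (source, destination, ingress interface, description)
SAMPLE_PACKETS = [
    ("10.1.5.5", "192.0.2.10", "Eth1/1", "legitimate customer traffic"),
    ("10.1.5.5", "192.0.2.10", "Eth1/10", "customer address spoofed from upstream"),
    ("203.0.113.7", "192.0.2.10", "Eth1/1", "unrouted (bogus) source"),
    ("10.2.9.9", "192.0.2.10", "Eth1/3", "internal host on an asymmetric return path"),
    ("0.0.0.0", "255.255.255.255", "Eth1/1", "DHCP DISCOVER from a new client"),
    ("2001:db8:1::5", "2001:db8::1", "Eth1/1", "legitimate IPv6 customer traffic"),
]


def evaluate_samples():
    """Run every sample packet through both modes; returns {description: {mode: accepted}}."""
    results = {}
    for src, dst, ingress, desc in SAMPLE_PACKETS:
        results[desc] = {m: urpf_check(src, dst, ingress, m)[0] for m in ("loose", "strict")}
    return results


if __name__ == "__main__":
    for desc, verdict in evaluate_samples().items():
        print("%-45s loose=%-5s strict=%s" % (desc, verdict["loose"], verdict["strict"]))
```

Two rows of the output map directly onto the guidelines: the customer address arriving from the upstream interface passes in loose mode, which is why loose mode on an aggregation device mitigates only unrouted sources and does not tell you where a spoofed packet came from; and the internal host whose reply path differs from the forwarding path is dropped in strict mode even though it is legitimate, which is why the guide says not to configure strict uRPF on internal interfaces with routing asymmetry.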
License Requirement (Cisco NX-OS): Unicast RPF requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.
Cisco Nexus 3600 NX-OS Security Configuration Guide, Release 7.x