Unicast Reverse Path Forwarding (uRPF) is a feature that allows the router to block unknown source IP address or spoofed IP address on an incoming interface. uRPF uses Cisco Express Forwarding (CEF) FIB to perform its function which means only CEF capable devices are supported.
uRPF has two modes:
- Strict mode – uRPF only check source ip address of packets on configured interface.
- Loose mode – uRPF check source ip address of packets on any interface. This mode is preferred for networks that has multiple up-links or interface.
Strict mode configuration
R1(config-if)# ip verify unicast source reachable-via rx [access-list]
The RX parameter determines the strict mode in the command
Loose mode configuration
R1(config-if)# ip verify unicast source reachable-via any [access-list]
The Any parameter determines the loose mode in the command
uRPF verification
You can verify the blocking of spoofed ip address by using the following command:
show ip interface [interface #] | section IP verify
The verification drops shows the number of drop spoofed source packets on the interface as seen in the image below.
R2 spoofed IP address 1.2.2.2 is trying to reach destination ip address 3.3.3.3 but it is blocked by R1 using uRPF. You can see R1 show command displays 5 verification drops.
You can also create an access-list to log any deny packets and assigned it to the uRPF using the following command:
! Create Extended Access-list
R1(config)# access-list 100 deny ip any any log
! Under the interface assigned access-list to the uRPF
R1(config-if)# ip verify unicast source reachable-via rx 100
for the same example of R1, the uRPF packet drop will be shown by the access list 100 log as seen below:
I hope this article helps to understand the use uRPF.
IT Wiz Technology Blog 