Cisco Cisco IOS Software Release 12.0(13)S7
Unicast Reverse Path Forwarding in Strict Mode on the Cisco 12000 Series Internet Router
Configuring Unicast RPF in Strict Mode on the Cisco 12000 Router
9
Unicast Reverse Path Forwarding in Strict Mode on the Cisco 12000 Series Internet Router
OL-15426-01
–
Multilink interfaces (for Multilink Frame Relay and Multilink PPP, see
•
Optional self-ping and allow-default functions are supported:
–
The self-ping option allows the Cisco 12000 series Internet router to ping its own interfaces and
enable source IP-based black hole filtering to mitigate a DoS attack.
enable source IP-based black hole filtering to mitigate a DoS attack.
–
The allow-default flag sets the lookup operation to match the default route in the CEF routing
table and use it to verify incoming IPv4 packets.
table and use it to verify incoming IPv4 packets.
•
All Layer 2 encapsulation and transport types are supported, including ATM AAL5, ATM cell relay,
Ethernet (VLAN and port modes), Frame Relay, HDLC, and PPP over MPLS; for more information,
refer to
Ethernet (VLAN and port modes), Frame Relay, HDLC, and PPP over MPLS; for more information,
refer to
•
The Unicast RPF in Strict Mode feature supports up to eight interfaces on which per-packet load
balancing is configured on the same line card. If you configure load balancing for a specified IP
prefix on more than eight interfaces, Unicast RPF is performed in loose checking mode.
balancing is configured on the same line card. If you configure load balancing for a specified IP
prefix on more than eight interfaces, Unicast RPF is performed in loose checking mode.
•
IP prefix accounting and the Unicast RPF in Strict Mode feature are not supported together on the
same line card.
same line card.
•
Multicast traffic is not supported. (Multicast traffic has its own Reverse Path Forwarding check).
•
The CISCO-IP-URPF-MIB supports the display global and per-interface statistics for packets
dropped by Unicast RPF.
dropped by Unicast RPF.
Note
The interface and subinterface dropped packet counters are not totally accurate. One out of
sixty-seven IPv4 packets are punted to the CPU.
sixty-seven IPv4 packets are punted to the CPU.
•
Unicast RPF is not supported on an interface configured for generic route encapsulation (GRE)
tunneling or Layer 2 tunneling, such as L2TPv3.
tunneling or Layer 2 tunneling, such as L2TPv3.
•
Virtual Private Network routing and forwarding (VRF) tables are not supported in the path lookup.
•
Unicast RPF does not support the access-list option as other platforms, which allows you to
configure an ACL as an additional filter to verify incoming IPv4 packets.
configure an ACL as an additional filter to verify incoming IPv4 packets.
Although the Unicast RPF in Strict Mode feature filters only IPv4 packets in IP or MPLS traffic, you
can configure IOS software features that manage other traffic on the same interface, such as
IP forwarding, MPLS features, Frame Relay switching, ATM switching, and Any Transport over ATM
(AToM) connections. However, Unicast RPF filtering is only applied to incoming traffic on IP routing
interfaces and not on packets processed by Frame Relay or ATM switching or transmitted over AToM
pseudowire commendations.
can configure IOS software features that manage other traffic on the same interface, such as
IP forwarding, MPLS features, Frame Relay switching, ATM switching, and Any Transport over ATM
(AToM) connections. However, Unicast RPF filtering is only applied to incoming traffic on IP routing
interfaces and not on packets processed by Frame Relay or ATM switching or transmitted over AToM
pseudowire commendations.
Configuring Unicast RPF in Strict Mode on the Cisco 12000
Router
Router
This section describes the procedures for configuring and verifying the Unicast RPF in Strict Mode
feature to filter IPv4 packets on the Cisco 12000 series Internet router.
feature to filter IPv4 packets on the Cisco 12000 series Internet router.
•
•