--> URPF stands for Unicast Reverse Path Forwarding.
--> URPF is used to limit malicious traffic entering the network.
--> Once URPF is enabled on an interface, the router verifies the source IP address of every packet arriving on that interface against its routing table (the CEF FIB), instead of looking only at the destination address.
--> If the source address is reachable (and, in strict mode, reachable through the interface the packet arrived on) the packet is forwarded; otherwise it is dropped.
--> URPF is used mainly to prevent IP address spoofing.
--> IP spoofing lets an attacker send malicious traffic to a destination with a forged source address, so that it looks like legitimate traffic and any replies or blame land on a third party.
--> Unicast RPF therefore reduces forwarding of packets with spoofed source addresses; it does not inspect or block the packet payload.
URPF MODES
i) STRICT MODE
--> In strict mode the router checks two things in its routing table.
--> When a packet arrives on a URPF-enabled interface, the router looks up the packet's source address and checks:
1) Is there a route to the source network in the routing table (longest-prefix match)?
2) Does that route point out of the same interface the packet arrived on?
--> If the packet passes both checks it is forwarded; otherwise it is dropped.
--> In this scenario the router receives traffic with source IP address 192.168.1.2 (from 192.168.1.0/24) on both of its interfaces.
--> But the source network is connected to interface fa0/0 of the router, not to s0/0.
--> If URPF strict mode is enabled on both interfaces, the traffic received on s0/0 is dropped because it fails the second check, while the same source arriving on fa0/0 is forwarded.
--> Strict mode therefore only works where routing is symmetric: if a legitimate source can reach the router over an interface other than the one the router uses to route back to it, strict mode drops legitimate traffic.
ii) LOOSE Mode
--> In loose mode the router checks only one thing in its routing table.
--> When a packet arrives on a URPF-enabled interface, the router checks only:
1) Is there a route to the source network in the routing table?
--> In the same scenario, with loose mode enabled, the traffic with source 192.168.1.2 received on both interfaces is allowed, because 192.168.1.0/24 is present in the routing table and loose mode does not care which interface the packet arrived on.
--> Loose mode therefore catches only sources with no route at all (unallocated or bogon space) and sources whose prefix is deliberately routed to Null0, which makes it safe on interfaces with asymmetric routing but much weaker than strict mode.
URPF Considerations
--> CEF (Cisco Express Forwarding) must be enabled for URPF to work, because the check is performed against the CEF FIB rather than the RIB.
--> URPF is enabled on a per-interface basis, so every interface through which spoofed traffic could enter has to be configured; an interface without URPF is not protected.
--> The configured mode and the drop counter for an interface are shown by show ip interface, and the total of unicast RPF drops by show ip traffic.
WHICH URPF MODE to USE?
--> Cisco recommends using a combination of strict mode and loose mode Unicast RPF.
--> Which mode to use on an interface depends on whether the interface faces an internal network or the outside.
--> Strict mode is recommended on internal (LAN- or customer-facing) interfaces, where the router knows exactly which prefixes live behind each interface and routing is symmetric.
--> Loose mode is recommended on outside (upstream) interfaces, where traffic from a given source may legitimately arrive over more than one link. If the only route to outside sources is a default route, the allow-default keyword must be added: without it, any source that matches only the default route fails the check in either mode, and with it loose mode still drops sources whose prefix is routed to Null0 while passing everything else.
URPF Configuration
1) Loose Mode Configuration (outside-facing interface)
Router(config)# int s0/0
Router(config-if)# ip verify unicast source reachable-via any
2) Strict Mode Configuration (internal interface)
Router(config)# int fa0/0
Router(config-if)# ip verify unicast source reachable-via rx
--> If you want particular traffic to be exempted from the URPF check, you can do this with an Access Control List attached to the URPF command.
--> The ACL is consulted only when a packet has already failed the URPF check: if the ACL permits the packet it is forwarded anyway, and if the ACL denies it the packet is dropped. An ACL that permits everything therefore switches URPF off on that interface, so the exempt traffic must be the permit entry and everything else must be denied.
--> For example, to forward packets from 192.168.1.0/24 even when they fail the URPF check on fa0/0, and to keep dropping (and log) every other failing source:
1) Create ACL
Router(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 any
Router(config)# access-list 100 deny ip any any log
2) Apply the ACL on URPF
Router(config)# int fa0/0
Router(config-if)# ip verify unicast source reachable-via rx 100
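The decision logic described above (strict vs loose mode, the default-route behaviour of allow-default, and the exemption ACL that is consulted only after a failed check) as a small Python model. This is an added example, not Cisco code or the author's configuration; the routing table, interface names and addresses are constructed to match the page's fa0/0 / s0/0 scenario, and the ACL is reduced to source-prefix matching.

```python
"""Model of Cisco-style Unicast RPF: strict ('rx') and loose ('any') mode,
the allow-default keyword, and the exemption ACL consulted after a failed
check. Added example; not Cisco code. Routing table and packets are
constructed to match the page's fa0/0 (LAN) / s0/0 (outside) scenario."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # interface the router uses to reach this prefix


# Constructed routing table: LAN behind fa0/0, a second site behind s0/1,
# default route towards the upstream on s0/0.
ROUTING_TABLE = (
    Route(ipaddress.ip_network("192.168.1.0/24"), "fa0/0"),
    Route(ipaddress.ip_network("10.10.0.0/16"), "s0/1"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "s0/0"),
)


def lookup(table, src):
    """Longest-prefix match on the source address (what the CEF FIB does)."""
    addr = ipaddress.ip_address(src)
    best = None
    for route in table:
        if addr in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best


def rpf_check(table, src, in_iface, mode, allow_default=False):
    """True if the packet passes URPF. mode is 'rx' (strict) or 'any' (loose)."""
    route = lookup(table, src)
    if route is None:
        return False  # no route back to the source: fails both modes
    if route.prefix.prefixlen == 0 and not allow_default:
        return False  # only the default route matches; ignored unless allow-default
    if mode == "rx":
        return route.interface == in_iface  # strict: best path must be via ingress iface
    if mode == "any":
        return True  # loose: any route to the source is enough
    raise ValueError(f"unknown URPF mode {mode!r}")


def acl_permits(acl, src):
    """Extended ACL reduced to source-prefix matching (constructed model):
    first match wins, implicit deny at the end."""
    addr = ipaddress.ip_address(src)
    for action, prefix in acl:
        if addr in ipaddress.ip_network(prefix):
            return action == "permit"
    return False


def forward(table, src, in_iface, mode, allow_default=False, acl=None):
    """Forwarding decision for one packet on a URPF-enabled interface.
    The ACL is consulted only after the RPF check has failed: permit means
    forward anyway (exempt), deny means drop."""
    if rpf_check(table, src, in_iface, mode, allow_default):
        return True
    return acl is not None and acl_permits(acl, src)


# Exemption ACL as it should be written: permit the exempt prefix, deny the rest.
EXEMPT_ACL = (("permit", "192.168.1.0/24"), ("deny", "0.0.0.0/0"))
# The same ACL with the actions inverted (deny the prefix, permit any):
# every *other* failing source is forwarded, i.e. URPF is disabled for them.
INVERTED_ACL = (("deny", "192.168.1.0/24"), ("permit", "0.0.0.0/0"))


def scenario():
    """The page's scenario: 192.168.1.2 arriving on fa0/0 (genuine) and on
    s0/0 (spoofed), plus an outside source that only matches the default route."""
    rt = ROUTING_TABLE
    return {
        "strict_lan_ok": rpf_check(rt, "192.168.1.2", "fa0/0", "rx"),
        "strict_spoof_dropped": not rpf_check(rt, "192.168.1.2", "s0/0", "rx"),
        "loose_spoof_passes": rpf_check(rt, "192.168.1.2", "s0/0", "any"),
        "loose_default_needs_allow": (
            not rpf_check(rt, "203.0.113.5", "s0/0", "any"),
            rpf_check(rt, "203.0.113.5", "s0/0", "any", allow_default=True),
        ),
        "exempt_acl_forwards_spoof": forward(rt, "192.168.1.2", "s0/0", "rx", acl=EXEMPT_ACL),
        "exempt_acl_still_drops_others": not forward(rt, "10.10.5.5", "s0/0", "rx", acl=EXEMPT_ACL),
        "inverted_acl_leaks_others": forward(rt, "10.10.5.5", "s0/0", "rx", acl=INVERTED_ACL),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:32} {result}")
```

Every entry of scenario() comes out true: strict mode drops the spoofed 192.168.1.2 on s0/0 while loose mode passes it, an outside source that matches only the default route fails until allow_default is set, and the inverted ACL shows why the permit entry must be the exempt prefix rather than "any".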
Ref: Cisco.com
Md.Kareemoddin
CCIE # 54759