Cisco's New ip verify unicast source reachable-via

Posted on in Networking

Oops! I guess I'm way behind the times.

For quite a while, I've been using ip verify unicast reverse-path to prevent packets with spoofed source addresses from crossing my routers. Apparently, as of IOS 12.0 (12.4 is current as of this writing), that command has been replaced with ip verify unicast source reachable-via.

The good news is that this "new" command has many more options to make it work just right in your environment. The most important choice you must make is between rx (strict mode) or any (loose mode).

Unicast RPF Strict Mode

The rx option (as in ip verify unicast source reachable-via rx) only allows a packet through if its source address lies in a network that is reachable via the interface on which the packet arrived. This is very similar to how the old ip verify unicast reverse-path worked. The one caveat is that when equal-cost routes to the source network exist, it accepts the packet on any of the interfaces carrying those routes. In other words, it's OK to use this across two T1s as long as both T1s have equal-cost routes to the network in question.

Unicast RPF Loose (Exists-Only) Mode

The "new" any option allows a packet through as long as its source address is reachable via any interface on the router. The main use here is for someone like a service provider that wants to block any incoming packet whose source address has no route on the Internet (presumably learned via BGP). Since many network attacks rely on such spoofed source addresses, this is a big plus. It seems to me that this could eliminate some of the need for bogon-based access lists.
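To make the strict/loose difference concrete, here is a small model of the two checks against a routing table. It is an added example, not code from the original post or from Cisco IOS; the routing table, interface names and packet sources are all constructed, and the model covers only what the post describes (longest-prefix match, equal-cost routes, and the "no route at all" case).

```python
"""Toy model of uRPF strict (reachable-via rx) and loose (reachable-via any).

Constructed example: ROUTES maps a prefix to the set of interfaces that
have an equal-cost route to it. A real router would consult its FIB.
"""
import ipaddress

# Constructed routing table. 10.1.0.0/16 is reachable over two T1s with
# equal-cost routes; 10.1.5.0/24 is a more specific route via Ethernet.
ROUTES = {
    ipaddress.ip_network("10.1.0.0/16"): {"Serial0/0", "Serial0/1"},
    ipaddress.ip_network("10.1.5.0/24"): {"FastEthernet0/0"},
    ipaddress.ip_network("192.0.2.0/24"): {"FastEthernet0/1"},
}


def lookup(src):
    """Longest-prefix match for src; returns the interface set or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix in ROUTES:
        if addr in prefix and (best is None or prefix.prefixlen > best.prefixlen):
            best = prefix
    return ROUTES[best] if best is not None else None


def urpf_strict(src, ingress):
    """reachable-via rx: pass only if the ingress interface is one of the
    (equal-cost) interfaces that lead back toward the source prefix."""
    ifaces = lookup(src)
    return ifaces is not None and ingress in ifaces


def urpf_loose(src):
    """reachable-via any: pass if any route to the source exists at all."""
    return lookup(src) is not None


def decide(src, ingress, mode):
    """Return 'forward' or 'drop' for a packet under the given uRPF mode."""
    if mode == "rx":
        ok = urpf_strict(src, ingress)
    elif mode == "any":
        ok = urpf_loose(src)
    else:
        raise ValueError("mode must be 'rx' or 'any'")
    return "forward" if ok else "drop"


if __name__ == "__main__":
    # Constructed packets: (source address, ingress interface)
    for src, ingress in [("10.1.2.3", "Serial0/1"), ("10.1.5.9", "Serial0/0"),
                         ("203.0.113.7", "FastEthernet0/1")]:
        print(src, ingress, "rx:", decide(src, ingress, "rx"),
              "any:", decide(src, ingress, "any"))
```

Strict mode accepts 10.1.2.3 on either T1 (the equal-cost caveat) but drops 10.1.5.9 on Serial0/0 because the more specific route points at FastEthernet0/0, while loose mode only drops the unrouted 203.0.113.7.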

Check out the Cisco 12.4 documentation on ip verify unicast source reachable-via for more details.
