I am summarizing a number of responses on this thread.

Unicast Reverse Path Forwarding (RPF).

  ip verify unicast reverse-path

This command drops traffic from an interface if that interface is not the route back to the source address. This in effect drops spoofed addresses. It requires that Cisco Express Forwarding (CEF or dCEF) be turned on. It may drop legitimate traffic on a non-stub network with asymmetric traffic, so it's not much use in core routers. The command must be used when configuring an interface, not globally.

Cisco Express Forwarding (CEF) is an advanced Layer 3 IP switching technology. CEF optimizes network performance and scalability for networks with large and dynamic traffic patterns, such as the Internet, and for networks characterized by intensive Web-based applications or interactive sessions. Although you can use CEF in any part of a network, it is designed for high-performance, highly resilient Layer 3 IP backbone switching.

Cisco claims Unicast RPF is not supported in IOS 11.2 or 11.3. Unicast RPF is included in IOS 12.0 on all platforms that support CEF. CEF-supported platforms include Cisco 7000 series routers equipped with RSP7000, 7200 series, 7500 series, 12000 series, and AS5800.

http://www.cisco.com/warp/public/707/newsflash.html
http://www-search.cisco.com/univercd/cc/td/doc/product/software/ios112/ios112p/gsr/cef.htm

Comments from others:

Darren Reed <avalonat_private>: The command is valid on Cisco 1720s with IOS 12.0(3)T3 when configuring in interface mode (fast ethernet) but not globally (no CEF). Have not tested to verify it works. I'm told that it is available on "2600, 3600, 7200 and RSP images" and that the web page needs some fleshing out. Wait and see I guess.

Hugh LaMaster <lamasterat_private>: Well, it was/is in 11.1(17)CC and later CC images, which goes back about 2 or 2-1/2 years or so, and it has been in all 12.0(x)S. I'm not sure about all other 12.0 images, since we have used 11.1(x)CC and 12.0(x)S images since I've been here, but the web pages imply that it is in most/all 12.0 images; the -CC and -S trains are the so-called ISP versions, which transit ISPs use, and which many campuses and Tier 2-4 providers should probably also use on their border and aggregation routers.

"Simon Clausen" <sclausenat_private>: Confirmed the command is available on a Cisco 7206 under IOS 12.0(5)EX2.

Jim Littlefield <littleat_private>: Concludes that "CEF is not an option in IOS (tm) 2500 Software (C2500-I-L), Version 12.0(9)", and thus Unicast RPF does not work.

Nick Krassas <dreamerat_private>: States the command is valid "for all 1700 cisco's ios and 2600 series."

"Jon Snyder" <jonat_private>: Says, "On our AS5300 running a 12.0T release the command is supported."

"Bret Piatt" <dknightat_private>: States, "It's available on all the 12.x I looked on 1400, 1600, 2500, 2600, and 3600 series routers".

Anyone know of similar functionality on routers from other manufacturers (e.g. Nortel, Bay, Juniper, etc)?

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
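The following is an added example, not part of the original thread or of any Cisco code, that models the strict Unicast RPF check described above so the two behaviours the summary mentions can be seen side by side: a packet whose source address is not routed back out its arrival interface is dropped (the anti-spoofing case), and legitimate traffic on an asymmetric path is dropped for exactly the same reason. The routing table, interface names and packets are constructed for the illustration. The model assumes a default route is not accepted as a valid return path; whether real IOS does so is a platform option the thread does not discuss.

```python
import ipaddress

# Constructed sample FIB: (prefix, outgoing interface). Hypothetical, not from the thread.
ROUTES = [
    ("0.0.0.0/0", "Serial0"),          # default route toward the upstream
    ("192.168.10.0/24", "Ethernet0"),  # stub customer LAN
    ("10.1.0.0/16", "Serial1"),        # peer network reached via Serial1
]

# Constructed sample packets: (source address, interface it arrived on).
PACKETS = [
    ("192.168.10.5", "Ethernet0"),  # customer host, correct interface
    ("192.168.10.5", "Serial0"),    # customer address arriving from upstream: spoofed
    ("10.1.2.3", "Serial1"),        # peer traffic on the expected interface
    ("10.1.2.3", "Serial0"),        # same peer, asymmetric path: legitimate but dropped
    ("203.0.113.7", "Serial0"),     # only reachable via default route
]


def best_route(address):
    """Longest-prefix match over ROUTES, as a CEF FIB lookup would do.

    Returns the outgoing interface, or None if the only match is the
    default route (assumption: default is not a valid RPF return path).
    """
    addr = ipaddress.ip_address(address)
    best_net, best_iface = None, None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    if best_net is None or best_net.prefixlen == 0:
        return None
    return best_iface


def rpf_allows(source, ingress):
    """Strict unicast RPF: accept only if the route back to the source
    points out the interface the packet arrived on."""
    return best_route(source) == ingress


def filter_packets(packets):
    """Split packets into (accepted, dropped) under strict RPF."""
    accepted = [p for p in packets if rpf_allows(*p)]
    dropped = [p for p in packets if not rpf_allows(*p)]
    return accepted, dropped


if __name__ == "__main__":
    ok, bad = filter_packets(PACKETS)
    for src, iface in ok:
        print(f"accept {src:15} on {iface}")
    for src, iface in bad:
        print(f"drop   {src:15} on {iface} (route back via {best_route(src)})")
```

The fourth packet is the caveat from the summary: 10.1.2.3 is a real peer address, but because the FIB points back out Serial1 and the packet came in on Serial0, strict RPF drops it. That is why the check belongs on interfaces facing stub networks with a single path, not on core routers carrying asymmetric traffic.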
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:35:50 PDT