Network technologies and trends

May 30 2015   8:05AM GMT

How to Configure uRPF in Strict Mode?

Yasir Irfan

Tags:
Cisco IOS
Cisco security
IP address
router
Topology

In this post let's configure uRPF in strict mode. I have created the topology below using Cisco VIRL, a great tool for testing many things.

uRPF - Strict Mode Topology

As you can see, this topology comprises three routers. R1 and R2 are directly connected via their G0/1 interfaces, configured with the IP addresses 192.168.1.1/24 and 192.168.1.2/24 respectively, whereas R1 and R3 are directly connected using interface G0/2 on R1 and G0/1 on R3.

uRPF Connectivity details

A loopback 0 interface is configured on each of R1 and R2, with the IP addresses 1.1.1.1/21 and 2.2.2.2/32 respectively.

In R1 we will configure a static route for R2's loopback as shown below.

Static Route in R1

This ensures that R1 has a static route for 2.2.2.2 and can reach it successfully.


What happens when an intruder sitting at R3 creates a loopback interface, assigns it the same IP address used on R2, i.e. 2.2.2.2/32, and tries to spoof the R1 network? Exactly in this scenario uRPF comes into the picture.

We need to ensure that CEF is enabled on the router, as uRPF relies on CEF. It is enabled by default, but if it is not, enable it using the following IOS command.

IP CEF disabled

IP Cef Configuration

IP CEF summary

Let's configure uRPF in strict mode using the Cisco IOS interface command

ip verify unicast source reachable-via rx

uRPF configuration on R1

Remember that these two interfaces (G0/1 and G0/2 on R1) are the ones directly connected to routers R2 and R3.

Let's check whether uRPF is enabled on those interfaces using the Cisco IOS command

show ip interface g 0/1 | include verify

uRPF verification on R1

Let's try to ping R1's G0/1 IP address from R2, sourcing the ping from loopback 0. We can see that R2 can ping R1's G0/1 IP address 192.168.1.1.

Ping to R1 from R2 l0

Now imagine there is an intruder trying to ping R1's G0/2 interface IP 192.168.3.1 from R3 using loopback 0 with the IP address 2.2.2.2/32. Let's see what the router does and let's verify the


The packets will make it to R1, but they will be dropped at R1's G0/2 interface. We can verify this using the IOS command “show ip interface (respective interface) | include verify”, as shown below.

uRPF Verification 

This example demonstrates that by using uRPF in strict mode one ensures that every received packet's source is verified against the routing table, and the packet is dropped if it does not match the required criteria.
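As an added illustration (not part of the original post or Cisco's own code), here is a small Python model of the check R1 performs on every packet: the source address is looked up in the FIB, and in strict mode (`reachable-via rx`) the packet passes only if the best path back to that source leaves via the interface the packet arrived on. For comparison it also models loose mode (`reachable-via any`), which the post does not cover. R1's G0/2 subnet is assumed to be 192.168.3.0/24 from the 192.168.3.1 address mentioned in the post.

```python
import ipaddress

# Constructed FIB for R1, taken from the post's topology. The 192.168.3.0/24
# entry is an assumption based on the G0/2 address 192.168.3.1.
R1_FIB = {
    "192.168.1.0/24": "GigabitEthernet0/1",  # connected, towards R2
    "192.168.3.0/24": "GigabitEthernet0/2",  # connected, towards R3 (assumed)
    "2.2.2.2/32": "GigabitEthernet0/1",      # static route to R2's loopback 0
}


def lookup(fib, src):
    """Longest-prefix match: return the egress interface for src, or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_check(fib, src, ingress, mode="rx"):
    """Return True if a packet from src arriving on ingress passes uRPF.

    mode "rx":  strict mode, the best path back to src must leave via ingress.
    mode "any": loose mode, src only needs some route in the FIB.
    """
    iface = lookup(fib, src)
    if iface is None:          # no route back to the source: dropped in both modes
        return False
    if mode == "any":
        return True
    return iface == ingress


def run_post_scenario(fib):
    """Replay the two pings from the post and return the per-interface verdicts."""
    return {
        # R2 pings 192.168.1.1 sourced from loopback 0 (2.2.2.2) via G0/1
        "R2 ping via G0/1": urpf_check(fib, "2.2.2.2", "GigabitEthernet0/1"),
        # The intruder on R3 spoofs 2.2.2.2 and the packet arrives on G0/2
        "R3 spoof via G0/2": urpf_check(fib, "2.2.2.2", "GigabitEthernet0/2"),
    }


if __name__ == "__main__":
    for name, passed in run_post_scenario(R1_FIB).items():
        print(f"{name}: {'forwarded' if passed else 'dropped by uRPF'}")
```

The strict-mode drop of the spoofed packet is exactly what the “verify” counter in `show ip interface g0/2 | include verify` reflects on the real router.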
