Cisco Systems 4500 Switch User Manual

32-5
Software Configuration Guide—Release 15.0(2)SG
OL-23818-01
Chapter 32 Configuring Unicast Reverse Path Forwarding
About Unicast Reverse Path Forwarding
Caution: Using optional BGP attributes such as weight and local preference, you can modify the best path back to the source address. Modification affects the operation of Unicast RPF.
This section provides information about the implementation of Unicast RPF:
Security Policy and Unicast RPF, page 32-5
Where to Use Unicast RPF, page 32-5
Routing Table Requirements, page 32-7
Where Not to Use Unicast RPF, page 32-7
Unicast RPF with BOOTP and DHCP, page 32-8
Security Policy and Unicast RPF
Consider the following points in determining your policy for deploying Unicast RPF:

• Unicast RPF must be applied at the interface downstream from the larger portion of the network, preferably at the edges of your network.

• The farther downstream you apply Unicast RPF, the finer the granularity you have in mitigating address spoofing and in identifying the sources of spoofed addresses. For example, applying Unicast RPF on an aggregation switch helps mitigate attacks from many downstream networks or clients and is simple to administer, but it does not help identify the source of the attack. Applying Unicast RPF at the network access server helps limit the scope of the attack and trace the source of the attack; however, deploying Unicast RPF across many sites does add to the administration cost of operating the network.

• The more entities that deploy Unicast RPF across Internet, intranet, and extranet resources, the better the chances of mitigating large-scale network disruptions throughout the Internet community, and the better the chances of tracing the source of an attack.

• Unicast RPF will not inspect IP packets encapsulated in tunnels, such as GRE, L2TP, or PPTP. Unicast RPF must be configured at a home gateway so that Unicast RPF processes network traffic only after the tunneling and encryption layers have been stripped off the packets.
Where to Use Unicast RPF
Unicast RPF can be used in any single-homed environment where there is essentially only one access point out of the network; that is, one upstream connection. Networks having one access point offer the best example of symmetric routing, which means that the interface where a packet enters the network is also the best return path to the source of the IP packet. Unicast RPF is best used at the network perimeter for Internet, intranet, or extranet environments, or in ISP environments for customer network terminations.
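The symmetric-routing condition described above can be modelled directly: strict-mode Unicast RPF permits a packet only when the longest-prefix route back to its source address exits via the interface the packet arrived on. The following Python is an added example, not code from the Cisco guide; its routing table, interface names and sample packets are constructed, and treating a default route as a valid return path only when allow_default is set is a modelling choice made here.

```python
"""Strict-mode Unicast RPF modelled in Python (added example, not Cisco code).
A packet passes only if the best route back to its source address exits via
the interface the packet arrived on. Routes and packets are constructed."""
import ipaddress

# Constructed FIB: (prefix, egress interface). Longest prefix match wins.
ROUTES = [
    ("0.0.0.0/0", "Gi1/1"),       # default route toward the single ISP uplink
    ("10.10.0.0/16", "Gi1/2"),    # downstream access network
    ("10.10.5.0/24", "Gi1/3"),    # more specific downstream subnet
    ("192.168.0.0/16", "Null0"),  # black-holed space: never a legitimate source
]

def best_route(ip):
    """Longest-prefix lookup; returns (network, egress interface) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def strict_rpf(src, ingress, allow_default=False):
    """Return (verdict, reason). Null0 routes always fail; a default route
    satisfies the check only when allow_default is set (a modelling choice)."""
    route = best_route(src)
    if route is None:
        return ("drop", "no route to source")
    net, iface = route
    if iface == "Null0":
        return ("drop", "source is black-holed")
    if net.prefixlen == 0 and not allow_default:
        return ("drop", "only a default route covers the source")
    if iface != ingress:
        return ("drop", f"return path is {iface}, packet arrived on {ingress}")
    return ("permit", f"return path {iface} matches ingress")

def check_packets():
    # Constructed (source, ingress interface, allow_default) packets.
    packets = [
        ("10.10.5.9", "Gi1/3", False),    # legitimate, symmetric path
        ("10.10.5.9", "Gi1/1", False),    # inside address arriving from the ISP
        ("192.168.1.1", "Gi1/2", False),  # private space spoofed by a downstream host
        ("10.10.7.3", "Gi1/3", False),    # asymmetric: /16 points to Gi1/2
        ("203.0.113.7", "Gi1/1", False),  # Internet source, default route not trusted
        ("203.0.113.7", "Gi1/1", True),   # same packet with default route accepted
    ]
    return [(s, i, d, strict_rpf(s, i, d)[0]) for s, i, d in packets]

if __name__ == "__main__":
    print(*check_packets(), sep="\n")
```

The fourth packet shows why the guide restricts Unicast RPF to single-homed, symmetric topologies: a legitimate source reached over a different interface than the one it arrived on is dropped exactly like a spoofed one.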
Enterprise Networks with a Single Connection to an ISP
In enterprise networks, one objective of using Unicast RPF for filtering traffic at the input interface (a process called ingress filtering) is for protection from malformed packets arriving from the Internet. Traditionally, local networks with one connection to the Internet use ACLs at the receiving interface to prevent spoofed packets from the Internet from entering their local network.