Cisco Systems 4500 Switch User Manual


Software Configuration Guide—Release 15.0(2)SG
OL-23818-01
Chapter 32 Configuring Unicast Reverse Path Forwarding
Unicast RPF Configuration Tasks
Ingress filtering applies filters to traffic received at a network interface from either internal or
external networks. With ingress filtering, packets that arrive from other networks or the Internet
and that have a source address that matches a local network, private, or broadcast address are
dropped. In ISP environments, for example, ingress filtering can apply to traffic received at the
switch from either the client (customer) or the Internet.
Egress filtering applies filters to traffic exiting a network interface (the sending interface). By
filtering packets on switches that connect your network to the Internet or to other networks, you
can permit only packets with valid source IP addresses to leave your network.
For more information on network filtering, refer to RFC 2267 and to the Cisco IOS IP Configuration
Guide.
Prerequisites to Configuring Unicast RPF
Prior to configuring Unicast RPF, configure ACLs:
• Configure standard or extended ACLs to mitigate transmission of invalid IP addresses (perform
  egress filtering). Permit only valid source addresses to leave your network and get onto the Internet.
  Prevent all other source addresses from leaving your network for the Internet.
• Configure standard or extended ACL entries to drop (deny) packets that have invalid source IP
  addresses (perform ingress filtering). Invalid source IP addresses include the following types:
  – Reserved addresses
  – Loopback addresses
  – Private addresses (RFC 1918, Address Allocation for Private Internets)
  – Broadcast addresses (including multicast addresses)
  – Source addresses that fall outside the range of valid addresses associated with the protected
    network
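The ingress and egress rules described above can be modelled and checked before they are written as ACLs. The following is an added example, not taken from the Cisco guide. It assumes a protected network of 192.0.2.0/24 (a documentation prefix), and the concrete prefixes chosen for each invalid-source category and all function names are this example's own.

```python
import ipaddress

# Assumption: the protected network; 192.0.2.0/24 is a documentation prefix.
PROTECTED = ipaddress.ip_network("192.0.2.0/24")

# Invalid source ranges for the categories in the list above, checked in order.
INVALID_SOURCES = [(label, ipaddress.ip_network(net)) for label, net in [
    ("broadcast", "255.255.255.255/32"),
    ("multicast", "224.0.0.0/4"),
    ("loopback", "127.0.0.0/8"),
    ("private", "10.0.0.0/8"),
    ("private", "172.16.0.0/12"),
    ("private", "192.168.0.0/16"),
    ("reserved", "0.0.0.0/8"),
    ("reserved", "240.0.0.0/4"),
]]

def ingress_verdict(src):
    """Packet arriving from an outside network: returns (action, reason)."""
    addr = ipaddress.ip_address(src)
    for label, net in INVALID_SOURCES:
        if addr in net:
            return "deny", label
    if addr in PROTECTED:
        # A source inside our own prefix cannot legitimately arrive from outside.
        return "deny", "local"
    return "permit", "valid"

def egress_verdict(src):
    """Packet leaving the protected network: only its own sources may exit."""
    if ipaddress.ip_address(src) in PROTECTED:
        return "permit", "valid"
    return "deny", "outside protected range"

def ingress_acl_entries():
    """Render the ingress rules as extended-ACL entries (network + wildcard mask)."""
    nets = [net for _, net in INVALID_SOURCES] + [PROTECTED]
    lines = [f"deny ip {n.network_address} {n.hostmask} any" for n in nets]
    return lines + ["permit ip any any"]

if __name__ == "__main__":
    # Constructed sample source addresses.
    for src in ["10.1.2.3", "192.0.2.77", "198.51.100.9", "239.1.1.1"]:
        print(src, "ingress:", ingress_verdict(src), "egress:", egress_verdict(src))
    print("\n".join(ingress_acl_entries()))
```

The rendered entries use the network-plus-wildcard form of extended ACL entries; the ACL name and the interface they are applied to are left to the deployment.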
Unicast RPF Configuration Tasks
The following sections describe the configuration tasks for Unicast RPF. Each task in the list is identified
as either optional or required.
• Configuring Unicast RPF, page 32-9 (Required)
• Verifying Unicast RPF, page 32-10 (Optional)
See the section “Unicast RPF Configuration Example: Inbound and Outbound Filters” at the end of this
chapter.
Configuring Unicast RPF
Unicast RPF is an input-side function that is enabled on an interface and operates on IP packets
received by the switch.