From CCIE Study Wiki
Reverse-Path Forwarding (RPF) allows IOS to examine the source IP of packets arriving on an interface and discard those packets that fail the check.
Theory
Two flavors of this command exist:
- Strict RPF - The router checks to see if the route matching the packet's source IP uses an outgoing interface that is the same interface on which the packet was received. If not, the packet is discarded. This is how the Multicast RPF operates as well.
- Loose RPF - The router checks for ANY route that can be used to reach the source IP.
This feature is useful for deterring directed broadcast or smurf attacks, which rely on packets with spoofed source addresses.
IOS configuration options for this feature include the ability to verify connectivity to the source via ping, choosing whether or not to use the default route when making an RPF check, and limiting the addresses for which the RPF check can be made via an ACL.
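The strict and loose decisions and the default-route option described above, modelled in Python as an added example (not from the original page, and not IOS code). The routing table, interface names and function names are constructed for illustration.

```python
import ipaddress

# Constructed routing table for the example: (prefix, outgoing interface).
ROUTES = [
    ("10.1.0.0/16", "Gi0/0"),
    ("10.2.0.0/16", "Gi0/1"),
    ("0.0.0.0/0", "Gi0/2"),   # default route toward the upstream
]

def best_route(src, routes=ROUTES):
    """Longest-prefix match for the packet's *source* address."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), i) for p, i in routes
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def urpf_permits(src, in_if, mode="rx", allow_default=False, routes=ROUTES):
    """Return True if the packet passes the modelled check, False if dropped.

    mode "rx"  = strict: the route back to the source must use in_if.
    mode "any" = loose: any route back to the source is enough.
    """
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' or 'any'")
    route = best_route(src, routes)
    if route is None:
        return False                      # no route to the source at all
    net, out_if = route
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route matched
    return mode == "any" or out_if == in_if

if __name__ == "__main__":
    # Constructed sample packets: (source IP, receiving interface).
    packets = [("10.1.5.5", "Gi0/0"),      # arrives where its route points
               ("10.1.5.5", "Gi0/1"),      # same source, wrong interface
               ("198.51.100.7", "Gi0/2")]  # reachable only via the default
    for src, in_if in packets:
        for mode in ("rx", "any"):
            for allow in (False, True):
                verdict = "permit" if urpf_permits(src, in_if, mode, allow) else "drop"
                print(f"{src:>13} on {in_if} mode={mode:<3} "
                      f"allow-default={allow!s:<5} -> {verdict}")
```

The second sample packet shows the practical difference between the modes: a source that is routable but arrives on the wrong interface is dropped by strict RPF and permitted by loose RPF.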
Commands
- ip verify unicast source reachable-via [rx|any] [allow-default] [allow-self-ping] [list] (interface) - enables unicast RPF on an interface. The rx keyword enables strict RPF, while the any keyword enables loose RPF.
Default Settings
- By default, this feature will NOT use default routes when performing the check.
Verification
Troubleshooting, Tips, and Tricks
Online Resources