Configuring uRPF on Cisco Routers & Firewalls

uRPF (Unicast Reverse Path Forwarding) is a security feature present in Cisco ISR routers running IOS-XR, ASA firewalls, and Secure Firewall Threat Defense (FTD) firewalls. It verifies the source address of incoming packets against the routing table, which reduces malicious traffic and IP spoofing in networks. In this tutorial, you’ll learn how to configure uRPF on Cisco devices.

Understanding uRPF

Standard Routing: Normally, a device checks if the packet’s destination address exists in the routing table.

uRPF’s Role: uRPF ensures packets have a valid source IP that matches the correct incoming interface.

Routing Modes:

  • Strict Mode:
    • Accepts the packet if its source IP address is in the routing table and is reachable via the interface it arrived on.
    • Ideal for symmetric routing environments.
    • There’s a risk of dropping valid traffic if asymmetric routes are present.
  • Loose Mode:
    • Accepts the packet if its source IP address is in the routing table.
    • Best for asymmetric routing, where different interfaces handle incoming and outgoing traffic.
    • Drops packets sourced from an IP with a null0 route.
    • To allow traffic via the default route (without an explicit entry in the routing table), use the “allow-default” keyword.

Configuring uRPF on IOS-XR Router

Let’s step through setting up uRPF on a Cisco IOS-XR router.

Step 1. Loose Mode:

We can configure Loose Mode on an interface by adding the following command, ending with the keyword ‘any’.

interface GigabitEthernet0/0
ip verify unicast source reachable-via any

Step 2. Strict Mode:

We can configure Strict Mode on an interface by adding the following command, ending with the keyword ‘rx’.

interface GigabitEthernet0/0
ip verify unicast source reachable-via rx

Step 3. Allowing Default Route:

To accept traffic from source subnets that don’t have an explicit entry in the routing table, we need to let the check match the default route by adding the ‘allow-default’ keyword.

interface GigabitEthernet0/0
ip verify unicast source reachable-via any|rx allow-default

Step 4. Using Access Control Lists (ACLs):

Normally packets that fail the uRPF check are silently dropped. An ACL can define exceptions (sources that are forwarded even though they failed the check) and log the packets that are still dropped, which helps in troubleshooting. This is optional but recommended. Here is an example ACL configuration:

! Standard ACL 10 is consulted only for packets that FAIL the RPF check:
! a permit entry forwards the packet anyway (the exception), a deny entry drops it.
! The optional word after 'log' is a user-defined cookie that tags the syslog message.
access-list 10 remark URPF
access-list 10 permit 192.168.2.0 0.0.0.255 log EXCEPTION
access-list 10 deny any log URPF
interface GigabitEthernet0/0
ip verify unicast source reachable-via any 10
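As an added example (not from the original tutorial), the following Python models the decision logic described under Routing Modes and in Step 4: a longest-prefix lookup of the source address, strict (‘rx’) versus loose (‘any’) mode, the allow-default and null0 cases, and an ACL exception that is consulted only for packets that failed the check. The routing table, interface names and prefixes are constructed for the illustration.

```python
import ipaddress
from typing import Optional

# Constructed routing table: prefix -> outgoing interface (not from the page).
ROUTES = {
    "0.0.0.0/0":      "Gi0/1",   # default route toward the upstream
    "192.168.2.0/24": "Gi0/0",   # LAN behind Gi0/0
    "192.168.9.0/24": "Gi0/1",   # another site, reached via Gi0/1
    "203.0.113.0/24": "Null0",   # blackholed prefix
}

def lookup(src: str) -> Optional[tuple]:
    """Longest-prefix match of the source address, as the RIB lookup uRPF performs."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_check(src: str, ingress: str, mode: str, allow_default: bool = False,
               acl_exceptions: tuple = ()) -> str:
    """Return 'forward' or 'drop' for a packet with source src arriving on ingress.
    mode is 'rx' (strict) or 'any' (loose), mirroring reachable-via rx|any."""
    match = lookup(src)
    # A default-route match only counts when allow-default is configured.
    if match is not None and match[0].prefixlen == 0 and not allow_default:
        match = None
    passed = False
    if match is not None and match[1] != "Null0":   # null0 routes fail in both modes
        # Loose mode needs any usable route; strict mode needs it via the ingress interface.
        passed = (mode == "any") or (match[1] == ingress)
    if not passed:
        # The ACL is consulted only after the RPF check failed: a permit entry
        # lets the packet through (the 'EXCEPTION' case in the ACL above).
        addr = ipaddress.ip_address(src)
        passed = any(addr in ipaddress.ip_network(n) for n in acl_exceptions)
    return "forward" if passed else "drop"
```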

Step 5. Verification on IOS-XE

To see dropped packets due to uRPF, use ‘show ip traffic’:

show ip traffic
IP statistics:
Rcvd: 3548 total, 3548 local destination
0 format errors, 0 checksum errors, 0 bad hop count
0 unknown protocol, 0 not a gateway
0 security failures, 0 bad options, 0 with options
Opts: 0 end, 0 nop, 0 basic security, 0 loose source route
0 timestamp, 0 extended security, 0 record route
0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
0 other
Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
0 fragmented, 0 couldn't fragment
0 invalid hole
Bcast: 140 received, 0 sent
Mcast: 567 received, 565 sent
Sent: 1345 generated, 492 forwarded
Drop: 0 encapsulation failed, 0 unresolved, 0 no adjacency
0 no route, 34 unicast RPF, 0 forced drop
0 options denied, 0 source IP address zero

In the output we can see 34 unicast RPF packets were dropped, showing the configuration is working.

To confirm uRPF configuration, run:

show ip int gi0/0 | begin verify
IP verify source reachable-via RX, ACL 10
34 verification drops
3 suppressed verification drops
0 verification drop-rate

From this output we can see the ACL we created is being applied and it has dropped 34 packets.

Configuring uRPF on ASA Firewalls

On ASA devices uRPF is enabled per interface, referencing the interface’s `nameif` name. ASA supports only strict mode. ICMP packets are checked individually, while for UDP and TCP the check is tied to the session state.

Step 1. Configuration:

ip verify reverse-path interface OUTSIDE
ip verify reverse-path interface INSIDE

Step 2. Verification on ASA

Ensure logging is enabled. If uRPF drops a packet, you’ll see:

%ASA-1-105194: Deny ICMP reverse path check from 192.168.9.2 to 192.168.2.2 on interface INSIDE

Confirm that the drop counter is increasing with:

show asp drop frame rpf-violated

In our output we will see:

Reverse-path verify failed (rpf-violated) 9

And that’s it. Pretty simple. Just a few lines of commands and you can enhance your network’s security by setting up uRPF on Cisco routers and firewalls, ensuring that incoming packets carry a source address that is reachable according to the routing table.
