The show ip policy and show route-map commands can be used to verify PBR configuration and display
packet statistics for each policy.
Unicast Reverse Path Forwarding (uRPF)
The uRPF feature is a security tool that helps mitigate source IP address spoofing by discarding IP packets whose source address cannot be verified against the IP routing table. Several DoS/DDoS attacks forge or rapidly change source IP addresses to evade threat detection and filtering mechanisms. By discarding packets with unverifiable sources, uRPF thwarts DoS attacks that rely on IP spoofing. uRPF should be deployed at the network edge or on the border/gateway device of the network.
There are two flavors of uRPF implementation:
Strict mode, which implements the network ingress filtering described in RFC 2827 (Best Current Practice 38, BCP 38), for the network ingress edge
Loose mode, for ISP-to-ISP edges and for remotely triggered black hole (RTBH) filtering
How uRPF Works
As illustrated in Figure 7-9, the router examines every packet arriving on a uRPF-enabled interface and forwards only those that pass the uRPF check: the source address appears in the routing table, and the route to it points out the interface on which the packet was received. In other words, each packet's source IP address is checked to ensure that the return path to that source uses the same interface the packet arrived on.
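A small model of the strict and loose checks just described, written as an added example (not from the book or any vendor implementation): a constructed routing table is searched by longest-prefix match, and a packet's source address is accepted in strict mode only when the matching route points back out the interface the packet arrived on, while loose mode accepts any routable source. The interface names, prefixes, sample packets and the `allow_default` switch (modelling the common behaviour that a default route does not count as a verifiable source unless explicitly allowed) are assumptions for the illustration.

```python
import ipaddress

# Constructed sample routing table (RIB): prefix -> egress interface.
# The most specific (longest) matching prefix wins, as in a real forwarding table.
ROUTING_TABLE = {
    "0.0.0.0/0": "Gi0/0",        # default route toward the upstream ISP
    "203.0.113.0/24": "Gi0/0",   # upstream link
    "192.0.2.0/24": "Gi0/1",     # customer LAN A
    "198.51.100.0/24": "Gi0/2",  # customer LAN B
}


def lookup(rib, addr, allow_default=False):
    """Longest-prefix match: return the egress interface for addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in rib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue  # assumption: a default route is not a verifiable source route
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_check(rib, src, ingress_iface, mode="strict", allow_default=False):
    """Return True if a packet from src arriving on ingress_iface passes uRPF."""
    egress = lookup(rib, src, allow_default)
    if egress is None:
        return False              # source absent from the routing table: drop in both modes
    if mode == "loose":
        return True               # loose: any route to the source suffices
    # Strict: the best route to the source must point back out the ingress interface.
    # Note that asymmetric routing makes legitimate traffic fail this test, which is
    # why loose mode is the choice at ISP-to-ISP edges.
    return egress == ingress_iface


def filter_packets(rib, packets, mode="strict"):
    """Apply the check to (src, ingress_iface) pairs; return (passed, dropped)."""
    passed = [p for p in packets if urpf_check(rib, p[0], p[1], mode)]
    dropped = [p for p in packets if p not in passed]
    return passed, dropped


if __name__ == "__main__":
    # Constructed packets: the second one claims a customer source but arrived from upstream.
    sample = [("192.0.2.10", "Gi0/1"), ("192.0.2.10", "Gi0/0"), ("10.0.0.5", "Gi0/0")]
    print(filter_packets(ROUTING_TABLE, sample, "strict"))
```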