IP Switching Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
ip cache-invalidate-delay through monitor event-trace cef ipv6 global
Downloads: This chapterpdf (PDF - 267.0KB) The complete bookPDF (PDF - 891.0KB) | Feedback

ip cache-invalidate-delay through monitor event-trace cef ipv6 global

ip cache-invalidate-delay through monitor event-trace cef ipv6 global

ipv6 verify unicast source reachable-via

To verify that a source address exists in the FIB table and enable Unicast Reverse Path Forwarding (Unicast RPF), use the ipv6 verify unicast source reachable-via command in interface configuration mode. To disable URPF, use the no form of this command.

ipv6 verify unicast source reachable-via { rx | any } [allow-default] [allow-self-ping] [access-list-name]

no ipv6 verify unicast

Syntax Description

rx

Source is reachable through the interface on which the packet was received.

any

Source is reachable through any interface.

allow-default

(Optional) Allows the lookup table to match the default route and use the route for verification.

allow-self-ping

(Optional) Allows the router to ping a secondary address.

access-list-name

(Optional) Name of the IPv6 access list. Names cannot contain a space or quotation mark, or begin with a numeral.

Command Default

Unicast RPF is disabled.

Command Modes


Interface configuration (config-if)

Command History

Release

Modification

12.2(25)S

This command was introduced.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Aggregation Services Routers.

Usage Guidelines

The ipv6 verify unicast reverse-path command is used to enable Unicast RPF for IPv6 in loose checking mode.

Use the ipv6 verify unicast source reachable-viacommand to mitigate problems caused by malformed or forged (spoofed) IP source addresses that pass through an IPv6 router. Malformed or forged source addresses can indicate denial-of-service (DoS) attacks based on source IPv6 address spoofing.

The URPF feature checks to see if any packet received at a router interface arrives on one of the best return paths to the source of the packet. The feature does this by doing a reverse lookup in the CEF table. If URPF does not find a reverse path for the packet, U RPF can drop or forward the packet, depending on whether an access control list (ACL) is specified in the ipv6 verify unicast source reachable-via command. If an ACL is specified in the command, then when (and only when) a packet fails the URPF check, the ACL is checked to see if the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). Whether a packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for U RPF drops and in the interface statistics for Unicast RPF.

If no ACL is specified in the ipv6 verify unicast source reachable-via command, the router drops the forged or malformed packet immediately and no ACL logging occurs. The router and interface Unicast RPF counters are updated.

U RPF events can be logged by specifying the logging option for the ACL entries used by the ipv6 verify unicast source reachable-via command. Log information can be used to gather information about the attack, such as source address, time, and so on.

Examples

The following example enables Unicast RPF on any interface:

ipv6 verify unicast source reachable-via any

Related Commands

Command

Description

ipv6 access-list

Defines an IPv6 access list and places the router in IPv6 access list configuration mode.

show ipv6 interface

Displays the usability status of interfaces configured for IPv6.