The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The CISCO-IP-URPF-MIB support provides Simple Network Management Protocol (SNMP) notification when a specified drop-rate threshold on a managed device is exceeded. You can use the IP Unicast Reverse Path Forwarding (RPF) feature to avert denial of service (DoS) attacks by verifying the validity of the source IP of an incoming packet. You can configure the Unicast RPF drop-rate threshold globally for a device or per interface.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Before you configure CISCO-IP-URPF-MIB, you must configure the following features:
Unicast RPF is a security feature that verifies the validity of the source IP of an incoming packet. When a packet arrives at an interface and its source IP is unknown in the routing table or is a known bad source address, Unicast RPF drops the packet. IP verification of the source is done to prevent the DoS attacks by detecting problems with the incoming packets on an interface. However, deploying Unicast RPF without some automated monitoring capability is a challenge.
The CISCO-IP-URPF-MIB lets you specify a Unicast RPF drop-rate threshold on interfaces of a managed device that will send an SNMP notification when the threshold is exceeded. The MIB includes objects for specifying global and per-interface drop counts and drop rates and a method to generate SNMP traps when the drop rate exceeds a configurable per-interface threshold.
Although you can configure some parameters globally, you must configure the CISCO-IP-URPF-MIB on individual interfaces.
The elements described in the following sections make Unicast RPF drop-rate notification work:
Whenever Unicast RPF is configured on an interface, the drop-rate calculation is done periodically (at intervals specified by the cipUrpfComputeInterval object). Drop rates are computed over a constantly sliding window, whose period starts at the configured number of seconds before the calculation and ends with the performance of the calculation.
The following global scalars affect how the MIB agent computes all drop rates and generates notifications:
The CISCO-IP-URPF-MIB includes the following global tables:
The following MIB objects enable per-interface configuration:
The following MIB objects track per-interface statistics:
Perform this task to configure the Unicast RPF drop-rate threshold and computation parameters for notification via syslog.
Perform this task to configure the Unicast RPF drop-rate threshold and computation parameters for notification via SNMP.
Command or Action | Purpose | |||
---|---|---|---|---|
|
Example: Router> enable |
Enables privileged EXEC mode.
|
||
|
Example: Router# configure terminal |
Enters global configuration mode. |
||
|
Example: Router(config)# ip verify drop-rate compute window 60 |
Configures the period of time, in seconds, over which the Unicast RPF drop count used in the drop-rate computation is collected.
|
||
|
Example: Router(config)# ip verify drop-rate compute interval 60 |
Configures the interval of time, in seconds, between Unicast RPF drop-rate computations.
|
||
|
Example: Router(config)# ip verify drop-rate notify hold-down 60 |
Configures the minimum time, in seconds, between Unicast RPF drop-rate notifications.
|
||
|
Example: Router(config)# interface ethernet 3/0 |
Configures an interface and enters interface configuration mode. |
||
|
Example: Router(config-if)# ip verify unicast notification threshold 750 |
Configures the threshold value, in packets per second, which determines whether to send a Unicast RPF drop-rate notification.
|
||
|
Example: Router(config-if)# snmp trap ip verify drop-rate |
Configures the router to send an SNMP notification when the Unicast RPF drop rate exceeds the configured threshold. |
||
|
Example: Router(config-if)# end |
Returns to privileged EXEC mode. |
||
|
Example: Router# show ip interface ethernet 2/3 |
(Optional) Displays the verification drop rate and the number of verification drops when Unicast RPF is configured for an interface. |
||
|
Example: Router# debug ip verify mib |
(Optional) Displays output that is useful for troubleshooting Unicast RPF notification. |
The following example shows how to configure Unicast RPF drop-rate notification via syslog:
Router> enable Router# configure terminal Router(config)# ip verify drop-rate compute window 60 Router(config)# ip verify drop-rate compute interval 60 Router(config)# ip verify drop-rate notify hold-down 60 Router(config)# i nterface ethernet 3/0 Router(config-if)# ip verify unicast notification threshold 750 Router(config-if)# end
The following example shows how to configure Unicast RPF drop-rate notification via SNMP:
Router> enable Router# configure terminal Router(config)# ip verify drop-rate compute window 60 Router(config)# ip verify drop-rate compute interval 60 Router(config)# ip verify drop-rate notify hold-down 60 Router(config)# interface ethernet 3/0 Router(config-if)# ip verify unicast notification threshold 750 Router(config-if)# snmp trap ip verify drop-rate Router(config-if)# end
The following is sample output from the show ip interface command. The output displays the verification drop rate and the number of verification drops when Unicast RPF is configured for an interface. The last five lines in the following example show the output of the show ip interfacecommand when Unicast RPF is configured:
Router# show ip interface ethernet 2/3
Ethernet2/3 is up, line protocol is up
Internet address is 10.10.5.4/16
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Null turbo vector
IP Null turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
IP route-cache flags are No CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
Input features: uRPF
IP verify source reachable-via RX, allow default
0 verification drops
0 suppressed verification drops
0 verification drop-rate
Router#
The following is sample output from the debug ip verify mib command. The command displays output that is useful for troubleshooting Unicast RPF notification:
Router# debug ip verify mib
01:29:45: cipUrpfScalar_get, searchType 161
01:29:45: ipurpfmib_get_scalars
01:29:45: cipUrpfScalar_get, searchType 161
01:29:45: cipUrpfScalar_get, searchType 161
01:29:45: ipurpfmib_get_scalars
01:29:45: cipUrpfScalar_get, searchType 161
01:29:45: cipUrpfScalar_get, searchType 161
01:29:45: ipurpfmib_get_scalars
01:29:45: cipUrpfScalar_get, searchType 161ipurpfmib_get_urpf_entryipurpfmib_get_urpf_entryipurpfmib_get_urpf_entryipurpfmib_get_
urpf_entry
01:29:45: cipUrpfIfMonEntry_get, searchType 161
01:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 1
01:29:45: cipUrpfIfMonEntry_get, searchType 161
01:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 1
01:29:45: cipUrpfIfMonEntry_get, searchType 161
01:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 1
01:29:45: cipUrpfIfMonEntry_get, searchType 161
01:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 1
01:29:45: cipUrpfIfMonEntry_get, searchType 161
01:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 1
01:29:45: cipUrpfIfMonEntry_get, searchType 161
01:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 1
01:29:45: cipUrpfIfMonEntry_get, searchType 161
01:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 1
01:29:45: cipUrpfIfMonEntry_get, searchType 161
01:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 1
01:29:45: cipUrpfIfMonEntry_get, searchType 161
01:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 1
01:29:45: cipUrpfIfMonEntry_get, searchType 161
01:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 1
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
Security commands |
Cisco IOS Security Command Reference |
Configuring Unicast RPF |
"Configuring Unicast Reverse Path Forwarding" module in the Cisco IOS Security Configuration Guide: Securing the Data Plane |
Configuring SNMP |
"Configuring SNMP Support" module in the Network Management Configuration Guide |
MIB |
MIBs Link |
---|---|
CISCO-IP-URPF-MIB |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFC |
Title |
---|---|
None |
-- |
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1 | Feature Information for CISCO-IP-URPF-MIB Support |
Feature Name |
Releases |
Feature Information |
---|---|---|
CISCO-IP-URPF-MIB Support |
12.2(31)SB2 12.2(33)SRC 12.4(20)T 12.2(33)SXI2 12.2(50)SY |
The CISCO-IP-URPF-MIB provides SNMP notification when a specified drop-rate threshold on a managed device is exceeded. You can use the IP Unicast RPF feature to avert DoS attacks by verifying the validity of the source IP of an incoming packet. You can configure the Unicast RPF drop-rate threshold globally for a device or per interface. The following commands were introduced or modified: debug ip verify mib, ip verify drop-rate compute interval, ip verify drop-rate compute window, ip verify drop-rate notify hold-down, ip verify unicast notification threshold, show ip interface, snmp trap ip verify drop-rate |