CISCO-IP-URPF-MIB Support [Cisco IOS and NX-OS Software]

Table Of Contents

CISCO-IP-URPF-MIB Support

Finding Feature Information

Contents

Prerequisites for CISCO-IP-URPF-MIB Support

Restrictions for CISCO-IP-URPF-MIB Support

Information About CISCO-IP-URPF-MIB Support

Implementation of Unicast RPF Notification

Elements of Unicast RPF Notification

Global Scalars

Global Tables

Per-Interface Statistics

Per-Interface Configuration

Drop-Rate Computation

How to Configure Unicast RPF Drop-Rate Notification

Configuring Unicast RPF Drop-Rate Notification via Syslog

Configuring Unicast RPF Drop-Rate Notification via SNMP

Verifying the Unicast RPF Configuration

Examples

Configuration Examples for CISCO-IP-URPF-MIB Support

Configuring Unicast RPF Drop-Rate Notification via Syslog: Example

Configuring Unicast RPF Drop-Rate Notification via SNMP: Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Feature Information for CISCO-IP-URPF-MIB Support

CISCO-IP-URPF-MIB Support

First Published: December 4, 2006

Last Updated: July 2, 2009

The CISCO-IP-URPF-MIB provides Simple Network Management Protocol (SNMP) notification when a specified drop-rate threshold on a managed device is exceeded. You use the IP Unicast Reverse Path Forwarding (RPF) feature to avert denial of service (DoS) attacks by verifying the validity of the source IP of an incoming packet. You can configure the Unicast RPF drop-rate threshold globally for a device or per interface.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for CISCO-IP-URPF-MIB Support" section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

•Prerequisites for CISCO-IP-URPF-MIB Support

•Restrictions for CISCO-IP-URPF-MIB Support

•Information About CISCO-IP-URPF-MIB Support

•How to Configure Unicast RPF Drop-Rate Notification

•Configuration Examples for CISCO-IP-URPF-MIB Support

•Additional References

•Feature Information for CISCO-IP-URPF-MIB Support

Prerequisites for CISCO-IP-URPF-MIB Support

Cisco IOS support for the CISCO-IP-URPF-MIB requires that the following features are configured on the device:

•Unicast RPF

•Cisco Express Forwarding (CEF) switching

•IP Routing

•SNMP

Restrictions for CISCO-IP-URPF-MIB Support

•Because Cisco IOS does not support Virtual Private Network (VPN) routing and forwarding- (VRF)- specific Unicast RPF counters, it does not support the following MIB objects related to VRF:

–cipUrpfIfVrfName

–cipUrpfVrfName

–cipUrpfVrfIfDrops

–cipUrpfVrfIfDiscontinuityTime

•This implementation of the CISCO-IP-URPF MIB supports only IPv4.

Information About CISCO-IP-URPF-MIB Support

To configure a notification threshold for Unicast RPF dropped packets, you should understand the following concepts:

•Implementation of Unicast RPF Notification

•Elements of Unicast RPF Notification

Implementation of Unicast RPF Notification

Unicast RPF is a security feature that verifies the validity of the source IP of an incoming packet. When a packet arrives at an interface and its source IP is unknown in the routing table or is a known bad source address, Unicast RPF drops the packet. Source IP verification is done to prevent denial of service (DoS) attacks by detecting problems with the incoming packets on an interface. However, Unicast RPF is challenging to deploy without some automated monitoring capability.

The CISCO-IP-URPF-MIB lets you specify a Unicast RPF drop-rate threshold on interfaces of a managed device, which sends an SNMP notification when the threshold is exceeded. The MIB includes objects for specifying global and per-interface drop counts and drop rates as well as a way to generate SNMP traps when the drop rate exceeds a configurable per-interface threshold.

Although you can configure some parameters globally, you must configure this feature on individual interfaces.

Elements of Unicast RPF Notification

The following elements make Unicast RPF drop-rate notification work:

•Global Scalars

•Global Tables

•Per-Interface Statistics

•Per-Interface Configuration

•Drop-Rate Computation

Global Scalars

The following global scalars affect how the MIB agent computes all drop rates and generates notifications:

•cipUrpfDropRateWindow—This object specifies the window of time in the recent past over which the computation occurs. If there was no window (that is, the window is the epoch since booting up), an identical drop count burst at a later time would produce a smaller drop rate than one occurring earlier.

•cipUrpfComputeInterval—This object specifies how often the drop-rate computation occurs.

•cipUrpfDropNotifyHoldDownTime—This object specifies the minimum time between notifications for a particular packet flow on an interface.

Global Tables

The CISCO-IP-URPF-MIB includes the following global tables:

•cipUrpfTable—This table contains global drop count and drop-rate objects per packet flow. These global rates are useful for determining quickly whether the managed device has Unicast RPF activity at a specific time.

•cipUrpfVrfTable—This table lets you index drop counters by VRF (if a VRF routing table is used to determine Unicast RPF checking). The table provides a way to index all the Unicast RPF-enabled interfaces by VRF.

Per-Interface Statistics

The following MIB objects track per-interface statistics:

•cipUrpfIfMonTable—This table contains the statistics for a particular packet flow on an interface.

•cipUrpfIfDrops—This object accumulates Unicast RPF drops on an interface. Snapshots of this value are used in the drop-rate computation. The computed drop rate is specified in the cipUrpfIfDropRate object. If Unicast RPF is configured on a subinterface, drop rates are computed.

Per-Interface Configuration

The following MIB objects enable per-interface configuration:

•cipUrpfIfDropRateNotifyEnable—This object specifies whether the system produces the cipUrpfIfDropRateNotify notification because Unicast RPF has dropped version cipUrpfIfIpVersion IP packets on the specified interface.

•cipUrpfIfNotifyDropRateThreshold—This object specifies the drop-rate threshold value above which a notification is generated.

Drop-Rate Computation

Whenever Unicast RPF is configured on an interface, the drop-rate calculation is done periodically (at intervals specified by the cipUrpfComputeInterval object). Drop rates are computed over a constantly-sliding window, which covers the period starting at the configured number of seconds before the calculation and ending with the performance of the calculation.

How to Configure Unicast RPF Drop-Rate Notification

This section contains the following procedures:

•Configuring Unicast RPF Drop-Rate Notification via Syslog

•Configuring Unicast RPF Drop-Rate Notification via SNMP

•Verifying the Unicast RPF Configuration

Configuring Unicast RPF Drop-Rate Notification via Syslog

To configure the Unicast RPF drop-rate threshold and computation parameters for notification via syslog, perform the steps in this section.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip verify drop-rate compute window seconds

4. ip verify drop-rate compute interval seconds

5. ip verify drop-rate notify hold-down seconds

6. interface type number

7. ip verify unicast notification threshold rate-val

8. end

DETAILED STEPS

Command or Action

Purpose

Step 1

enable
Example:

Router> enable

Enables privileged EXEC mode.

•Enter your password if prompted.

Step 2

configure terminal
Example:

Router# configure terminal

Enters global configuration mode.

Step 3

ip verify drop-rate compute window seconds
Example:

Router(config)# ip verify drop-rate compute window 60

Configures the period of time, in seconds, over which the Unicast RPF drop count used in the drop-rate computation is collected.

The range is from 30 to 300. The default is 300.

Note The value for the compute window must be greater than or equal to that entered using the ip verify drop-rate compute interval command.

Step 4

ip verify drop-rate compute interval seconds
Example:

Router(config)# ip verify drop-rate compute interval 60

Configures the interval of time, in seconds, between Unicast RPF drop-rate computations.

The range is from 30 to 300. The default is 30.

Note The value for the compute interval must be less than or equal to that entered using the ip verify drop-rate compute window command.

Step 5

ip verify drop-rate notify hold-down seconds
Example:

Router(config)# ip verify drop-rate notify hold-down 60

Configures the minimum time, in seconds, between Unicast RPF drop-rate notifications.

The range is from 30 to 300. The default is 300.

Step 6

interface type number
Example:

Router(config)# interface ethernet 3/0

Enters interface configuration mode.

Step 7

ip verify unicast notification threshold rate-val
Example:

Router(config-if)# ip verify unicast notification threshold 750

Configures the threshold value, in packets per second, which determines whether to send a Unicast RPF drop-rate notification.

The range is from 0 to the maximum number of packets the interface can process in one second. The default is 1000.

Note If you configure the threshold to be 0, every packet drop triggers a notification.

Step 8

end
Example:

Router(config-if)# end

Returns to privileged EXEC mode.

Configuring Unicast RPF Drop-Rate Notification via SNMP

To configure the Unicast RPF drop-rate threshold and computation parameters for notification via SNMP, perform the steps in this section.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip verify drop-rate compute window seconds

4. ip verify drop-rate compute interval seconds

5. ip verify drop-rate notify hold-down seconds

6. interface type number

7. ip verify unicast notification threshold rate-val

8. snmp trap ip verify drop-rate

9. end

DETAILED STEPS

Command or Action

Purpose

Step 1

enable
Example:

Router> enable

Enables privileged EXEC mode.

•Enter your password if prompted.

Step 2

configure terminal
Example:

Router# configure terminal

Enters global configuration mode.

Step 3

ip verify drop-rate compute window seconds
Example:

Router(config)# ip verify drop-rate compute window 60

Configures the period of time, in seconds, over which the Unicast RPF drop count used in the drop-rate computation is collected.

The range is from 30 to 300. The default is 300.

Note The value for the compute window must be greater than or equal to that entered using the ip verify drop-rate compute interval command.

Step 4

ip verify drop-rate compute interval seconds
Example:

Router(config)# ip verify drop-rate compute interval 60

Configures the interval of time, in seconds, between Unicast RPF drop-rate computations.

The range is from 30 to 300. The default is 30.

Note The value for the compute interval must be less than or equal to that entered using the ip verify drop-rate compute window command.

Step 5

ip verify drop-rate notify hold-down seconds
Example:

Router(config)# ip verify drop-rate notify hold-down 60

Configures the minimum time, in seconds, between Unicast RPF drop-rate notifications.

The range is from 30 to 300. The default is 300.

Step 6

interface type number
Example:

Router(config)# interface ethernet 3/0

Enters interface configuration mode.

Step 7

ip verify unicast notification threshold rate-val
Example:

Router(config-if)# ip verify unicast notification threshold 750

Configures the threshold value, in packets per second, which determines whether to send a Unicast RPF drop-rate notification.

The range is from 0 to the maximum number of packets the interface can process in one second. The default is 1000.

Note If you configure the threshold to be 0, every packet drop triggers a notification.

Step 8

snmp trap ip verify drop-rate
Example:

Router(config-if)# snmp trap ip verify drop-rate

Configures the router to send an SNMP notification when the Unicast RPF drop rate exceeds the configured threshold.

Step 9

end
Example:

Router(config-if)# end

Returns to privileged EXEC mode.

Verifying the Unicast RPF Configuration

To verify the Unicast RPF configuration and troubleshoot the operation of Unicast RPF drop-rate notifications, perform the steps in this section.

SUMMARY STEPS

1. enable

2. show ip interface type number

3. debug ip verify mib

DETAILED STEPS

Command or Action

Purpose

Step 1

enable
Example:

Router> enable

Enables privileged EXEC mode.

•Enter your password if prompted.

Step 2

show ip interface type number
Example:

Router# show ip interface ethernet 3/0

Displays the verification drop rate and the number of verification drops when Unicast RPF is configured for the specified interface.

Step 3

debug ip verify mib
Example:

Router# debug ip verify mib

Displays output useful for troubleshooting Unicast RPF notification.

Examples

The last five lines in following example show the output of the show ip interface command when Unicast RPF is configured:
Router# show ip interface ethernet 2/3
Ethernet2/3 is up, line protocol is up
  Internet address is 10.10.5.4/16
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is disabled
  IP Flow switching is disabled
  IP CEF switching is disabled
  IP Null turbo vector
  IP Null turbo vector
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are No CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled
  Input features: uRPF
  IP verify source reachable-via RX, allow default
   0 verification drops
   0 suppressed verification drops
   0 verification drop-rate
Router#
The following example shows the output of the debug ip verify mib command:
Router# debug ip verify mib
01:29:45: cipUrpfScalar_get, searchType 161
01:29:45: ipurpfmib_get_scalars
01:29:45: cipUrpfScalar_get, searchType 161
01:29:45: cipUrpfScalar_get, searchType 161
01:29:45: ipurpfmib_get_scalars
01:29:45: cipUrpfScalar_get, searchType 161
01:29:45: cipUrpfScalar_get, searchType 161
01:29:45: ipurpfmib_get_scalars
01:29:45: cipUrpfScalar_get, searchType 
161ipurpfmib_get_urpf_entryipurpfmib_get_urpf_entryipurpfmib_get_urpf_entryipurpfmib_get_ 
urpf_entry
01:29:45: cipUrpfIfMonEntry_get, searchType 161
01:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 1
01:29:45: cipUrpfIfMonEntry_get, searchType 161
01:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 1
01:29:45: cipUrpfIfMonEntry_get, searchType 161
01:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 1
01:29:45: cipUrpfIfMonEntry_get, searchType 161
01:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 1
01:29:45: cipUrpfIfMonEntry_get, searchType 161
01:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 1
01:29:45: cipUrpfIfMonEntry_get, searchType 161
01:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 1
01:29:45: cipUrpfIfMonEntry_get, searchType 161
01:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 1
01:29:45: cipUrpfIfMonEntry_get, searchType 161
01:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 1
01:29:45: cipUrpfIfMonEntry_get, searchType 161
01:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 1
01:29:45: cipUrpfIfMonEntry_get, searchType 161
01:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 1
Configuration Examples for CISCO-IP-URPF-MIB Support

This section provides the following configuration examples:

•Configuring Unicast RPF Drop-Rate Notification via Syslog: Example

•Configuring Unicast RPF Drop-Rate Notification via SNMP: Example

Configuring Unicast RPF Drop-Rate Notification via Syslog: Example

The following example shows how to configure Unicast RPF drop-rate notification via syslog:
Router> enable
Router# configure terminal
Router(config)# ip verify drop-rate compute window 60
Router(config)# ip verify drop-rate compute interval 60
Router(config)# ip verify drop-rate hold-down 60
Router(config)# interface ethernet 3/0
Router(config-if)# ip verify unicast notification threshold 750
Router(config-if)# end
Configuring Unicast RPF Drop-Rate Notification via SNMP: Example

The following example shows how to configure Unicast RPF drop-rate notification via SNMP:
Router> enable
Router# configure terminal
Router(config)# ip verify drop-rate compute window 60
Router(config)# ip verify drop-rate compute interval 60
Router(config)# ip verify drop-rate hold-down 60
Router(config)# interface ethernet 3/0
Router(config-if)# ip verify unicast notification threshold 750
Router(config-if)# snmp trap ip verify drop-rate
Router(config-if)# end
Additional References

The following sections provide references related to the CISCO-IP-URPF-MIB Support feature.

Related Documents

Related Topic

Document Title

Configuring Unicast RPF

"Configuring Unicast Reverse Path Forwarding" module in the Cisco IOS Security Configuration Guide: Securing the Data Plane

Configuring SNMP

"Configuring SNMP Support" module in the Cisco IOS Network Management Configuration Guide

Standards

Standard

Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

—

MIBs

MIB

MIBs Link

•CISCO-IP-URPF-MIB

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

RFC

Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.

—

Technical Assistance

Description

Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport

Feature Information for CISCO-IP-URPF-MIB Support

Table 1 lists the release history for this feature.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator lets you determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.

Table 1 Feature Information for CISCO-IP-URPF-MIB Support

Feature Name

Releases

Feature Information

CISCO-IP-URPF-MIB Support

12.2(31)SB2
12.2(33)SRC
12.4(20)T
12.2(33)SXI2

The CISCO-IP-URPF-MIB provides SNMP notification when a specified drop-rate threshold on a managed device is exceeded. You use the IP Unicast RPF feature to avert DoS attacks by verifying the validity of the source IP of an incoming packet. You can configure the Unicast RPF drop-rate threshold globally for a device or per interface.

The following commands were introduced or modified: debug ip verify mib, ip verify drop-rate compute interval, ip verify drop-rate compute window, ip verify drop-rate notify hold-down, ip verify unicast notification threshold, show ip interface, snmp trap ip verify drop-rate

CCDE, CCSI, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0903R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2006-2009 Cisco Systems, Inc. All rights reserved.

Hierarchical Navigation

Cisco IOS and NX-OS Software

CISCO-IP-URPF-MIB Support

Downloads

Table Of Contents

CISCO-IP-URPF-MIB Support

Finding Feature Information

Contents

Prerequisites for CISCO-IP-URPF-MIB Support

Restrictions for CISCO-IP-URPF-MIB Support

Information About CISCO-IP-URPF-MIB Support

Implementation of Unicast RPF Notification

Elements of Unicast RPF Notification

Global Scalars

Global Tables

Per-Interface Statistics

Per-Interface Configuration

Drop-Rate Computation

How to Configure Unicast RPF Drop-Rate Notification

Configuring Unicast RPF Drop-Rate Notification via Syslog

SUMMARY STEPS

DETAILED STEPS

Configuring Unicast RPF Drop-Rate Notification via SNMP

SUMMARY STEPS

DETAILED STEPS

Verifying the Unicast RPF Configuration

SUMMARY STEPS

DETAILED STEPS

Examples

Configuration Examples for CISCO-IP-URPF-MIB Support

Configuring Unicast RPF Drop-Rate Notification via Syslog: Example

Configuring Unicast RPF Drop-Rate Notification via SNMP: Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Feature Information for CISCO-IP-URPF-MIB Support

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0903R)