-
Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.4T
-
Automatic Signature Extraction
-
Cisco IOS Firewall Overview
-
Access Control Lists (ACLs)
-
IP Access List Features Roadmap
-
IP Access List Overview
-
Creating an IP Access List and Applying It to an Interface
-
Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values
-
ACL Syslog Correlation
-
Refining an IP Access List
-
Object Groups for ACLs
-
Displaying and Clearing IP Access List Data Using ACL Manageability
-
Controlling Access to a Virtual Terminal Line
-
Access List-Based RBSCP
-
ACL IP Options Selective Drop
-
ACL Authentication of Incoming rsh and rcp Requests
-
-
Configuring IP Session Filtering (Reflexive Access Lists)
-
Configuring Lock-and-Key Security (Dynamic Access Lists)
-
Context-Based Access Control
-
Configuring Context-based Access Control
-
Application Firewall - Instant Message Traffic Enforcement
-
Cisco IOS Firewall MIB
-
Cisco IOS Firewall Performance Improvements
-
Cisco IOS Firewall Stateful Failover
-
Cisco IOS Firewall Support for TRP
-
Email Inspection Engine
-
ESMTP Support for Cisco IOS Firewall
-
Firewall ACL Bypass
-
Firewall N2H2 Support
-
Firewall Stateful Inspection of ICMP
-
Firewall Support for SIP
-
Firewall Support of Skinny Client Control Protocol (SCCP)
-
Firewall Websense URL Filtering
-
Granular Protocol Inspection
-
HTTP Inspection Engine
-
Inspection of Router-Generated Traffic
-
TCP Out-of-Order Packet Support for Cisco IOS Firewall and Cisco IOS IPS
-
Transparent Cisco IOS Firewall
-
Virtual Fragmentation Reassembly
-
VRF Aware Cisco IOS Firewall
-
-
Zone-Based Policy Firewall
-
Zone-Based Policy Firewall
-
Cisco IOS Firewall H.323 Support
-
H.323 RAS Support in Cisco IOS Firewall
-
Cisco IOS Firewall: SIP Enhancements: ALG and AIC
-
Application Inspection and Control for SMTP
-
Subscription-based Cisco IOS Content Filtering
-
Cisco IOS Firewall Support for Skinny Local Traffic and CME
-
User Based Firewall Support
-
- Cisco IOS Intrusion Prevention System (IPS)
- Flexible Packet Matching
-
Configuring IP Security Options
-
Configuring Port to Application Mapping
-
Configuring TCP Intercept (Preventing Denial-of-Service Attacks)
- Unicast Reverse Path Forwarding (uRPF)
- Threat Information Distribution Protocol (TIDP) and TMS
-
Table Of Contents
Prerequisites for CISCO-IP-URPF-MIB Support
Restrictions for CISCO-IP-URPF-MIB Support
Information About CISCO-IP-URPF-MIB Support
Implementation of Unicast RPF Notification
Elements of Unicast RPF Notification
How to Configure Unicast RPF Drop-Rate Notification
Configuring Unicast RPF Drop-Rate Notification via Syslog
Configuring Unicast RPF Drop-Rate Notification via SNMP
Verifying the Unicast RPF Configuration
Configuration Examples for CISCO-IP-URPF-MIB Support
Configuring Unicast RPF Drop-Rate Notification via Syslog: Example
Configuring Unicast RPF Drop-Rate Notification via SNMP: Example
Feature Information for CISCO-IP-URPF-MIB Support
CISCO-IP-URPF-MIB Support
First Published: December 4, 2006Last Updated: July 2, 2009The CISCO-IP-URPF-MIB provides Simple Network Management Protocol (SNMP) notification when a specified drop-rate threshold on a managed device is exceeded. You use the IP Unicast Reverse Path Forwarding (RPF) feature to avert denial of service (DoS) attacks by verifying the validity of the source IP of an incoming packet. You can configure the Unicast RPF drop-rate threshold globally for a device or per interface.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for CISCO-IP-URPF-MIB Support" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for CISCO-IP-URPF-MIB Support
•
•
•
•
•
Prerequisites for CISCO-IP-URPF-MIB Support
Cisco IOS support for the CISCO-IP-URPF-MIB requires that the following features are configured on the device:
•
•
•
•
Restrictions for CISCO-IP-URPF-MIB Support
•
–
–
–
–
•
Information About CISCO-IP-URPF-MIB Support
To configure a notification threshold for Unicast RPF dropped packets, you should understand the following concepts:
•
•
Implementation of Unicast RPF Notification
Unicast RPF is a security feature that verifies the validity of the source IP of an incoming packet. When a packet arrives at an interface and its source IP is unknown in the routing table or is a known bad source address, Unicast RPF drops the packet. Source IP verification is done to prevent denial of service (DoS) attacks by detecting problems with the incoming packets on an interface. However, Unicast RPF is challenging to deploy without some automated monitoring capability.
The CISCO-IP-URPF-MIB lets you specify a Unicast RPF drop-rate threshold on interfaces of a managed device, which sends an SNMP notification when the threshold is exceeded. The MIB includes objects for specifying global and per-interface drop counts and drop rates as well as a way to generate SNMP traps when the drop rate exceeds a configurable per-interface threshold.
Although you can configure some parameters globally, you must configure this feature on individual interfaces.
Elements of Unicast RPF Notification
The following elements make Unicast RPF drop-rate notification work:
Global Scalars
The following global scalars affect how the MIB agent computes all drop rates and generates notifications:
•
•
•
Global Tables
The CISCO-IP-URPF-MIB includes the following global tables:
•
•
Per-Interface Statistics
The following MIB objects track per-interface statistics:
•
•
Per-Interface Configuration
The following MIB objects enable per-interface configuration:
•
•
Drop-Rate Computation
Whenever Unicast RPF is configured on an interface, the drop-rate calculation is done periodically (at intervals specified by the cipUrpfComputeInterval object). Drop rates are computed over a constantly-sliding window, which covers the period starting at the configured number of seconds before the calculation and ending with the performance of the calculation.
How to Configure Unicast RPF Drop-Rate Notification
This section contains the following procedures:
•
•
•
Configuring Unicast RPF Drop-Rate Notification via Syslog
To configure the Unicast RPF drop-rate threshold and computation parameters for notification via syslog, perform the steps in this section.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Configuring Unicast RPF Drop-Rate Notification via SNMP
To configure the Unicast RPF drop-rate threshold and computation parameters for notification via SNMP, perform the steps in this section.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Verifying the Unicast RPF Configuration
To verify the Unicast RPF configuration and troubleshoot the operation of Unicast RPF drop-rate notifications, perform the steps in this section.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Examples
The last five lines in following example show the output of the show ip interface command when Unicast RPF is configured:
Router# show ip interface ethernet 2/3Ethernet2/3 is up, line protocol is upInternet address is 10.10.5.4/16Broadcast address is 255.255.255.255Address determined by non-volatile memoryMTU is 1500 bytesHelper address is not setDirected broadcast forwarding is disabledOutgoing access list is not setInbound access list is not setProxy ARP is enabledLocal Proxy ARP is disabledSecurity level is defaultSplit horizon is enabledICMP redirects are always sentICMP unreachables are always sentICMP mask replies are never sentIP fast switching is disabledIP Flow switching is disabledIP CEF switching is disabledIP Null turbo vectorIP Null turbo vectorIP multicast fast switching is disabledIP multicast distributed fast switching is disabledIP route-cache flags are No CEFRouter Discovery is disabledIP output packet accounting is disabledIP access violation accounting is disabledTCP/IP header compression is disabledRTP/IP header compression is disabledProbe proxy name replies are disabledPolicy routing is disabledNetwork address translation is disabledWCCP Redirect outbound is disabledWCCP Redirect inbound is disabledWCCP Redirect exclude is disabledBGP Policy Mapping is disabledInput features: uRPFIP verify source reachable-via RX, allow default0 verification drops0 suppressed verification drops0 verification drop-rateRouter#The following example shows the output of the debug ip verify mib command:
Router# debug ip verify mib01:29:45: cipUrpfScalar_get, searchType 16101:29:45: ipurpfmib_get_scalars01:29:45: cipUrpfScalar_get, searchType 16101:29:45: cipUrpfScalar_get, searchType 16101:29:45: ipurpfmib_get_scalars01:29:45: cipUrpfScalar_get, searchType 16101:29:45: cipUrpfScalar_get, searchType 16101:29:45: ipurpfmib_get_scalars01:29:45: cipUrpfScalar_get, searchType 161ipurpfmib_get_urpf_entryipurpfmib_get_urpf_entryipurpfmib_get_urpf_entryipurpfmib_get_ urpf_entry01:29:45: cipUrpfIfMonEntry_get, searchType 16101:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 101:29:45: cipUrpfIfMonEntry_get, searchType 16101:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 101:29:45: cipUrpfIfMonEntry_get, searchType 16101:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 101:29:45: cipUrpfIfMonEntry_get, searchType 16101:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 101:29:45: cipUrpfIfMonEntry_get, searchType 16101:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 101:29:45: cipUrpfIfMonEntry_get, searchType 16101:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 101:29:45: cipUrpfIfMonEntry_get, searchType 16101:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 101:29:45: cipUrpfIfMonEntry_get, searchType 16101:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 101:29:45: cipUrpfIfMonEntry_get, searchType 16101:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 101:29:45: cipUrpfIfMonEntry_get, searchType 16101:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 1Configuration Examples for CISCO-IP-URPF-MIB Support
This section provides the following configuration examples:
•
•
Configuring Unicast RPF Drop-Rate Notification via Syslog: Example
The following example shows how to configure Unicast RPF drop-rate notification via syslog:
Router> enableRouter# configure terminalRouter(config)# ip verify drop-rate compute window 60Router(config)# ip verify drop-rate compute interval 60Router(config)# ip verify drop-rate hold-down 60Router(config)# interface ethernet 3/0Router(config-if)# ip verify unicast notification threshold 750Router(config-if)# endConfiguring Unicast RPF Drop-Rate Notification via SNMP: Example
The following example shows how to configure Unicast RPF drop-rate notification via SNMP:
Router> enableRouter# configure terminalRouter(config)# ip verify drop-rate compute window 60Router(config)# ip verify drop-rate compute interval 60Router(config)# ip verify drop-rate hold-down 60Router(config)# interface ethernet 3/0Router(config-if)# ip verify unicast notification threshold 750Router(config-if)# snmp trap ip verify drop-rateRouter(config-if)# endAdditional References
The following sections provide references related to the CISCO-IP-URPF-MIB Support feature.
Related Documents
Configuring Unicast RPF
"Configuring Unicast Reverse Path Forwarding" module in the Cisco IOS Security Configuration Guide: Securing the Data Plane
Configuring SNMP
"Configuring SNMP Support" module in the Cisco IOS Network Management Configuration Guide
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
MIBs
•
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
—
Technical Assistance
Feature Information for CISCO-IP-URPF-MIB Support
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator lets you determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
CCDE, CCSI, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0903R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2006-2009 Cisco Systems, Inc. All rights reserved.
