-
Cisco IOS Security Configuration Guide, Release 12.2SR
-
Security Overview
- Part 1: Authentication, Authorization, and Accounting (AAA)
- Part 2: Security Server Protocols
-
Part 3: Traffic Filtering, Firewalls, and Virus Detection
-
Access Control Lists (ACLs)
-
IP Access List Features Roadmap
-
IP Access List Overview
-
Creating an IP Access List and Applying It to an Interface
-
Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values
-
Refining an IP Access List
-
Cisco IOS Firewall Overview
-
Configuring Lock-and-Key Security (Dynamic Access Lists)
-
Configuring IP Session Filtering (Reflexive Access Lists)
-
Configuring TCP Intercept (Preventing Denial-of-Service Attacks)
-
IP Access List Entry Sequence Numbering
-
Turbo Access Control List Scalability Enhancements
-
- Configuring Cisco IOS Firewall
- Configuring Authentication Proxy
-
Access Control Lists (ACLs)
-
Part 4: Implementing IPSec and IKE
- Configuring Internet Key Exchange for IPSec VPNs
-
Configuring Security for VPNs with IPSec
-
Configuring Security for VPNs with IPSec
-
Crypto Conditional Debug Support
-
Distinguished Name Based Crypto Maps
-
Dynamic Multipoint VPN (DMVPN)
-
Cisco Easy VPN Remote
-
Easy VPN Remote RSA Signature Support
-
Easy VPN Server
-
Invalid Security Parameter Index Recovery
-
IP Security VPN Monitoring
-
IPSec Anti-Replay Window: Expanding and Disabling
-
IPsec Dead Peer Detection Periodic Message Option
-
IPSec Preferred Peer
-
IPsec Security Association Idle Timers
-
IPsec VPN Accounting
-
IPsec VPN High Availability Enhancements
-
IPSec Virtual Tunnel Interface
-
Low Latency Queueing (LLQ) for IPsec Encryption Engines
-
Pre-Fragmentation for IPsec VPNs
-
Real-Time Resolution for IPsec Tunnel Peer
-
Reverse Route Injection
-
SafeNet IPSec VPN Client Support
-
VRF-Aware Ipsec
-
VPN Acceleration Module (VAM)
-
-
Part 5: Implementing and Managing a PKI
-
Implementing and Managing PKI Features Roadmap
-
Cisco IOS PKI Overview: Understanding and Planning a PKI
-
Deploying RSA Keys Within a PKI
-
Configuring Authorization and Revocation of Certificates in a PKI
-
Configuring Certificate Enrollment for a PKI
-
Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment
-
Storing PKI Credentials
-
Source Interface Selection for Outgoing Traffic with Certificate Authority (CA)
-
- Part 6: Other Security Features
- Part 7: Secure Infrastructure
- Part 8: Appendixes
-
Table Of Contents
Prerequisites for CISCO-IP-URPF-MIB Support
Restrictions for CISCO-IP-URPF-MIB Support
Information About CISCO-IP-URPF-MIB Support
Implementing URPF Notification
Software Basis for URPF Notification
How to Configure URPF Drop-Rate Notification
Configuring URPF Drop-Rate Notification via Syslog
Configuring URPF Drop-Rate Notification via SNMP
Verifying the URPF Configuration
Configuration Examples for CISCO-IP-URPF-MIB Support
Configuring URPF Drop-Rate Notification via Syslog: Example
Configuring URPF Drop-Rate Notification via SNMP: Example
Feature Information for CISCO-IP-URPF-MIB Support
CISCO-IP-URPF-MIB Support
First Published: December 4, 2006Last Updated: July 11, 2008Customers use the IP Unicast Reverse Path Forwarding (URPF) feature to avert denial of service (DoS) attacks by verifying the validity of the source IP of an incoming packet. The CISCO-IP-URPF-MIB has been defined to provide Simple Network Management Protocol (SNMP) notification when a specified URPF drop-rate threshold on a managed device is exceeded. The URPF drop-rate threshold can be configured globally for a device, or per interface.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. For the latest feature information and caveats, see the release notes for your Cisco IOS software release. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for CISCO-IP-URPF-MIB Support" section.
Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for CISCO-IP-URPF-MIB Support
•
•
•
•
•
Prerequisites for CISCO-IP-URPF-MIB Support
Cisco IOS support for the CISCO-IP-URPF-MIB requires the following to be configured on the device:
•
•
•
•
Restrictions for CISCO-IP-URPF-MIB Support
•
–
–
–
–
•
Information About CISCO-IP-URPF-MIB Support
To configure a notification threshold for URPF dropped packets, you should understand the following concepts:
•
•
Implementing URPF Notification
URPF is a security feature that verifies the validity of the source IP of an incoming packet. When a packet arrives at an interface and its source IP is unknown in the routing table or is a known bad source address, URPF drops the packet. Source IP verification is done to prevent denial of service (DoS) attacks by detecting problems with the incoming packets on an interface. However, URPF is challenging to deploy without some automated monitoring capability.
The CISCO-IP-URPF-MIB allows users to specify a URPF drop-rate threshold on interfaces of a managed device, which when exceeded causes an SNMP notification to be sent. This MIB includes objects for specifying global and per-interface drop counts and drop rates, as well as a means of generating SNMP traps when the drop rate exceeds a configurable per-interface threshold.
Although some parameters can be configured globally, this feature must be configured on individual interfaces.
Software Basis for URPF Notification
The following elements make URPF drop-rate notification work:
Global Scalars
The following global scalars affect the behavior of the MIB agent in computing all drop rates and controlling notification generation:
•
This object specifies the window of time in the recent past over which the computation takes place. If there were no window (that is, the window is the epoch since booting up), an identical drop count burst at a later time would produce a smaller drop rate than one occurring earlier.
•
This object specifies how often the drop-rate computation occurs.
•
This object specifies the minimum time between notifications for a particular packet flow on an interface.
Global Tables
The CISCO-IP-URPF-MIB includes the following global tables:
•
This table contains global drop count and drop-rate objects per packet flow (for both IPv4 and IPv6). These global rates are useful for determining quickly whether there is URPF activity on the managed device at a specific time.
•
This table allows users to index drop counters by VRF, if a VRF routing table is used to determine URPF checking. The table provides a means to index all the URPF-enabled interfaces by VRF.
Per-interface Statistics
The following MIB objects track per-interface statistics:
•
This table contains the statistics for a particular packet flow on an interface.
•
This object accumulates URPF drops on an interface. Snapshots of this value are used in the drop-rate computation. Computed drop rate is specified in the cipUrpfIfDropRate object. IfURPF is configured on a subinterface, drop rates are computed.
Per-interface Configuration
The following MIB objects enable per-interface configuration.
•
This object specifies whether the system produces the cipUrpfIfDropRateNotify notification because URPF has dropped of version cipUrpfIfIpVersion IP packets on the specified interface.
•
This object specifies the drop-rate threshold value above which a notification is generated.
Drop-Rate Computation
Whenever URPF is configured on an interface, the drop-rate calculation is performed periodically (at intervals specified by the cipUrpfComputeInterval object). Drop rates are computed over a constantly sliding window, covering the period ending with the performance of the calculation and starting the configured number of seconds before the calculation.
How to Configure URPF Drop-Rate Notification
This section contains the following tasks:
•
•
•
Configuring URPF Drop-Rate Notification via Syslog
This task describes how to configure the URPF drop-rate threshold and computation parameters for notification via syslog.
Prerequisites
You must have URPF configured on the router before configuring this feature. For information about configuring URPF, see Configuring Unicast Reverse Path Forwarding.
Restrictions
This feature can be configured only with IPv4.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Configuring URPF Drop-Rate Notification via SNMP
This task describes how to configure the URPF drop-rate threshold and computation parameters for notification via SNMP.
Prerequisites
You must have URPF configured on the router before configuring this feature. For information about configuring URPF, see Configuring Unicast Reverse Path Forwarding.
You must enable SNMP on the router to use this feature. For information about enabling SNMP, see Configuring SNMP Support.
Restrictions
This feature can be configured only with IPv4.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Verifying the URPF Configuration
You can use the following two commands to verify the URPF configuration and troubleshoot the operation of URPF drop-rate notification.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Examples
The last five lines in following example shows the output of the show ip interface command when URPF is configured:
Router# show ip interface ethernet 2/3Ethernet2/3 is up, line protocol is upInternet address is 10.10.5.4/16Broadcast address is 255.255.255.255Address determined by non-volatile memoryMTU is 1500 bytesHelper address is not setDirected broadcast forwarding is disabledOutgoing access list is not setInbound access list is not setProxy ARP is enabledLocal Proxy ARP is disabledSecurity level is defaultSplit horizon is enabledICMP redirects are always sentICMP unreachables are always sentICMP mask replies are never sentIP fast switching is disabledIP Flow switching is disabledIP CEF switching is disabledIP Null turbo vectorIP Null turbo vectorIP multicast fast switching is disabledIP multicast distributed fast switching is disabledIP route-cache flags are No CEFRouter Discovery is disabledIP output packet accounting is disabledIP access violation accounting is disabledTCP/IP header compression is disabledRTP/IP header compression is disabledProbe proxy name replies are disabledPolicy routing is disabledNetwork address translation is disabledWCCP Redirect outbound is disabledWCCP Redirect inbound is disabledWCCP Redirect exclude is disabledBGP Policy Mapping is disabledInput features: uRPFIP verify source reachable-via RX, allow default0 verification drops0 suppressed verification drops0 verification drop-raterouter#The following example shows the output of the debug ip verify mib command:
Router# debug ip verify mib01:29:45: cipUrpfScalar_get, searchType 16101:29:45: ipurpfmib_get_scalars01:29:45: cipUrpfScalar_get, searchType 16101:29:45: cipUrpfScalar_get, searchType 16101:29:45: ipurpfmib_get_scalars01:29:45: cipUrpfScalar_get, searchType 16101:29:45: cipUrpfScalar_get, searchType 16101:29:45: ipurpfmib_get_scalars01:29:45: cipUrpfScalar_get, searchType 161ipurpfmib_get_urpf_entryipurpfmib_get_urpf_entryipurpfmib_get_urpf_entryipurpfmib_get_ urpf_entry01:29:45: cipUrpfIfMonEntry_get, searchType 16101:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 101:29:45: cipUrpfIfMonEntry_get, searchType 16101:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 101:29:45: cipUrpfIfMonEntry_get, searchType 16101:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 101:29:45: cipUrpfIfMonEntry_get, searchType 16101:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 101:29:45: cipUrpfIfMonEntry_get, searchType 16101:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 101:29:45: cipUrpfIfMonEntry_get, searchType 16101:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 101:29:45: cipUrpfIfMonEntry_get, searchType 16101:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 101:29:45: cipUrpfIfMonEntry_get, searchType 16101:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 101:29:45: cipUrpfIfMonEntry_get, searchType 16101:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 101:29:45: cipUrpfIfMonEntry_get, searchType 16101:29:45: ipurpfmib_get_urpf_ifmon_entry entry: ST 161, if 1, ip 1Configuration Examples for CISCO-IP-URPF-MIB Support
This section includes the following examples:
•
•
Configuring URPF Drop-Rate Notification via Syslog: Example
The following example shows how to configure URPF drop-rate notification via syslog:
configure terminalip verify drop-rate compute window 60ip verify drop-rate compute interval 60ip verify drop-rate hold-down 60configure interface ethernet 3/0interface ethernet 3/0ip verify unicast notification threshold 750Configuring URPF Drop-Rate Notification via SNMP: Example
The following example shows how to configure URPF drop-rate notification via SNMP:
configure terminalip verify drop-rate compute window 60ip verify drop-rate compute interval 60ip verify drop-rate hold-down 60configure interface ethernet 3/0interface ethernet 3/0ip verify unicast notification threshold 750snmp trap ip verify drop-rateAdditional References
The following sections provide references related to the CISCO-IP-URPF-MIB Support feature.
Related Documents
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
MIBs
•
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
—
Technical Assistance
Command Reference
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Security Command Reference at http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html. For information about all Cisco IOS commands, use the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or a Cisco IOS master commands list.
•
•
•
•
•
•
•
Feature Information for CISCO-IP-URPF-MIB Support
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0805R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2008 Cisco Systems, Inc. All rights reserved.
