Configuring Network Security
This chapter contains network security information unique to the Cisco 7600 series routers, which supplements the network security information and procedures in these publications:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/fsecur_c.html
http://www.cisco.com/en/US/products/hw/routers/ps368/prod_command_reference_list.html

Note For complete syntax and usage information for the commands used in this chapter, refer to these publications:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_installation_and_configuration_guides_list.html
Configuring MAC Address-Based Traffic Blocking
To block all traffic to or from a MAC address in a specified VLAN, perform this task:
This example shows how to block all traffic to or from MAC address 0050.3e8d.6400 in VLAN 12:
Configuring TCP Intercept
TCP intercept flows are processed in hardware.
For configuration procedures, refer to the Cisco IOS Security Configuration Guide, Release 12.2, “Traffic Filtering and Firewalls,” “Configuring TCP Intercept (Preventing Denial-of-Service Attacks),” at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfdenl.html
Configuring Unicast Reverse Path Forwarding Check
These sections describe configuring Cisco IOS Unicast Reverse Path Forwarding check (Unicast RPF check):
- Understanding PFC3 Unicast RPF Check Support
- Unicast RPF Check Guidelines and Restrictions
- Configuring Unicast RPF Check
Understanding PFC3 Unicast RPF Check Support
For a complete explanation of how Unicast RPF check works, refer to the Cisco IOS Security Configuration Guide, Release 12.2, “Other Security Features,” “Configuring Unicast Reverse Path Forwarding” at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrpf.html
The PFC3 provides hardware support for RPF check of traffic from multiple interfaces.
With strict-method Unicast RPF check, the PFC3 supports two parallel paths for all prefixes in the routing table, and up to four parallel paths for prefixes reached through any of four user-configurable RPF interface groups (each interface group can contain four interfaces).
With loose-method Unicast RPF check (also known as exist-only method), the PFC3 supports up to eight reverse-path interfaces (the Cisco IOS software is limited to eight reverse paths in the routing table).
There are four methods of performing Unicast RPF check in Cisco IOS:
- Strict Unicast RPF check
- Strict Unicast RPF check with allow-default
- Loose Unicast RPF check
- Loose Unicast RPF check with allow-default
You configure Unicast RPF check on a per-interface basis, but the PFC3 supports only one Unicast RPF method for all interfaces that have Unicast RPF check enabled. When you configure an interface to use a Unicast RPF method that is different from the currently configured method, all other interfaces in the system that have Unicast RPF check enabled use the new method.
Unicast RPF Check Guidelines and Restrictions
When configuring Unicast RPF check, follow these guidelines and restrictions:
- If you configure Unicast RPF check to filter with an ACL, the PFC determines whether or not traffic matches the ACL. The PFC sends the traffic denied by the RPF ACL to the MSFC for the Unicast RPF check. Packets permitted by the ACL are forwarded in hardware without a Unicast RPF check (CSCdz35099).
- Because the packets in a denial-of-service attack typically match the deny ACE and are sent to the MSFC for the Unicast RPF check, they can overload the MSFC.
- The PFC provides hardware support for traffic that does not match the Unicast RPF check ACL, but that does match an input security ACL.
- The PFC does not provide hardware support for Unicast RPF check of policy-based routing (PBR) traffic (CSCea53554).
Configuring Unicast RPF Check
Configuring the Unicast RPF Check Mode
There are two Unicast RPF check modes:
- Strict check mode, which verifies that the source IP address exists in the FIB table and verifies that the source IP address is reachable through the input port.
- Exist-only check mode, which only verifies that the source IP address exists in the FIB table.

Note The most recently configured mode is automatically applied to all ports configured for Unicast RPF check.
To configure Unicast RPF check mode, perform this task:
| Command | Purpose |
|---|---|
| `Router(config)# interface {{ vlan vlan_ID } \| { type slot/port } \| { port-channel number }}` | Selects an interface to configure. Note: Based on the input port, Unicast RPF check verifies the best return path before forwarding the packet on to the next destination. |
| `Router(config-if)# ip verify unicast source reachable-via { rx \| any } [ allow-default ] [ list ]` | Enables Unicast RPF check on the interface and selects the check mode. |

type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet
When configuring the Unicast RPF check mode, note the following information:
- Use the rx keyword to enable strict check mode.
- Use the any keyword to enable exist-only check mode.
- Use the allow-default keyword to allow use of the default route for RPF verification.
- Use the list option to identify an access list.
  - If the access list denies network access, spoofed packets are dropped at the port.
  - If the access list permits network access, spoofed packets are forwarded to the destination address. Forwarded packets are counted in the interface statistics.
  - If the access list includes the logging action, information about the spoofed packets is sent to the log server.

Note When you enter the ip verify unicast source reachable-via command, the Unicast RPF check mode changes on all ports in the router.
This example shows how to enable Unicast RPF exist-only check mode on Gigabit Ethernet port 4/1:
This example shows how to enable Unicast RPF strict check mode on Gigabit Ethernet port 4/2:
This example shows how to verify the configuration:

Configuring the Multiple-Path Unicast RPF Check Mode on a PFC3
To configure the multiple-path Unicast RPF check mode on a PFC3, perform this task:
| Command | Purpose |
|---|---|
| `Router(config)# mls ip cef rpf mpath { punt \| pass \| interface-group }` | Configures the multiple-path Unicast RPF check mode. |
| `Router(config)# no mls ip cef rpf mpath { punt \| interface-group }` | Reverts to the default multiple-path mode (punt). |
When configuring multiple path RPF check, note the following information:
- punt (default)—The PFC3 performs the Unicast RPF check in hardware for up to two interfaces per prefix. Packets arriving on any additional interfaces are redirected (punted) to the MSFC3 for Unicast RPF check in software.
- pass—The PFC3 performs the Unicast RPF check in hardware for single-path and two-path prefixes. Unicast RPF check is disabled for packets coming from multipath prefixes with three or more reverse-path interfaces (these packets always pass the Unicast RPF check).
- interface-group—The PFC3 performs the Unicast RPF check in hardware for single-path and two-path prefixes. The PFC3 also performs the Unicast RPF check for up to four additional interfaces per prefix through user-configured multipath Unicast RPF check interface groups. Unicast RPF check is disabled for packets coming from other multipath prefixes that have three or more reverse-path interfaces (these packets always pass the Unicast RPF check).
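The following Python model is an added example, not code from the Cisco documentation. It covers two passages at once: the strict/exist-only modes, allow-default and the list keyword behaviour from "Configuring the Unicast RPF Check Mode", and the punt/pass/interface-group dispositions of the multiple-path mode described just above. The FIB, interface names and interface group are constructed, and pfc3_disposition is a simplified model of the hardware behaviour, not an implementation of it.

```python
import ipaddress

# Constructed FIB for this example: prefix -> set of reverse-path (ECMP) interfaces.
FIB = {
    "10.1.0.0/16": {"Gi4/1"},
    "10.2.0.0/16": {"Gi4/1", "Gi4/2"},
    "10.3.0.0/16": {"Gi4/1", "Gi4/2", "Gi4/3"},
    "10.4.0.0/16": {"Gi4/1", "Gi4/2", "Gi5/1"},
    "0.0.0.0/0": {"Gi5/1"},
}
# Constructed equivalent of: mls ip cef rpf interface-group 2 Gi4/1 Gi4/2 Gi4/3 Gi4/4
INTERFACE_GROUPS = {2: {"Gi4/1", "Gi4/2", "Gi4/3", "Gi4/4"}}

def lookup(src):
    """Longest-prefix match of src in FIB; returns (prefix, paths) or (None, set())."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, paths in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, paths)
    return (str(best[0]), best[1]) if best else (None, set())

def rpf_check(src, in_if, mode="rx", allow_default=False, acl=None):
    """Return 'forward' or 'drop' for a packet from src arriving on in_if.
    mode: 'rx' = strict (source must be reachable via in_if), 'any' = exist-only.
    allow_default: whether a match on 0.0.0.0/0 counts as a valid reverse path.
    acl: {'permit': bool} when the list keyword is configured; consulted only for
    packets that fail the check (permit forwards the spoofed packet, deny drops it)."""
    prefix, paths = lookup(src)
    passed = prefix is not None and (allow_default or prefix != "0.0.0.0/0")
    if passed and mode == "rx":
        passed = in_if in paths
    if passed or (acl is not None and acl.get("permit", False)):
        return "forward"
    return "drop"

def pfc3_disposition(src, mpath="punt"):
    """Simplified model of 'mls ip cef rpf mpath' on the PFC3: returns 'hardware'
    (check done in hardware), 'punt' (sent to the MSFC3 for a software check) or
    'pass' (check skipped, the packet always passes)."""
    _, paths = lookup(src)
    if len(paths) <= 2:  # single-path and two-path prefixes are always checked in hardware
        return "hardware"
    if mpath == "punt":
        return "punt"
    if mpath == "interface-group" and any(paths <= g for g in INTERFACE_GROUPS.values()):
        return "hardware"  # every reverse path of the prefix lies inside one configured group
    return "pass"
```

The model makes the denial-of-service caveat from the guidelines concrete: under the default punt mode, every packet whose source prefix has three or more reverse paths is handed to the MSFC3, so a flood from such sources lands on the software path.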
This example shows how to configure multiple path RPF check:
Configuring Multiple-Path Interface Groups on a PFC3
To configure multiple-path Unicast RPF interface groups on a PFC3, perform this task:
| Command | Purpose |
|---|---|
| `Router(config)# mls ip cef rpf interface-group [ 0 \| 1 \| 2 \| 3 ] interface1 [ interface2 [ interface3 [ interface4 ]]]` | Configures a multiple-path Unicast RPF interface group (up to four interfaces per group). |
This example shows how to configure interface group 2:
Enabling Self-Pinging
With Unicast RPF check enabled, by default the router cannot ping itself.
To enable self-pinging, perform this task:
| Command | Purpose |
|---|---|
| `Router(config)# interface {{ vlan vlan_ID } \| { type slot/port } \| { port-channel number }}` | Selects an interface to configure. |
| `Router(config-if)# ip verify unicast source reachable-via any allow-self-ping` | Enables self-pinging on the interface. |
| `Router(config-if)# no ip verify unicast source reachable-via any allow-self-ping` | Disables self-pinging on the interface. |

type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet
This example shows how to enable self-pinging: