Tuesday 6 March 2012

Unicast RPF

Cisco Express Forwarding (CEF) switching must be enabled for Unicast RPF to function. If it is not enabled, administrators can enable it with the following global configuration command: ip cef

Unicast RPF is enabled on a per-interface basis.

Strict Mode
In strict mode each incoming packet is tested against the FIB and if the incoming interface is not the best reverse path the packet check will fail. By default failed packets are discarded.

The ip verify unicast source reachable-via rx command enables Unicast RPF in strict mode. The older command to enable this function is ip verify unicast reverse-path.

In strict mode, all equal-cost "best" return paths are considered valid, meaning that it works for cases in which multiple return paths exist, provided that each path is equal in routing cost to the others (number of hops, weights, and so on), and as long as the route is in the FIB. Unicast RPF also functions when Enhanced Interior Gateway Routing Protocol (EIGRP) variants are being used and unequal candidate paths back to the source IP address exist. The strict mode works well for customer-to-ISP network edge configurations that have symmetrical flows (including some multihomed configurations in which symmetrical flows can be enforced).

Loose Mode
In loose mode each incoming packet's source address is tested against the FIB. The packet is dropped only if the source address is not reachable via any interface on that router. The source IP address for a packet must appear in the routing table.


To enable loose mode: ip verify unicast source reachable-via any

The IPv6 version of the command is the same apart from the ipv6 keyword and is likewise applied at the interface level.


IPv4: ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [access-list-name]
IPv6: ipv6 verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [access-list-name]
 
 
The older IPv4 command ip verify unicast reverse-path also has an IPv6 form: ipv6 verify unicast reverse-path.
 
The allow-default option may be used with either the rx or any option to let a default route satisfy the check for source addresses that have no specific entry in the routing table.

If an ACL is specified in the command, then when (and only when) a packet fails the Unicast RPF check, the ACL is checked to determine whether the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). Whether a packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for Unicast RPF drops and in the interface statistics for Unicast RPF.  
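The following is an added example, not part of the original post: a small Python model of the strict and loose checks, the allow-default option and the ACL exemption described above, run against a constructed FIB (the prefixes and interface names are assumptions made up for the demonstration).

```python
import ipaddress

# Constructed FIB: prefix -> set of egress interfaces (equal-cost paths share one prefix)
FIB = {
    "10.1.0.0/16": {"Gi0/1"},
    "10.2.0.0/16": {"Gi0/2", "Gi0/3"},   # two equal-cost best reverse paths
    "192.0.2.0/24": {"Gi0/4"},
    "0.0.0.0/0": {"Gi0/0"},              # default route toward the upstream
}

def lookup(src):
    """Longest-prefix match of the source address; returns (network, interfaces) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifaces in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best

def urpf_check(src, in_iface, mode="rx", allow_default=False, acl=None):
    """Return 'forward' or 'drop' for a packet from src arriving on in_iface.

    mode: 'rx' (strict) or 'any' (loose).
    acl: optional dict prefix -> 'permit'/'deny', consulted only when the check fails.
    """
    hit = lookup(src)
    passed = hit is not None
    if passed and hit[0].prefixlen == 0 and not allow_default:
        passed = False            # a bare default route does not count without allow-default
    if passed and mode == "rx":
        passed = in_iface in hit[1]   # strict: ingress must be one of the best reverse paths
    if passed:
        return "forward"
    # Failed check: the ACL, if configured, decides the fate; the packet is still
    # counted in the uRPF drop statistics either way.
    if acl:
        for prefix, action in acl.items():
            if ipaddress.ip_address(src) in ipaddress.ip_network(prefix):
                return "forward" if action == "permit" else "drop"
    return "drop"
```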
