3.2 Troubleshoot router security features
📘CCNP Enterprise – ENARSI (300-410)
1. What is uRPF?
uRPF (Unicast Reverse Path Forwarding) is a security feature on Cisco routers that helps prevent IP source address spoofing. IP spoofing is when a device sends packets whose source address is forged, so that replies (and blame) go to someone else. Attackers rely on spoofing for attacks such as DDoS, including reflection and amplification attacks in which the forged source address is the victim.
uRPF works by checking the source IP address of each incoming packet against the router's forwarding table (the CEF FIB): the router asks whether it has a route back to that source and, in strict mode, whether that route points out the interface the packet arrived on.
Think of it as the router double-checking that the packet came from the direction it claims to have come from. If the check fails, the router drops the packet.
2. How uRPF Works
uRPF operates on ingress traffic (incoming packets) and relies on CEF, so CEF must be enabled on the router (it is on by default on current IOS releases).
For each incoming packet the router examines the source IP:
- Looks up the source address in the FIB (longest-prefix match, the same lookup it would use to forward a packet back to that address).
- Checks that a route to the source exists; in strict mode the route must also exit via the interface the packet arrived on, in loose mode any interface will do.
- If the check passes, the packet is forwarded normally.
- If the check fails, the packet is dropped and counted (and, depending on configuration, logged or exempted through an exception ACL).
This keeps packets with spoofed source IPs from entering the network through that interface. Note the limit of the check: a spoofed source that is legitimately reachable through the receiving interface (for example a neighbor in the same prefix forging another neighbor's address) still passes.
3. uRPF Modes
Cisco routers support two checking modes of uRPF, strict and loose; an interface with no ip verify unicast command is simply unprotected, which is often described as a third, disabled, mode.
a) Strict Mode (recommended where routing is symmetric, for example on access and customer-facing edges)
- Checks that the FIB has a route to the source IP AND that the route's outgoing interface is the interface the packet arrived on.
- If not, the packet is dropped.
- Advantage: Very secure; the source must lie in a prefix that is actually reachable through the receiving interface.
- Limitation: Can drop legitimate traffic in networks with asymmetric routing (where the return path differs from the incoming path), for example on one of two links to a dual-homed neighbor.
- Caveat: the default route does not satisfy the check unless the allow-default keyword is added to the command.
Example configuration:
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip verify unicast source reachable-via rx
b) Loose Mode
- Checks only that a route to the source IP exists in the FIB, via any interface.
- Advantage: Works well in asymmetric routing environments, for example on ISP peering and transit links.
- Limitation: Less strict than strict mode; it catches only unrouted sources (unallocated or bogon space, or prefixes the router has no route for) and cannot detect a spoofed address that is routable somewhere. As in strict mode, the default route counts only with allow-default.
- A source whose best route points to Null0 fails the loose check; this is how source-based remotely triggered black hole (RTBH) filtering drops traffic from a chosen source.
Example configuration:
interface GigabitEthernet0/1
 ip verify unicast source reachable-via any
c) Disabled Mode
- uRPF is not active on the interface (no ip verify unicast command is present).
- The router does not check source IPs for validity; use show ip interface to confirm whether the command is present.
4. Key Points for the Exam
- uRPF is mainly used to protect against spoofed IP attacks.
- Strict mode: Drops packets if the best route to the source IP does not point out the incoming interface.
- Loose mode: Drops packets if no route to the source IP exists in the FIB (or the route points to Null0).
- Asymmetric routing may require loose mode to avoid dropping legitimate traffic.
- uRPF is applied on ingress interfaces (interfaces receiving traffic).
- The default route is ignored by both modes unless allow-default is configured.
- Logging and exceptions are handled through an optional ACL appended to the command (ip verify unicast source reachable-via rx <acl>): the ACL is consulted only for packets that fail the check; a permit entry lets the packet through anyway, a deny entry drops it, and the log keyword on an ACL entry is what produces the log message.
5. Example Scenario in a Network
Imagine a router receives a packet with source IP 10.1.1.5 on interface Gi0/1:
- In strict mode, uRPF checks: “Does the routing table say I would reach 10.1.1.5 via Gi0/1?”
  - If yes → forward the packet.
  - If no → drop it.
- In loose mode, uRPF checks: “Does the routing table know any route to 10.1.1.5?”
  - If yes → forward the packet.
  - If no → drop it.
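To make the strict/loose decision concrete, here is an added Python simulation of the check (example code written for these notes, not Cisco's implementation). The FIB, interface names and the host that is black-holed via Null0 are constructed for the example; the function mirrors the reachable-via rx / any behavior and the allow-default keyword, and also shows the two cases the scenario above leaves out: a source known only through the default route, and a source whose best route is Null0.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # outgoing interface; "Null0" marks a black-hole route


# Constructed FIB for this example (not from the page): Gi0/1 owns 10.1.1.0/24,
# Gi0/2 owns 10.2.0.0/16, one host is black-holed, everything else follows the default route.
FIB: List[Route] = [
    Route(ipaddress.ip_network("10.1.1.0/24"), "GigabitEthernet0/1"),
    Route(ipaddress.ip_network("10.2.0.0/16"), "GigabitEthernet0/2"),
    Route(ipaddress.ip_network("192.0.2.77/32"), "Null0"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet0/0"),
]


def lookup(fib: List[Route], src: str) -> Optional[Route]:
    """Longest-prefix match for src: the entry the router would use to send a packet back to it."""
    addr = ipaddress.ip_address(src)
    best = None
    for route in fib:
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def urpf_check(fib: List[Route], src: str, ingress: str, mode: str,
               allow_default: bool = False) -> Tuple[bool, str]:
    """Apply the uRPF decision for one packet.

    mode is "strict" (reachable-via rx) or "loose" (reachable-via any);
    allow_default mirrors the allow-default keyword. Returns (passes, reason).
    """
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    route = lookup(fib, src)
    if route is None:
        return False, "no route to source"
    # The default route only satisfies the check when allow-default is configured.
    if route.prefix.prefixlen == 0 and not allow_default:
        return False, "only the default route matches and allow-default is not set"
    # A best route to Null0 fails in both modes (basis of source-based RTBH).
    if route.interface == "Null0":
        return False, "best route to source points to Null0 (black-holed)"
    # Strict mode additionally requires the return path to use the receiving interface.
    if mode == "strict" and route.interface != ingress:
        return False, f"best route exits {route.interface}, packet arrived on {ingress}"
    return True, f"matched {route.prefix} via {route.interface}"


if __name__ == "__main__":
    # The page's scenario (10.1.1.5 on Gi0/1), the same source on the wrong interface,
    # a source known only via the default route, and a black-holed source.
    packets = [("10.1.1.5", "GigabitEthernet0/1"), ("10.1.1.5", "GigabitEthernet0/2"),
               ("203.0.113.9", "GigabitEthernet0/1"), ("192.0.2.77", "GigabitEthernet0/2")]
    for src, ingress in packets:
        for mode in ("strict", "loose"):
            ok, why = urpf_check(FIB, src, ingress, mode)
            print(f"{src:12} on {ingress:18} {mode:6}: {'FORWARD' if ok else 'DROP':7} ({why})")
```

Running the block prints the decision table; the interesting rows are 10.1.1.5 arriving on Gi0/2 (dropped in strict mode, forwarded in loose mode), 203.0.113.9 (dropped in both modes until allow_default=True is passed), and 192.0.2.77 (dropped in both modes because its best route is Null0).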
6. Troubleshooting uRPF
For the exam, you need to know how to verify and troubleshoot uRPF:
a) Show commands
- show ip interface <interface> → check whether uRPF is enabled on an interface and in which mode: the output contains a line such as IP verify source reachable-via RX (strict) or ANY (loose), whether allow default is set, and the verification drop counters for that interface.
- show ip traffic → the IP statistics include a unicast RPF drop counter, useful when you suspect uRPF drops but do not yet know which interface.
- show cef interface <interface> → confirms that CEF is active on the interface and shows its unicast RPF setting.
- show logging → see logged drops; these appear only if an ACL with log entries is attached to the ip verify unicast command.
- debug ip verify → (lab scenarios only) see real-time uRPF checks.
b) Common issues
- Legitimate traffic dropped due to asymmetric routing → solution: use loose mode on that interface, or fix the routing so it is symmetric.
- Traffic from sources known only through the default route dropped → solution: add allow-default, or accept that such sources are treated as unverifiable.
- Misconfigured or missing command on the interface → uRPF not working → solution: check the ip verify unicast line under the interface, and confirm CEF is enabled, because uRPF does not operate without it.
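As an added example of the verification step (written for these notes, not a Cisco tool), the following Python parses show ip interface output for every interface, records the uRPF mode, the allow-default flag and the verification drop counter, and flags the two things a troubleshooter looks for first: interfaces with no uRPF at all, and interfaces that are actively dropping. The sample output is constructed and modeled on the IOS format; the interface names and counters are invented.

```python
import re
from typing import Dict, List

# Constructed "show ip interface" output modeled on the IOS format (not captured from a real device).
SAMPLE_SHOW_IP_INTERFACE = """\
GigabitEthernet0/1 is up, line protocol is up
  Internet address is 192.168.1.1/24
  IP verify source reachable-via RX, allow default
   12 verification drops
   0 suppressed verification drops
GigabitEthernet0/2 is up, line protocol is up
  Internet address is 10.2.0.1/16
  IP verify source reachable-via ANY
   0 verification drops
   0 suppressed verification drops
GigabitEthernet0/3 is up, line protocol is up
  Internet address is 10.3.0.1/24
  Outgoing access list is not set
"""

# Interface headers start at column 0; everything else in the block is indented.
INTERFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down)")
VERIFY_RE = re.compile(r"^\s*IP verify source reachable-via (RX|ANY)(, allow default)?")
# Anchored so that "0 suppressed verification drops" is not mistaken for the drop counter.
DROPS_RE = re.compile(r"^\s*(\d+) verification drops")


def parse_urpf_status(output: str) -> Dict[str, dict]:
    """Map each interface to its uRPF mode, allow-default flag and verification drop count."""
    status: Dict[str, dict] = {}
    current = None
    for line in output.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            # No "IP verify source" line in the block means uRPF is not configured.
            status[current] = {"mode": "disabled", "allow_default": False, "drops": 0}
            continue
        if current is None:
            continue
        m = VERIFY_RE.match(line)
        if m:
            status[current]["mode"] = "strict" if m.group(1) == "RX" else "loose"
            status[current]["allow_default"] = m.group(2) is not None
            continue
        m = DROPS_RE.match(line)
        if m:
            status[current]["drops"] = int(m.group(1))
    return status


def audit(status: Dict[str, dict]) -> List[str]:
    """Findings a troubleshooter cares about: unprotected interfaces and interfaces that are dropping."""
    findings = []
    for name, info in status.items():
        if info["mode"] == "disabled":
            findings.append(f"{name}: uRPF not configured")
        elif info["drops"] > 0:
            hint = " (check for asymmetric routing)" if info["mode"] == "strict" else ""
            findings.append(f"{name}: {info['drops']} uRPF drops in {info['mode']} mode{hint}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_urpf_status(SAMPLE_SHOW_IP_INTERFACE)):
        print(finding)
```

On a real device you would feed it the output of show ip interface (all interfaces) captured over SSH; the regular expressions only assume the header line and the IP verify source / verification drops lines shown in the sample.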
7. Exam Tips
- Always mention mode (strict vs loose) when describing uRPF.
- Remember uRPF is for ingress filtering and anti-spoofing.
- For troubleshooting questions, think:
- Which interface received the packet?
- Does the routing table match the source IP?
- Which mode is configured?
✅ Summary Table
| uRPF Mode | What it checks | Use Case |
|---|---|---|
| Strict | Best route to the source IP exits via the receiving interface | Symmetric routing (access and customer edges), maximum security |
| Loose | Any route to the source IP exists in the FIB (and is not Null0) | Asymmetric routing (peering and transit links), less strict |
| Disabled | No source check | Not recommended for security |
