ip cache-invalidate-delay through monitor event-trace cef ipv6 global
ipv6 verify unicast source reachable-via
To verify that a source address exists in the FIB table and enable Unicast Reverse Path Forwarding (Unicast RPF), use the ipv6 verify unicast source reachable-via command in interface configuration mode. To disable URPF, use the no form of this command.
ipv6 verify unicast source reachable-via { rx | any } [allow-default] [allow-self-ping] [access-list-name]
no ipv6 verify unicast
Syntax Description

| Keyword or argument | Description |
|---|---|
| rx | Source is reachable through the interface on which the packet was received. |
| any | Source is reachable through any interface. |
| allow-default | (Optional) Allows the lookup table to match the default route and use the route for verification. |
| allow-self-ping | (Optional) Allows the router to ping a secondary address. |
| access-list-name | (Optional) Name of the IPv6 access list. Names cannot contain a space or quotation mark, or begin with a numeral. |
Command Default
Unicast RPF is disabled.
Command Modes
Interface configuration (config-if)
Command History

| Release | Modification |
|---|---|
| 12.2(25)S | This command was introduced. |
| 12.2(28)SB | This command was integrated into Cisco IOS Release 12.2(28)SB. |
| Cisco IOS XE Release 2.1 | This command was introduced on Cisco ASR 1000 Series Aggregation Services Routers. |
Usage Guidelines
The ipv6 verify unicast reverse-path command is used to enable Unicast RPF for IPv6 in loose checking mode.
Use the ipv6 verify unicast source reachable-via command to mitigate problems caused by malformed or forged (spoofed) IP source addresses that pass through an IPv6 router. Malformed or forged source addresses can indicate denial-of-service (DoS) attacks based on source IPv6 address spoofing.
The Unicast RPF feature checks whether a packet received on a router interface arrived on one of the best return paths to the packet's source. It does this by performing a reverse lookup in the CEF table. If Unicast RPF does not find a reverse path for the packet, it can drop or forward the packet, depending on whether an access control list (ACL) is specified in the ipv6 verify unicast source reachable-via command. If an ACL is specified, then when (and only when) a packet fails the Unicast RPF check, the ACL is checked to see if the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). Whether a packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for Unicast RPF drops and in the interface statistics for Unicast RPF.
If no ACL is specified in the ipv6 verify unicast source reachable-via command, the router drops the forged or malformed packet immediately and no ACL logging occurs. The router and interface Unicast RPF counters are updated.
Unicast RPF events can be logged by specifying the logging option for the ACL entries used by the ipv6 verify unicast source reachable-via command. Log information can be used to gather information about the attack, such as source address, time, and so on.
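As an added illustration (not part of the Cisco reference), the following Python model walks through the decision sequence the usage guidelines describe: a reverse lookup of the source in the FIB, the rx versus any test, the allow-default rule, and the ACL consulted only when the check fails. The FIB entries, interface names and ACL are constructed sample data.

```python
"""Model of the IPv6 Unicast RPF check configured by
ipv6 verify unicast source reachable-via {rx | any} [allow-default] [acl]."""
import ipaddress

# Constructed FIB: (prefix, set of interfaces on the best paths to it)
FIB = [
    (ipaddress.ip_network("2001:db8:1::/48"), {"Gi0/1"}),
    (ipaddress.ip_network("2001:db8:2::/48"), {"Gi0/2", "Gi0/3"}),  # ECMP
    (ipaddress.ip_network("::/0"), {"Gi0/0"}),                      # default route
]

# Constructed IPv6 ACL: ordered (action, prefix) entries, implicit deny at the end
ACL = [("permit", ipaddress.ip_network("2001:db8:ffff::/48"))]


def fib_lookup(src):
    """Longest-prefix match; returns (prefix, interfaces) or None."""
    best = None
    for prefix, ifaces in FIB:
        if src in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifaces)
    return best


def acl_lookup(src, acl):
    """First matching ACL entry wins; no match means the implicit deny."""
    for action, prefix in acl:
        if src in prefix:
            return action
    return "deny"


def urpf_check(src, ingress, mode="rx", allow_default=False, acl=None, stats=None):
    """Return 'forward' or 'drop'; stats counts failed checks like the RPF counters."""
    src = ipaddress.ip_address(src)
    match = fib_lookup(src)
    passed = False
    if match is not None:
        prefix, ifaces = match
        # The default route only counts when allow-default is configured
        if prefix.prefixlen > 0 or allow_default:
            passed = (ingress in ifaces) if mode == "rx" else True
    if passed:
        return "forward"
    # A failed check is counted whether the packet is dropped or forwarded
    if stats is not None:
        stats["urpf_fail"] = stats.get("urpf_fail", 0) + 1
    if acl is None:
        return "drop"  # no ACL: drop immediately, no ACL logging
    return "forward" if acl_lookup(src, acl) == "permit" else "drop"
```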
Examples
The following example enables Unicast RPF with the any keyword, so a packet passes the check if its source is reachable through any interface:
ipv6 verify unicast source reachable-via any
Related Commands

| Command | Description |
|---|---|
| ipv6 access-list | Defines an IPv6 access list and places the router in IPv6 access list configuration mode. |
| show ipv6 interface | Displays the usability status of interfaces configured for IPv6. |