Configure URPF Strict Mode
Network Requirements
- PC is connected to IP Network via Device; configure the URPF strict mode on Device.
- PC simulates the attacker to send the invalid packet with the false source address to access IP Network. The URPF function of Device drops the packet.
Network Topology
Figure 16–1 Networking of configuring the URPF strict mode
Configuration Steps
Step 1: Configure VLAN and add the port to the corresponding VLAN. (Omitted)
Step 2: Configure the IP address and route of the interface; it is required that PC can access IP Network via Device. (Omitted)
Step 3: Configure the URPF strict mode.
#Enable the URPF function on Device and configure the URPF strict mode on port gigabitethernet0/1.
|
Device#configure terminal
Device(config)#ip urpf
Device(config)#interface gigabitethernet 0/1
Device(config-if-gigabitethernet0/1)#ip urpf strict
Device(config-if-gigabitethernet0/1)#exit
|
Step 4: Check the result.
#PC accesses IP Network via Device and the source address is 120.5.0.2.
There is the route to 120.5.0.2 to Device and the egress interface of the route is VLAN2. The route egress interface to the source address and the interface for receiving the packet are the same interface VLAN2. After passing the URPF strict check, the packet is forwarded by Device and PC can access IP Network.
#PC simulates the attacker to send the invalid packet with the false source address; access IP Network via Device; the source address is 120.10.0.2.
There is no route to 120.10.0.2 on Device; URPF drops the packet and PC cannot access IP Network.
Switch
.png){kind=icon}
.png){kind=logo}
.jpg)
.png){kind=logo}
