3.1.4 Set 'ip verify unicast source reachable-via'

Information

Examines incoming packets to determine whether the source address is in the Forwarding Information Base (FIB) and permits the packet only if the source is reachable through the interface on which the packet was received (sometimes referred to as strict mode).

Rationale:

Enabled uRPF helps mitigate IP spoofing by ensuring only packet source IP addresses only originate from expected interfaces. Configure unicast reverse-path forwarding (uRPF) on all external or high risk interfaces.

Impact:

Organizations should plan and implement enterprise security policies that protect the confidentiality, integrity, and availability of network devices. The 'unicast Reverse-Path Forwarding' (uRPF) feature dynamically uses the router table to either accept or drop packets when arriving on an interface.

Solution

Configure uRPF.

hostname(config)#interface {<em>interface_name</em>}
hostname(config-if)#ip verify unicast source reachable-via rx

Default Value:

Unicast RPF is disabled.

See Also

https://workbench.cisecurity.org/files/3829

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-6, 800-53|CM-7, 800-53|SC-23, CSCv7|11

Plugin: Cisco

Control ID: 6843b89ea181336cb7c2ff1c0ea00a4913adff512cb3174a43f1a3f002bc9d07