Information
If VLAN interfaces have IP addresses, it is important that anti-spoofing protections are in place to prevent an attacker from spoofing a source address that is not legitimate on that inbound interface.
If an attacker is allowed to 'spoof' addresses to the point that packets are permitted to arrive on the incorrect interface, it becomes possible for the attacker to spoof their trust level from a network point of view, for instance by sourcing 'inside' addresses from an 'outside' interface.
The URPF feature uses the same tables as the routing protocol, so the CPU impact of configuring this feature is low. However, logging of high-volume URPF attacks (or URPF misconfigurations) can result in:
higher CPU utilization on the switch
higher network utilization on the path to the logging server
higher disk utilization on the logging server
higher CPU utilization on the logging server
Because of this, URPF events, especially in higher volumes, should be configured to generate a high-priority alert in your logging server or SIEM.
Solution
Apply the command 'ip verify unicast source reachable-via rx' to all VLAN interfaces that have IP addresses. This forces the check to verify that the packet is arriving on the correct interface, i.e. the interface the switch would itself use to reach the packet's source address.
The command variant 'ip verify unicast source reachable-via any' is not recommended, as it only checks that the source address is reachable via some route, not that it arrived on the correct interface. If the device has a default route, then this command variant has no effect, because every address is reachable via the default route.
switch(config)# interface Vlan X
switch(config-if)# ip verify unicast source reachable-via rx
By default, Unicast Reverse Path Forwarding protections are not enabled.
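To check this item against a saved running-config rather than by hand, the following added example (not part of the original check text, and not a Tenable or Cisco tool) parses interface stanzas, flags every VLAN interface that carries an IP address but lacks the strict 'reachable-via rx' form, distinguishes the weaker 'reachable-via any' variant, and emits the remediation commands from the Solution above. The configuration excerpt it runs over is constructed for illustration; the interface names and addresses are assumptions, not values from the original page.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpt (assumed values, not from a real device).
SAMPLE_CONFIG = """\
!
interface Vlan10
 description users
 ip address 10.1.10.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
interface Vlan20
 description servers
 ip address 10.1.20.1 255.255.255.0
!
interface Vlan30
 description guest
 ip address 10.1.30.1 255.255.255.0
 ip verify unicast source reachable-via any
!
interface Vlan99
 description layer-2 only, no SVI address
 no ip address
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
!
"""

STRICT = "ip verify unicast source reachable-via rx"   # recommended form
LOOSE = "ip verify unicast source reachable-via any"   # not recommended


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [stanza lines]} for every 'interface ...' block.

    An interface stanza consists of the indented lines that follow the
    'interface' line; '!' or any other top-level line ends it.
    """
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line[len("interface "):].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def audit_urpf(config: str) -> Dict[str, str]:
    """Classify every VLAN interface that has an IP address.

    'pass'    - strict uRPF ('reachable-via rx') is configured
    'loose'   - only the 'reachable-via any' variant is configured
    'missing' - no uRPF command at all
    VLAN interfaces without an address (and non-VLAN interfaces) are skipped.
    """
    results: Dict[str, str] = {}
    for name, lines in parse_interfaces(config).items():
        if not name.lower().startswith("vlan"):
            continue
        # 'no ip address' does not match because the pattern is anchored at the start.
        has_ip = any(re.match(r"ip address (\d|dhcp)", l) for l in lines)
        if not has_ip:
            continue
        if any(l.startswith(STRICT) for l in lines):
            results[name] = "pass"
        elif any(l.startswith(LOOSE) for l in lines):
            results[name] = "loose"
        else:
            results[name] = "missing"
    return results


def remediation(config: str) -> List[str]:
    """Config lines that apply the strict form to every non-passing VLAN interface."""
    cmds: List[str] = []
    for name, state in audit_urpf(config).items():
        if state != "pass":
            cmds += [f"interface {name}", f" {STRICT}"]
    return cmds


if __name__ == "__main__":
    for name, state in audit_urpf(SAMPLE_CONFIG).items():
        print(f"{name}: {state}")
    print("\n".join(remediation(SAMPLE_CONFIG)))
```

Run it against the output of 'show running-config' saved to a file by replacing SAMPLE_CONFIG with the file contents; a 'loose' result on a device with a default route is effectively the same as 'missing', which is why both states are remediated.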