unicast source reachable-via rx

johnwest43 Member Posts: 294
Not sure if this is the correct place for this but it seems security related to me.

Does this command have any use if I have the IOS firewall configured? And if so, where should you apply it, the inside (LAN interface) or the outside (Internet interface)?

thanks
CCNP: ROUTE [x], SWITCH [x], TSHOOT [x] Completed on 2/18/2014

Comments

  • johnwest43 Member Posts: 294
    Anyone ?

    1000 cool points to the first response:D
    CCNP: ROUTE [x], SWITCH [x], TSHOOT [x] Completed on 2/18/2014
  • networker050184 Mod Posts: 11,962
    What are you trying to accomplish? uRPF isn't directly related to the IOS firewall feature, if that is what you are asking.
    An expert is a man who has made all the mistakes which can be made.
  • johnwest43 Member Posts: 294
    I know it's not related to the firewall feature, I am just curious, that's all. Seems you can accomplish the same thing with an access list.
    CCNP: ROUTE [x], SWITCH [x], TSHOOT [x] Completed on 2/18/2014
  • networker050184 Mod Posts: 11,962
    You could basically do the same thing with ACLs, but they must be updated manually. uRPF uses the routing table so it will always have the latest information on the reverse path for traffic.
    An expert is a man who has made all the mistakes which can be made.
  • jason_lunde Member Posts: 567
    johnwest43 wrote: »
    Not sure if this is the correct place for this but it seems security related to me.

    Does this command have any use if I have the IOS firewall configured? And if so, where should you apply it, the inside (LAN interface) or the outside (Internet interface)?

    thanks

    "They", though I don't know quite who they are, say to do it on your outside interfaces.
  • networker050184 Mod Posts: 11,962
    jason_lunde wrote: »
    "They", though I don't know quite who they are, say to do it on your outside interfaces.

    Definitely better on the outside interface in this set up. The way that uRPF works is it's going to look up the destination interface for the source address. You are going to have your internal networks known, and you can just use the allow-default option to cover all Internet routes unless you are receiving a full table. If you start multihoming and have asymmetric routing, then it can become an issue.
    An expert is a man who has made all the mistakes which can be made.
  • Ahriakin Member Posts: 1,799
    Also uRPF gets loaded into CEF, depending on the platform and if/how it handles distribution to hardware accelerating line cards it can be more efficient than the same rules via an ACL. Mostly though as mentioned it's more convenient at your edge since it's essentially self updating as long as your routing table is accurate.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
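Added example, not from anyone in this thread: a small Python model of the strict-mode check the replies above describe (source address looked up in the routing table, reverse-path interface compared with the ingress interface, default route only honoured with allow-default). The routing table, interface names and source addresses are constructed for illustration.

```python
# Constructed model of strict uRPF ("ip verify unicast source reachable-via rx").
# Routing table, interface names and addresses are made up for the example.
from ipaddress import ip_address, ip_network

# (prefix, egress interface). 0.0.0.0/0 is the default route towards the Internet.
ROUTES = [
    ("0.0.0.0/0", "Gi0/0"),       # outside / Internet interface
    ("10.10.0.0/16", "Gi0/1"),    # inside LAN
    ("192.0.2.0/24", "Gi0/1"),    # another internal prefix
]

def lookup(addr):
    """Longest-prefix match over ROUTES; returns (network, interface) or None."""
    best = None
    for prefix, iface in ROUTES:
        net = ip_network(prefix)
        if ip_address(addr) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def strict_urpf_permits(src, ingress, allow_default=False):
    """Strict mode: the route back to the source must point out of the interface
    the packet arrived on. A hit on the default route only counts when
    allow-default is configured, which is what an edge without a full table needs."""
    hit = lookup(src)
    if hit is None:
        return False                      # no route back at all: drop
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False                      # matched only the default route
    return iface == ingress

def demo():
    """Outcomes for a few constructed packets on the outside (Gi0/0) and inside (Gi0/1)."""
    return {
        # spoofed internal source arriving from the Internet: reverse path is Gi0/1, drop
        "spoofed_inside_src": strict_urpf_permits("10.10.5.5", "Gi0/0", allow_default=True),
        # genuine Internet source: dropped unless allow-default covers the default route
        "internet_src_no_default": strict_urpf_permits("198.51.100.7", "Gi0/0"),
        "internet_src_allow_default": strict_urpf_permits("198.51.100.7", "Gi0/0", allow_default=True),
        # legitimate LAN host entering on the inside interface
        "lan_src_inside": strict_urpf_permits("10.10.5.5", "Gi0/1"),
    }
```

The asymmetric-routing caveat from the thread is visible in the same model: if the route back to a source pointed out a different interface than the one the packet arrived on, strict mode would drop legitimate traffic.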