Sunday, April 1, 2018

URPF






Packets coming in to R2 FastEthernet0/0 whose source address is not in R2's routing table will be dropped. This is unicast Reverse Path Forwarding (uRPF): the router looks up the source, not the destination.



R2#sho run int fastEthernet 0/0
Building configuration...

Current configuration : 128 bytes
!
interface FastEthernet0/0
 ip address 12.1.1.2 255.255.255.0
 ip verify unicast source reachable-via rx 150
 duplex half
end



And strict mode (reachable-via rx) says not only does the source have to be an IP address that is in the routing table of R2, the best route back to that source also has to point out the interface the packet arrived on. The 150 at the end of the command names the access-list that is consulted when the check fails.


An access-list can be used to permit some sources that fail the check, for example source IPs that are not in the routing table. The ACL is only consulted for packets that fail uRPF: permit forwards the packet, deny (including the implicit deny at the end of every ACL) drops it, and log on a deny line records the drop.




R2#show ip route | begin Gateway
Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
O        1.1.1.1 [110/2] via 12.1.1.1, 00:40:53, FastEthernet0/0
      2.0.0.0/32 is subnetted, 1 subnets
C        2.2.2.2 is directly connected, Loopback0
      3.0.0.0/32 is subnetted, 1 subnets
O        3.3.3.3 [110/2] via 23.1.1.3, 00:39:56, FastEthernet1/0
      12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        12.1.1.0/24 is directly connected, FastEthernet0/0
L        12.1.1.2/32 is directly connected, FastEthernet0/0
      23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        23.1.1.0/24 is directly connected, FastEthernet1/0
L        23.1.1.2/32 is directly connected, FastEthernet1/0



R2#show access-lists 150
Extended IP access list 150
    10 permit ip host 1.1.1.1 host 3.3.3.3
    20 permit ip host 11.11.11.11 host 3.3.3.3
    30 deny ip host 111.111.111.111 host 3.3.3.3
    40 deny ip any any log



     1.1.1.1 is in the routing table of R2 via FastEthernet0/0, the interface it arrives on, so it passes uRPF and is never checked against the ACL.

     11.11.11.11 is not in the routing table of R2, so it fails uRPF, is checked against the ACL, and is permitted.

     111.111.111.111 is not in the routing table of R2, so it fails uRPF, is checked against the ACL, and is denied.

     Anybody else who tries to sneak in will be checked, denied, and logged.
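To make that decision order concrete, here is an added example (not code from the page and not Cisco IOS code) that models strict-mode uRPF on R2's FastEthernet0/0 with access-list 150 as the exemption list. R2_FIB and ACL_150 are transcribed from the show output above; the function and class names, the per-ACE hit counters, and the spoofed 3.3.3.3 packet used to compare strict and loose mode at the end are my additions.

```python
"""Strict-mode uRPF with an exemption ACL, modelled on R2's FastEthernet0/0.

Added example, not code from the page or from Cisco IOS. R2_FIB and ACL_150
are transcribed from the show output above; the function names and the
spoofed packets run at the bottom are assumptions made for illustration.
"""
import ipaddress

# R2's routing table as (prefix, egress interface). No default route.
R2_FIB = [
    ("1.1.1.1/32", "FastEthernet0/0"),
    ("2.2.2.2/32", "Loopback0"),
    ("3.3.3.3/32", "FastEthernet1/0"),
    ("12.1.1.0/24", "FastEthernet0/0"),
    ("23.1.1.0/24", "FastEthernet1/0"),
]

# access-list 150 as (action, source, destination, log). "any" matches all.
ACL_150 = [
    ("permit", "1.1.1.1", "3.3.3.3", False),
    ("permit", "11.11.11.11", "3.3.3.3", False),
    ("deny", "111.111.111.111", "3.3.3.3", False),
    ("deny", "any", "any", True),
]


def lookup(fib, addr):
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def urpf_ok(fib, ingress, src, mode):
    """loose (reachable-via any): any route to src will do.
    strict (reachable-via rx): the best route to src must exit via ingress."""
    egress = lookup(fib, src)
    if egress is None:
        return False
    return mode == "loose" or egress == ingress


class UrpfInterface:
    """One interface with 'ip verify unicast source reachable-via <mode> <acl>'."""

    def __init__(self, name, fib, acl, mode="strict"):
        self.name, self.fib, self.acl, self.mode = name, fib, acl, mode
        self.matches = [0] * len(acl)   # per-ACE hit counters, like show access-lists
        self.log = []                   # what the log keyword would emit

    def accept(self, src, dst):
        """Returns (forwarded, reason). The ACL is consulted only when the
        uRPF check fails; a packet that passes uRPF never touches it."""
        if urpf_ok(self.fib, self.name, src, self.mode):
            return True, "urpf-pass"
        for i, (action, asrc, adst, log) in enumerate(self.acl):
            if asrc in ("any", src) and adst in ("any", dst):
                self.matches[i] += 1
                if log:
                    self.log.append(f"list 150 {action} {src} -> {dst}")
                return action == "permit", f"acl-{action}"
        return False, "acl-implicit-deny"


if __name__ == "__main__":
    fa0 = UrpfInterface("FastEthernet0/0", R2_FIB, ACL_150)
    for src in ("1.1.1.1", "11.11.11.11", "111.111.111.111", "192.168.34.7"):
        print(src, fa0.accept(src, "3.3.3.3"))
    print("hit counts:", fa0.matches, "log:", fa0.log)
    # A packet spoofing 3.3.3.3 (really behind Fa1/0) arriving on Fa0/0:
    loose = UrpfInterface("FastEthernet0/0", R2_FIB, ACL_150, mode="loose")
    print("spoofed 3.3.3.3 strict:", fa0.accept("3.3.3.3", "1.1.1.1"),
          "loose:", loose.accept("3.3.3.3", "1.1.1.1"))
```

Two things worth noticing when you run it. The counters on the exemption ACL only move for packets that failed uRPF, so they are a direct count of check failures, which is why line 10 for 1.1.1.1 stays at zero in the outputs below. And the spoofed 3.3.3.3 case shows the cost of strict mode: a source that is legitimately routed out another interface is dropped too, so on links with asymmetric return paths (multihomed edges, most ISP peerings) reachable-via any is the usual choice and rx is reserved for stub interfaces where there is exactly one way back.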




Let's ping from 1.1.1.1

R1#ping 3.3.3.3 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/39/64 ms



R3 has a route back to 1.1.1.1 so he sends the reply.


R3#sho ip route 1.1.1.1
Routing entry for 1.1.1.1/32
  Known via "ospf 1", distance 110, metric 3, type intra area
  Last update from 23.1.1.2 on FastEthernet0/0, 00:23:15 ago
  Routing Descriptor Blocks:
  * 23.1.1.2, from 1.1.1.1, 00:23:15 ago, via FastEthernet0/0
      Route metric is 3, traffic share count is 1



R2's access-list shows no matches because 1.1.1.1 passed the uRPF check, so its packets never went through the ACL.


R2#show access-lists 150
Extended IP access list 150
    10 permit ip host 1.1.1.1 host 3.3.3.3
    20 permit ip host 11.11.11.11 host 3.3.3.3
    30 deny ip host 111.111.111.111 host 3.3.3.3
    40 deny ip any any log





Let's ping from 11.11.11.11

R1#ping 3.3.3.3 source 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11
.....
Success rate is 0 percent (0/5)


Why did the ping fail?

11.11.11.11 should be permitted by the acl on R2.

Let's check R3.


R3 saw the packet come in, and its ICMP process generated a reply:


R3#
*Apr  1 22:43:22.335: ICMP: echo reply sent, src 3.3.3.3, dst 11.11.11.11, topology BASE, dscp 0 topoid 0
R3#




But R3 has no route back to 11.11.11.11, so the reply never leaves the box. The debug line says "sent" because it is logged when ICMP hands the reply to IP; the route lookup that follows fails and the reply is dropped.


R3#show ip route 11.11.11.11
% Network not in table



On R2 we see the matches this time: 11.11.11.11 is not in the routing table of R2, so it failed the uRPF check and was run through the access-list.



R2#show access-lists 150
Extended IP access list 150
    10 permit ip host 1.1.1.1 host 3.3.3.3
    20 permit ip host 11.11.11.11 host 3.3.3.3 (5 matches)
    30 deny ip host 111.111.111.111 host 3.3.3.3
    40 deny ip any any log



11.11.11.11 was permitted through by R2.

The ping failed because R3 had no route back to the source, not because of uRPF. The exemption ACL on R2 only gets the packet into the network; the return path is a separate problem.




Let's ping from 111.111.111.111


R1#ping 3.3.3.3 source 111.111.111.111
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 111.111.111.111
.....
Success rate is 0 percent (0/5)


This ping also fails, but this time because R2 denied it.

R3 did not see any packet come in from 111.111.111.111, even with ICMP debugging on:

R3#show debugging
Generic IP:
  ICMP packet debugging is on



R3#
R3#
R3#
R3#
R3#


The packets were denied by the URPF acl on R2:

R2#show access-lists 150
Extended IP access list 150
    10 permit ip host 1.1.1.1 host 3.3.3.3
    20 permit ip host 11.11.11.11 host 3.3.3.3 (5 matches)
    30 deny ip host 111.111.111.111 host 3.3.3.3 (5 matches)
    40 deny ip any any log







Now what if somebody else tries to get through?


R1#ping 3.3.3.3 source 192.168.34.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.34.7
.....
Success rate is 0 percent (0/5)


He is denied and logged by the last line of the acl on R2.


R2#show access-lists 150
Extended IP access list 150
    10 permit ip host 1.1.1.1 host 3.3.3.3
    20 permit ip host 11.11.11.11 host 3.3.3.3 (5 matches)
    30 deny ip host 111.111.111.111 host 3.3.3.3 (5 matches)
    40 deny ip any any log (5 matches)


R2#
*Apr  1 22:48:56.203: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 192.168.34.7 -> 3.3.3.3 (0/0), 1 packet
R2#








Friday, March 30, 2018

esp-aes esp-sha-hmac



IANA protocol number 50 = ESP, Encap Security Payload (RFC 4303). That is the protocol R1's access-list counts once the GRE tunnel is carried inside IPsec.


















Step 1.  Load initial configurations.  (see below)



Step 2.  Turn off console logging on R1 (no logging console) because you are using the log keyword in your acl and you'll be getting a lot of hits.  Use show logging | include ACCESS to look at your hits.

(Remember ip access-list log-update threshold 1 guys. Without it IOS logs the first matching packet and then only a summary every five minutes, so most of your hits would never show up in the buffer.)



Step 3.  Remove tunnel protection on R3 (no tunnel protection ipsec profile IPSEC-PROFILE under interface Tunnel1).



Step 4.  Clear access-list counters and logging buffer on R1.






Step 5.  Apply tunnel protection on R3 again.




Step 6.   Sit back and enjoy the show.

                                       

                                          Show your access-list and logging buffer.
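As an added example (not from the page and not Cisco IOS code), here is what R1's PACKET-COUNTER list can actually see on the wire before and after Step 5. Before tunnel protection, R3's GRE packet arrives in the clear as IP protocol 47 and the first line of the list matches it on source, destination and GRE. After Step 5 the same GRE packet is carried inside ESP (IP protocol 50, RFC 4303): the outer header shows only the SPI and sequence number, the GRE header sits in the encrypted payload where no ACL can reach it, and the ISAKMP negotiation that precedes it is UDP/500. The packet bytes below are constructed by hand (minimal IPv4 headers, zero checksums, a dummy ciphertext), the function names are assumptions, and the ICMP and BGP lines of the list are left out of the matcher to keep it short.

```python
"""What R1's PACKET-COUNTER access-list sees before and after tunnel
protection is applied on R3.

Added example, not from the page or from Cisco IOS. The packets are
constructed by hand for illustration (minimal IPv4 headers, checksum left
zero, a GRE header per RFC 2784, an ESP header per RFC 4303); the function
names are assumptions.
"""
import socket
import struct

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp",
               51: "ahp", 89: "ospf", 108: "pcp"}
ISAKMP_PORT = 500


def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options, checksum 0) + payload."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def gre_packet(src, dst, inner):
    # GRE: flags/version 0, protocol type 0x0800 (IPv4 inside)
    return ipv4(src, dst, 47, struct.pack("!HH", 0, 0x0800) + inner)


def esp_packet(src, dst, spi, seq, ciphertext):
    # ESP: SPI, sequence number, then encrypted payload + trailer + ICV.
    # The GRE header and inner packet are inside 'ciphertext' and invisible.
    return ipv4(src, dst, 50, struct.pack("!II", spi, seq) + ciphertext)


def isakmp_packet(src, dst, payload):
    udp = struct.pack("!HHHH", ISAKMP_PORT, ISAKMP_PORT, 8 + len(payload), 0)
    return ipv4(src, dst, 17, udp + payload)


def classify(pkt):
    """Return what an ACL on the receiving interface can see in the packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    info = {"src": socket.inet_ntoa(pkt[12:16]),
            "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": proto, "name": PROTO_NAMES.get(proto, str(proto))}
    body = pkt[ihl:]
    if proto == 47:
        info["inner_ethertype"] = struct.unpack("!H", body[2:4])[0]
    elif proto == 50:
        info["spi"], info["seq"] = struct.unpack("!II", body[:8])
    elif proto == 17:
        sport, dport = struct.unpack("!HH", body[:4])
        info["isakmp"] = ISAKMP_PORT in (sport, dport)
    return info


def counting_ace(info):
    """Which PACKET-COUNTER line, in the order written on R1, counts this
    packet. First match wins. ICMP and BGP lines are omitted here."""
    if (info["name"] == "gre" and info["src"] == "23.1.1.3"
            and info["dst"] == "12.1.1.1"):
        return "permit gre host 23.1.1.3 host 12.1.1.1"
    if info["name"] == "ospf":
        return "permit ospf any any"
    if info["name"] in ("ahp", "esp", "pcp"):
        return f"permit {info['name']} any any log"
    if info["name"] == "udp" and info.get("isakmp"):
        return "permit udp any any eq isakmp log"
    return "permit ip any any log"


if __name__ == "__main__":
    inner = ipv4("13.1.1.3", "13.1.1.1", 6, b"\x00" * 20)   # BGP-ish inner IP
    before = gre_packet("23.1.1.3", "12.1.1.1", inner)
    after = esp_packet("23.1.1.3", "12.1.1.1", 0xC0FFEE, 1, b"\x00" * 64)
    ike = isakmp_packet("23.1.1.3", "12.1.1.1", b"\x00" * 28)
    for name, pkt in (("GRE clear", before), ("ISAKMP", ike), ("ESP", after)):
        info = classify(pkt)
        print(f"{name:10} -> {counting_ace(info)}  {info}")
```

The point to take from the output is which line stops counting and which starts: the first line of the list stops matching after Step 5 even though R3 is still sending GRE, because the only thing left on the outer packet is ESP with an SPI. This is also why the `permit gre` line is placed first and without log: once protection is on, every tunnel packet falls through to `permit esp any any log` and, with the log-update threshold at 1, the logging buffer fills accordingly.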






initial configs


======== R1 ============


R1#sho run
Building configuration...

Current configuration : 2533 bytes
!
! Last configuration change at 22:34:25 UTC Fri Mar 30 2018
upgrade fpd auto
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no logging console
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 23.1.1.3
!
!
crypto ipsec transform-set IPSEC-TRANSFORM-SET esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set IPSEC-TRANSFORM-SET
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel1
 ip address 13.1.1.1 255.255.255.0
 tunnel source 12.1.1.1
 tunnel destination 23.1.1.3
 tunnel protection ipsec profile IPSEC-PROFILE
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 ip address 12.1.1.1 255.255.255.0
 ip access-group PACKET-COUNTER in
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 1
 network 1.1.1.1 0.0.0.0 area 0
 network 12.1.1.1 0.0.0.0 area 0
!
router bgp 100
 bgp log-neighbor-changes
 neighbor 13.1.1.3 remote-as 300
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
ip access-list extended PACKET-COUNTER
 permit gre host 23.1.1.3 host 12.1.1.1
 permit ospf any any
 permit tcp any eq bgp any
 permit tcp any any eq bgp
 permit icmp host 23.1.1.3 host 12.1.1.1 port-unreachable
 permit icmp any any 0 0 log
 permit icmp any any log
 permit ahp any any log
 permit esp any any log
 permit pcp any any log
 permit udp any any eq isakmp log
 permit ip any any log
!
ip access-list log-update threshold 1
no cdp log mismatch duplex
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
 transport input all
!
!
end

R1#
R1#
R1#
R1#



======== R2 ============



R2#sho run
Building configuration...

Current configuration : 1518 bytes
!
! Last configuration change at 20:48:23 UTC Fri Mar 30 2018
upgrade fpd auto
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 ip address 12.1.1.2 255.255.255.0
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 ip address 23.1.1.2 255.255.255.0
 serial restart-delay 0
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
 transport input all
!
!
end

R2#





======== R3 ============




R3#sho run
Building configuration...

Current configuration : 2044 bytes
!
! Last configuration change at 23:52:44 UTC Fri Mar 30 2018
upgrade fpd auto
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 12.1.1.1
!
!
crypto ipsec transform-set IPSEC-TRANSFORM-SET esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set IPSEC-TRANSFORM-SET
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel1
 ip address 13.1.1.3 255.255.255.0
 tunnel source 23.1.1.3
 tunnel destination 12.1.1.1
 tunnel protection ipsec profile IPSEC-PROFILE
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 ip address 23.1.1.3 255.255.255.0
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 1
 network 3.3.3.3 0.0.0.0 area 0
 network 23.1.1.3 0.0.0.0 area 0
!
router bgp 300
 bgp log-neighbor-changes
 neighbor 13.1.1.1 remote-as 100
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
 transport input all
!
!
end

R3#



====================================================================

Paste these commands into R1 to clear the counters and put the show commands in the history so they are a quick up arrow away:



enable




clear logging




clear access-list counters




show access-lists


show logging | include ACCESS



