Filter
Top Products
59-21
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 59 Configuring Router Interfaces
Advanced Interface Settings Page
Mode How strict to make unicast RFP:
• Loose Mode—The default. Examines incoming packets to
determine whether the source address is in the Forwarding
Information Base (FIB) and permits the packet if the source is
reachable through any interface on the router.
Use loose mode on interfaces where asymmetric paths allow
packets from valid source networks (networks contained in the
FIB). For example, routers that are in the core of an ISP network
have no guarantee that the best forwarding path out of the router
will be the path selected for packets returning to the router.
• Strict Mode—Examines incoming packets to determine whether
the source address is in the FIB and permits the packet only if the
source is reachable through the interface on which the packet was
received.
Use strict mode on interfaces where only one path allows packets
from valid source networks (networks contained in the FIB). Also,
use strict mode when a router has multiple paths to a given network
as long as the valid networks are switched through the incoming
interfaces. Packets for invalid networks are dropped. For example,
routers at the edge of the network of an ISP are likely to have
symmetrical reverse paths. Strict mode is also applicable in certain
multihomed situations, provided that optional Border Gateway
Protocol (BGP) attributes, such as weight and local preference, are
used to achieve symmetric routing.
Allow Use Of Default Route
for RFP Verification
Whether to permit Unicast RPF to successfully match on prefixes that
are known through the default route when determining whether to pass
packets. Normally, sources found in the FIB but only by way of the
default route are dropped.
Allow Self Ping Whether to allow the router to ping its own interfaces. By default, when
you enable Unicast RPF, packets that are generated by the router and
destined to the router are dropped, thereby making certain
troubleshooting and management tasks difficult to accomplish.
Caution Allowing self-ping opens a potential denial of service (DoS)
hole.
ACL
(For Unicast RFP)
If you enable unicast RFP, you can apply an ACL to refine how packets
are handled when a reverse path is not found. If you specify an ACL,
when (and only when) a packet fails the Unicast RPF check, the ACL
is checked to determine whether the packet should be dropped (using a
deny statement in the ACL) or forwarded (using a permit statement in
the ACL). Enter the name of a standard or extended ACL object, or
click Select to select an object from a list or to create a new object.
Table 59-6 Advanced Interface Settings Dialog Box (Continued)
Element Description