IP Packet Spoofing Prevention
Cisco IOS provides two features to prevent IP packet spoofing. One is uRPF (Unicast Reverse Path Forwarding), which works at Layer 3 (the Network Layer) on routers. The other is IP Source Guard, which works at Layer 2 (the Data Link Layer) and therefore applies to LAN switches.
uRPF verifies that the source IP address of a packet is reachable through the interface on which the packet arrived. Normally a packet arrives on the interface the router would itself use to reach the packet's source, that is, the reverse path. With IP spoofing, an attacker injects packets whose source address does not belong to its segment or network, so under a uRPF check such packets appear on an interface that is not on the reverse path to their claimed source. The check is performed against the FIB, so CEF must be enabled (ip cef). The feature has two modes:
- Strict mode: ip verify unicast source reachable-via rx. The source IP address must match a route in the routing table and, most importantly, the next hop of that route must point out of the interface the packet was received on. This is the right choice where routing is symmetric (a single-homed customer or access network); with asymmetric routing it drops legitimate traffic.
- Loose mode: ip verify unicast source reachable-via any. The router only checks that some route matches the source address; whether that route points out of the receiving interface does not matter. In both modes a source that matches only the default route fails the check unless the allow-default keyword is added, and a source whose route points to Null0 always fails, which is what source-based remotely triggered black-holing relies on.
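To make the two modes concrete, here is a small model of the uRPF decision against a constructed FIB. It is an added example, not Cisco's code: the interface names, prefixes, addresses and the black-holed 10.0.0.0/8 route are assumptions for illustration, and the model ignores equal-cost multipath (real strict mode accepts any of the equal-cost paths' interfaces).

```python
# Added example (not Cisco code): a model of the uRPF source check against a
# small FIB, showing how strict mode, loose mode, allow-default and Null0
# routes decide whether a packet is forwarded. Interface names, prefixes and
# addresses are constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str          # egress interface of the best path ("Null0" = discard)


# Constructed FIB of an edge router: Gi0/0 faces a customer LAN,
# Gi0/2 a second customer, Gi0/1 the upstream (default route), and
# 10.0.0.0/8 is black-holed to Null0.
FIB = [
    Route(ipaddress.ip_network("192.0.2.0/24"), "Gi0/0"),
    Route(ipaddress.ip_network("198.51.100.0/24"), "Gi0/2"),
    Route(ipaddress.ip_network("10.0.0.0/8"), "Null0"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "Gi0/1"),
]


def lookup(src_ip: str):
    """Longest-prefix match of the source address; None if no route at all."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for route in FIB:
        if ip in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def urpf_permit(src_ip: str, in_iface: str, mode: str = "strict", allow_default: bool = False) -> bool:
    """Return True if the packet passes the uRPF check on in_iface.

    mode="strict" models 'ip verify unicast source reachable-via rx',
    mode="loose"  models 'ip verify unicast source reachable-via any',
    allow_default models the 'allow-default' keyword.
    """
    route = lookup(src_ip)
    if route is None:
        return False                       # no route to the source: drop
    if route.out_iface == "Null0":
        return False                       # source black-holed: drop (source-based RTBH)
    if route.prefix.prefixlen == 0 and not allow_default:
        return False                       # only the default route matches: drop
    if mode == "loose":
        return True                        # any usable route is enough
    return route.out_iface == in_iface     # strict: must arrive on the reverse path


if __name__ == "__main__":
    # Customer 192.0.2.0/24 on Gi0/0 spoofing another customer's prefix.
    print(urpf_permit("198.51.100.9", "Gi0/0", "strict"))   # False
    print(urpf_permit("198.51.100.9", "Gi0/0", "loose"))    # True
    # Upstream injecting a packet with a customer address as source.
    print(urpf_permit("192.0.2.10", "Gi0/1", "strict"))     # False
    # Internet source arriving on the upstream link: needs allow-default.
    print(urpf_permit("203.0.113.7", "Gi0/1", "loose"))     # False
    print(urpf_permit("203.0.113.7", "Gi0/1", "loose", allow_default=True))  # True
```

The last two calls show why loose mode on an upstream link is usually configured with allow-default: without it every source that is only covered by the default route is dropped. The Null0 case shows the other side of loose mode, a static route for a prefix to Null0 makes uRPF drop everything sourced from that prefix on every interface where the check is enabled.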
IP Source Guard prevents IP packet spoofing at Layer 2 on switch access ports. When you enable it on a port, the switch installs a per-port filter that only accepts IP packets whose source IP address (and, with the port-security or mac-check option, source MAC address) matches a binding for that port. Bindings come from the DHCP snooping binding database, so DHCP snooping must be enabled on the VLAN first, or from static entries configured with ip source binding for hosts with fixed addresses. Every other IP packet sourced from the port is dropped, except that ingress DHCP packets are still allowed so hosts can obtain an address. A typical access-port configuration that filters on both IP and MAC, including the DHCP snooping prerequisite:
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface FastEthernet 0/1
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 ip verify source port-security
The port-security form filters on MAC as well as IP, so port security must be enabled on the interface, and the DHCP server has to support option 82 (ip dhcp snooping information option) for clients on such ports to be assigned an address. Verify the result with show ip verify source and show ip dhcp snooping binding.
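The following model of the per-port filter shows what the binding table buys you: a host using its own leased address passes, a host on the same port claiming a neighbour's address is dropped, a MAC mismatch is dropped only in the port-security (IP+MAC) mode, and a DHCP DISCOVER from 0.0.0.0 is let through so a lease can be obtained at all. It is an added example, not Cisco's implementation; the ports, VLAN, addresses and MACs in the binding table are constructed.

```python
# Added example (not Cisco code): a model of the per-port filter that IP Source
# Guard installs, driven by a DHCP snooping binding table. Ports, VLANs,
# addresses and MACs are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str


# Constructed binding table: two entries learned by DHCP snooping and one
# static entry (what 'ip source binding <mac> vlan <id> <ip> interface <port>' adds).
BINDINGS = {
    Binding("192.0.2.10", "00:11:22:33:44:55", 10, "Fa0/1"),
    Binding("192.0.2.20", "00:11:22:33:44:66", 10, "Fa0/2"),
    Binding("192.0.2.250", "aa:bb:cc:dd:ee:ff", 10, "Fa0/3"),   # static
}

# Ports on which 'ip verify source' is configured; other ports are unfiltered.
IPSG_PORTS = {"Fa0/1", "Fa0/2", "Fa0/3"}


@dataclass(frozen=True)
class Packet:
    in_port: str
    vlan: int
    src_mac: str
    src_ip: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


def is_dhcp_client_message(pkt: Packet) -> bool:
    """DHCP client -> server traffic (UDP 68 -> 67), e.g. a DISCOVER from 0.0.0.0."""
    return pkt.proto == "udp" and pkt.sport == 68 and pkt.dport == 67


def ipsg_permit(pkt: Packet, mac_check: bool = False) -> bool:
    """Return True if the port filter lets the packet in.

    mac_check=False models 'ip verify source' (source IP only);
    mac_check=True  models 'ip verify source port-security' (IP and MAC).
    """
    if pkt.in_port not in IPSG_PORTS:
        return True                     # IP Source Guard not enabled on this port
    if is_dhcp_client_message(pkt):
        return True                     # DHCP is always allowed so hosts can get a lease
    for b in BINDINGS:
        if b.port != pkt.in_port or b.vlan != pkt.vlan or b.ip != pkt.src_ip:
            continue
        if mac_check and b.mac.lower() != pkt.src_mac.lower():
            continue
        return True                     # matches a binding for this port
    return False                        # no binding: spoofed or unknown source, drop


if __name__ == "__main__":
    host = Packet("Fa0/1", 10, "00:11:22:33:44:55", "192.0.2.10")
    print(ipsg_permit(host, mac_check=True))          # True
    spoof = Packet("Fa0/1", 10, "00:11:22:33:44:55", "192.0.2.20")
    print(ipsg_permit(spoof))                         # False
    discover = Packet("Fa0/2", 10, "00:11:22:33:44:77", "0.0.0.0", "udp", 68, 67)
    print(ipsg_permit(discover))                      # True
```

Note that the filter is keyed on the ingress port, not just the address: the same 192.0.2.20 that is dropped on Fa0/1 is accepted on Fa0/2, where its binding lives. That is what stops a host from borrowing a neighbour's address even though both sit in the same VLAN.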