Rule ID
SV-283839r1203766_rule
Version
V1R1
CCIs
The uRPF feature is a defense against spoofing and denial-of-service attacks by verifying if the source address of any ingress packet is reachable. To mitigate attacks that rely on forged source addresses, all PE routers must enable uRPF loose mode to guarantee that all packets received from a CE router contain source addresses that are in the route table.
Review the router configuration to determine if uRPF loose mode is enabled on all CE-facing interfaces, as shown in the example below. Verify "uRPF Chk" is set to "enabled" and "uRPF Chk Mode" is set to "loose": - show router interface "TO-CE" detail | match "uRPF Chk" uRPF Chk : enabled uRPF Chk Mode : loose If "uRPF Chk" is not enabled and "uRPF Chk Mode" is not set to "loose" on all CE-facing interfaces, this is a finding.
Enable uRPF "loose" mode on all CE-facing interfaces, as shown in the example below: - configure router interface "TO-CE" urpf-check mode loose