3.1.4.1 If VLAN interfaces have IP addreses, configure anti spoofing / ingress filtering protections

Information

If VLAN interfaces have IP addresses, it is important that anti-spoofing protections are in place, to prevent an attacker from spoofing an address that is illegal on that inbound interface.

Rationale:

If an attacker is allowed to 'spoof' addresses to the point that packets are permitted to arrive on the incorrect interface, it becomes possible for an attacker to spoof their trust level from a network point of view, for instance to source 'inside' addresses from an 'outside' interface.

Impact:

The URPF feature uses the same tables as the routing protocol, so the CPU impact of configuring this feature is low. However, logging of high volume URPF attacks (or URPF misconfigurations) can result in:

higher CPU impacts on the switch

as higher network utilization on the path to the logging server

higher disk utilization on the logging server

higher cpu utilization on the logging server

Because of this, URPF events, especially in higher volumes should be configured to generate a high priority alert in your logging server or SIEM.

Solution

Apply the command 'ip verify unicast source reachable-via rx' to all VLAN interfaces that have IP addresses. This forces the check to verify that the packet is arriving on the correct interface.
The command variant 'ip verify unicast source reachable-via any' is not recommended, as it only filters for valid IP addresses. If the device has a default route, then this command variant has no affect.

switch(config)# interface Vlan X
switch(config-if)# ip verify unicast source reachable-via rx

Default Value:

By default, unicast reverse forwarding protections are not enabled

See Also

https://workbench.cisecurity.org/benchmarks/6524

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CA-9, 800-53|SC-7, 800-53|SI-4, 800-53|SI-4(4), CSCv7|6.8, CSCv7|11.2

Plugin: Cisco

Control ID: 2a36da0298557019fd3c2eb82f7fe5ebd0d188210298a76b81411396f9fde913