NET0950 - uRPF strict mode or ACL not enabled on egress interface - 'access-list URPF_ACL deny ip any any log'

Information

The network device must not accept any outbound IP packets that contain an illegitimate address in the source address field by enabling Unicast Reverse Path Forwarding (uRPF) Strict mode or via egress ACL.

Unicast Reverse Path Forwarding (uRPF) provides an IP address spoof protection capability. When uRPF is enabled in strict mode, a packet is accepted only if it is received on the interface that the router would use to forward the return packet to that packet's source address; packets whose source address fails this check are dropped.

NOTE: Change 'URPF_ACL' to the access control list number for your organization's uRPF configuration.

Solution

Configure the network device so that it does not accept any outbound IP packet that contains an illegitimate address in the source address field, either by enabling uRPF Strict mode on the interface or by applying an egress ACL that permits only the organization's legitimate source prefixes.
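The following is an added example, not part of the STIG or the Tenable plugin, showing what the two remediation options look like in a Cisco IOS configuration and how an audit script can check each routed interface for one of them. The running-config is constructed for illustration; the interface names, addresses and the assumption that Loopback and unnumbered interfaces are exempt (no traffic egresses through them) are the example's own, while the `ip verify unicast source reachable-via rx` and `ip access-group <acl> out` commands are standard IOS syntax. The ACL name `URPF_ACL` and the `deny ip any any log` entry come from the check text above.

```python
"""Audit a Cisco IOS running-config for the NET0950 requirement:
every routed interface must either run uRPF strict mode or carry an
egress ACL that ends in 'deny ip any any log'. Added example; the
config below is constructed, not captured from a real device."""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
hostname EDGE-RTR
!
ip access-list extended URPF_ACL
 permit ip 192.0.2.0 0.0.0.255 any
 deny ip any any log
!
interface GigabitEthernet0/0
 description Internal LAN - uRPF strict mode
 ip address 192.0.2.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
interface GigabitEthernet0/1
 description Uplink to ISP - egress ACL option
 ip address 203.0.113.2 255.255.255.252
 ip access-group URPF_ACL out
!
interface GigabitEthernet0/2
 description Second uplink - no protection (finding expected)
 ip address 198.51.100.2 255.255.255.252
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
"""

STRICT_RE = re.compile(r"^ip verify unicast source reachable-via rx\b")
ACL_OUT_RE = re.compile(r"^ip access-group (\S+) out$")
ACL_HEADER_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)$")
LEGACY_ACL_RE = re.compile(r"^access-list (\S+) (.+)$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [stripped sub-commands]} for each stanza."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the stanza
    return interfaces


def parse_acls(config: str) -> Dict[str, List[str]]:
    """Return {ACL name: [entries]} for named and legacy 'access-list' ACLs."""
    acls: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        header = ACL_HEADER_RE.match(line)
        legacy = LEGACY_ACL_RE.match(line)
        if header:
            current = header.group(1)
            acls.setdefault(current, [])
        elif legacy:  # one-line form, e.g. 'access-list URPF_ACL deny ip any any log'
            acls.setdefault(legacy.group(1), []).append(legacy.group(2))
            current = None
        elif current is not None and line.startswith(" "):
            acls[current].append(line.strip())
        else:
            current = None
    return acls


def audit_config(config: str) -> Dict[str, str]:
    """Map each routed interface to 'pass: ...' or 'fail: ...' for NET0950."""
    acls = parse_acls(config)
    results: Dict[str, str] = {}
    for name, lines in parse_interfaces(config).items():
        # Assumption: loopbacks and unnumbered interfaces have no egress traffic.
        if name.startswith("Loopback") or not any(l.startswith("ip address ") for l in lines):
            continue
        if any(STRICT_RE.match(l) for l in lines):
            results[name] = "pass: uRPF strict"
            continue
        outbound = [m.group(1) for l in lines if (m := ACL_OUT_RE.match(l))]
        if not outbound:
            results[name] = "fail: no uRPF strict mode and no egress ACL"
            continue
        acl = outbound[0]
        entries = acls.get(acl)
        if entries is None:
            results[name] = f"fail: egress ACL {acl} is not defined"
        elif not entries or entries[-1] != "deny ip any any log":
            results[name] = f"fail: egress ACL {acl} does not end with 'deny ip any any log'"
        else:
            results[name] = f"pass: egress ACL {acl}"
    return results


if __name__ == "__main__":
    for iface, status in audit_config(SAMPLE_CONFIG).items():
        print(f"{iface:<22} {status}")
```

Run against the constructed config, the script passes GigabitEthernet0/0 (strict uRPF) and GigabitEthernet0/1 (egress ACL `URPF_ACL`) and reports GigabitEthernet0/2 as a finding; feed it `show running-config` output from a device to reproduce the check locally.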

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R32_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7, CAT|I, Rule-ID|SV-3164r2_rule, STIG-ID|NET0950, Vuln-ID|V-3164

Plugin: Cisco

Control ID: 6ee6af73edae6ee0b8db256992bd2cd7fe914ce71f9de976e7a4452a920b8df5