uRPF question
I have a question around the 'allow-default' option within uRPF.
E.g.
If a router has a default route and we apply uRPF loose mode to an interface using the command:
ip verify unicast source reachable-via any allow-default
We are verifying that the packet's source IP is in the FIB table, and allowing the default route to be considered as a match for the source IP.
My question is what have we actually achieved here? As every source IP will be matched using the default route and then permitted anyway, why would you use this scenario? I can't see that uRPF would ever deny a packet here.
Thanks
Comments
daveyb: allow-default with loose mode would accept any traffic, as long as you have a default in your table. It is not a very useful command.
allow-default in strict mode only allows traffic from a route not in your FIB if you are learning a default route over that link, and drops traffic that you have a more specific route for out of another interface.
e.g.
interface fa 1/1/1
 ip address 10.0.0.1 255.255.255.252
 ip verify unicast source reachable-via rx allow-default
interface fa 2/2/2
 ip address 10.0.0.5 255.255.255.252
ip route 0.0.0.0 0.0.0.0 10.0.0.2
ip route 192.168.0.0 255.255.255.0 10.0.0.6
Traffic sourced from almost anything will be accepted on fa 1/1/1 because of the allow-default.
Traffic sourced from 192.168.0.0/24 would not be accepted on fa 1/1/1 because there will be a route in the FIB via a different interface.
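A small Python model of the FIB lookup behind the reasoning in the question and in daveyb's reply, added here as an illustration (it is not Cisco's implementation and not code from the thread). The FIB, the interface names and the mapping of each next hop to its egress interface are assumptions built from the config in the reply.

```python
from ipaddress import ip_address, ip_network

# Constructed FIB mirroring the config above (prefix -> egress interface).
# Assumption: next hop 10.0.0.2 resolves out fa 1/1/1 and next hop 10.0.0.6
# resolves out fa 2/2/2, via the two connected /30s.
FIB = [
    (ip_network("10.0.0.0/30"), "fa1/1/1"),     # connected to fa 1/1/1
    (ip_network("10.0.0.4/30"), "fa2/2/2"),     # connected to fa 2/2/2
    (ip_network("0.0.0.0/0"), "fa1/1/1"),       # ip route 0.0.0.0 0.0.0.0 10.0.0.2
    (ip_network("192.168.0.0/24"), "fa2/2/2"),  # ip route 192.168.0.0 255.255.255.0 10.0.0.6
]


def lookup(fib, addr):
    """Longest-prefix match of addr against the FIB; returns (prefix, iface) or None."""
    addr = ip_address(addr)
    best = None
    for prefix, iface in fib:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_permits(fib, src, ingress, mode="rx", allow_default=False):
    """Simplified 'ip verify unicast source reachable-via {rx|any} [allow-default]'.

    mode="rx"  (strict): the best route to src must point back out `ingress`.
    mode="any" (loose):  any route to src in the FIB is enough.
    Without allow-default, a source that only matches 0.0.0.0/0 is dropped.
    """
    match = lookup(fib, src)
    if match is None:
        return False                  # unroutable source: dropped in either mode
    prefix, egress = match
    if prefix.prefixlen == 0 and not allow_default:
        return False                  # only the default matched and it is not allowed
    if mode == "any":
        return True                   # loose mode: the existence of a route is enough
    return egress == ingress          # strict mode: must be the reverse path


if __name__ == "__main__":
    # 203.0.113.5 is a constructed "anywhere on the internet" source.
    for src in ("203.0.113.5", "192.168.0.10"):
        print(src, "loose+allow-default on fa1/1/1:",
              urpf_permits(FIB, src, "fa1/1/1", mode="any", allow_default=True))
        print(src, "strict+allow-default on fa1/1/1:",
              urpf_permits(FIB, src, "fa1/1/1", mode="rx", allow_default=True))
```

The model covers only the longest-match and reverse-interface checks; it does not reproduce other IOS details such as ACL exemptions.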