uRPF question

danb83 (Posts: 22, Member)
I have a question around the 'allow-default' option within uRPF.

If a router has a default route and we apply uRPF loose mode to an interface using the command:
ip verify unicast source reachable-via any allow-default

We are verifying that the packet's source IP is in the FIB table, and allowing the default route to be considered as a match for the source IP.

My question is what have we actually achieved here? As every source IP will be matched using the default route and then permitted anyway, why would you use this scenario? I can't see that uRPF would ever deny a packet here.



  • daveyb (Posts: 28, Member)
    allow-default with loose mode would accept any traffic, as long as you have a default in your table. It is not a very useful command.

    allow-default in strict mode only allows traffic from a route not in your FIB if you are learning a default route over that link, and drops traffic that you have a more specific route for out of another interface.

    interface fa 1/1/1
     ip address
     ip verify unicast source reachable-via rx allow-default
    interface fa 2/2/2
     ip address
    ip route
    ip route

    Traffic sourced from almost anything will be accepted on fa 1/1/1 because of the allow-default.
    Traffic sourced from would not be accepted on fa 1/1/1 because there will be a route in the FIB via a different interface.
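
A simplified model of the check discussed in this thread, added here as an example and not part of either post or of any vendor code. It uses a single longest-prefix match per source; the prefixes and source addresses are constructed documentation ranges (the thread's own addresses are not shown), and `lookup` and `urpf_permits` are hypothetical helper names.

```python
import ipaddress

# Constructed FIB: default route learned via fa1/1/1, one more-specific
# route out of fa2/2/2 (mirrors the layout in the reply above).
FIB = [
    ("0.0.0.0/0", "fa1/1/1"),
    ("198.51.100.0/24", "fa2/2/2"),
]

def lookup(fib, src):
    """Longest-prefix match; returns (network, out_interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best

def urpf_permits(fib, src, rx_if, mode, allow_default=False):
    """mode 'any' = loose, 'rx' = strict. True means the packet passes."""
    match = lookup(fib, src)
    if match is None:
        return False                 # no route back to the source at all
    net, out_if = match
    if net.prefixlen == 0 and not allow_default:
        return False                 # only the default matched; it does not count
    if mode == "any":
        return True                  # loose: any FIB entry is enough
    return out_if == rx_if           # strict: route must point back out rx_if

if __name__ == "__main__":
    cases = [("any", True), ("any", False), ("rx", True), ("rx", False)]
    for mode, allow in cases:
        for src in ("203.0.113.9", "198.51.100.7"):
            ok = urpf_permits(FIB, src, "fa1/1/1", mode, allow)
            print(f"mode={mode:3} allow-default={allow!s:5} src={src:13} "
                  f"rx=fa1/1/1 -> {'permit' if ok else 'drop'}")
```

With a default route present, the loose plus allow-default rows permit every source, while strict plus allow-default drops only the source covered by the more-specific route out of fa2/2/2.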