uRPF question

I have a question around the 'allow-default' option within uRPF.

E.g
If router has a default route and we apply uRPF loose mode to an interface using the command:
Ip verify unicast source reachable-via any allow-default

We are verifying that the packets source IP is in the FIB table, and allowing the default route to be considered as a match for the source IP.

My question is what have we actually achieved here? As every source IP will be matched using the default route and then permitted anyway, why would you use this scenario. I can't see that uRPF would ever deny a packet here.

Thanks

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

daveyb

allow-default with loose mode would accept any traffic, as long as you have a default in your table. It is not a very useful command.

allow-default in strict mode only allows traffic from a route not in your FIB if you are learning a default route over that link, and drops traffic that you have a more specific route for out of another interface.

eg

interface fa 1/1/1
 ip address 10.0.0.1 255.255.255.252
 ip verify unicast source reachable-via rx allow-default

interface fa 2/2/2
 ip address 10.0.0.5 255.255.255.252

ip route 0.0.0.0 0.0.0.0 10.0.0.2
ip route 192.168.0.0 255.255.255.0 10.0.0.6

Traffic sourced from almost anything will be accepted on fa 1/1/1 because of the allow-default.
Traffic sourced from 192.168.0.0/24 would not be accepted on fa 1/1/1 because there will be a route in the FIB via a different interface.