uRPF question

danb83
I have a question around the 'allow-default' option within uRPF.

E.g.
If a router has a default route and we apply uRPF loose mode to an interface using the command:
ip verify unicast source reachable-via any allow-default


We are verifying that the packet's source IP is in the FIB table, and allowing the default route to be considered as a match for the source IP.


My question is what have we actually achieved here? As every source IP will be matched using the default route and then permitted anyway, why would you use this scenario? I can't see that uRPF would ever deny a packet here.


Thanks

Comments

  • daveyb
    allow-default with loose mode would accept any traffic, as long as you have a default in your table. It is not a very useful command.

    allow-default in strict mode only allows traffic from a route not in your FIB if you are learning a default route over that link, and drops traffic that you have a more specific route for out of another interface.

    e.g.
    interface fa 1/1/1
     ip address 10.0.0.1 255.255.255.252
     ip verify unicast source reachable-via rx allow-default

    interface fa 2/2/2
     ip address 10.0.0.5 255.255.255.252

    ip route 0.0.0.0 0.0.0.0 10.0.0.2
    ip route 192.168.0.0 255.255.255.0 10.0.0.6


    Traffic sourced from almost anything will be accepted on fa 1/1/1 because of the allow-default.
    Traffic sourced from 192.168.0.0/24 would not be accepted on fa 1/1/1 because there will be a route in the FIB via a different interface.
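A small model of the decision daveyb describes, added here as an example and not code from the thread: it encodes the FIB that the config above would produce (the interface names, the connected routes and the longest-prefix-match simplification are assumptions) and evaluates loose (`any`) and strict (`rx`) checks with and without allow-default.

```python
from ipaddress import ip_address, ip_network

# Constructed FIB derived from the example config: (prefix, egress interface).
# The default route resolves out fa 1/1/1 (next hop 10.0.0.2), the /24 out fa 2/2/2.
FIB = [
    (ip_network("0.0.0.0/0"), "fa1/1/1"),       # ip route 0.0.0.0 0.0.0.0 10.0.0.2
    (ip_network("10.0.0.0/30"), "fa1/1/1"),     # connected
    (ip_network("10.0.0.4/30"), "fa2/2/2"),     # connected
    (ip_network("192.168.0.0/24"), "fa2/2/2"),  # ip route 192.168.0.0 ... 10.0.0.6
]


def lookup(src):
    """Longest-prefix match of a source address; returns (prefix, iface) or None."""
    best = None
    for prefix, iface in FIB:
        if src in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_permits(src_str, ingress, mode, allow_default=False):
    """Return True if uRPF would accept a packet from src_str arriving on ingress.

    mode "any" = loose (reachable-via any), "rx" = strict (reachable-via rx).
    Without allow-default, a hit on the 0.0.0.0/0 entry does not count as a match.
    """
    match = lookup(ip_address(src_str))
    if match is None:
        return False  # no route to the source at all: dropped in either mode
    prefix, iface = match
    if prefix.prefixlen == 0 and not allow_default:
        return False  # only the default route covers the source
    if mode == "any":
        return True  # loose mode: any route (default included, if allowed) is enough
    if mode == "rx":
        return iface == ingress  # strict mode: best route must point back out the ingress
    raise ValueError(f"unknown uRPF mode: {mode}")


if __name__ == "__main__":
    for src, ifc, mode, ad in [("8.8.8.8", "fa1/1/1", "rx", True),
                               ("192.168.0.7", "fa1/1/1", "rx", True),
                               ("8.8.8.8", "fa2/2/2", "any", True),
                               ("8.8.8.8", "fa2/2/2", "any", False)]:
        print(src, ifc, mode, "allow-default" if ad else "", "->", urpf_permits(src, ifc, mode, ad))
```

The strict-mode results match the answer: an arbitrary source is accepted on fa 1/1/1 via the default, but 192.168.0.0/24 is refused there because its best route leaves via fa 2/2/2.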