General Notes
- Stands for Unicast Reverse Path Forwarding
- Used to eliminate spoofed packets on a network by validating the return network path of ingress traffic
- Requires CEF to be enabled on the device
uRPF Modes
- Strict mode
  - If the return path to the source IP of the traffic does not match the ingress interface, the traffic will be discarded
  - Configured with the rx flag on the ip verify unicast source command
- Loose mode
  - If a return path to the source IP of the traffic does not exist in the routing table, the traffic will be discarded
  - Configured with the any flag on the ip verify unicast source command
- Allow-default
  - Used to allow a default route to be used as a return path; by default this is not allowed with uRPF
  - Configured with the allow-default flag on the ip verify unicast source command
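
Added example (not part of the original notes): a simplified Python model of the per-packet decision that the strict, loose and allow-default options above describe. The FIB entries, interface names and the function names lookup and urpf_permit are constructed for illustration, and each prefix is assumed to have a single next-hop interface (no equal-cost paths).

```python
import ipaddress

# Constructed FIB for illustration: (prefix, interface the route points out of).
FIB = [
    ("0.0.0.0/0", "Gi0/1"),      # default route toward upstream
    ("10.1.0.0/16", "Gi0/0"),    # customer network
    ("192.0.2.0/24", "Gi0/2"),   # second attached network
]

def lookup(fib, src):
    """Longest-prefix match on the source IP; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best

def urpf_permit(fib, src, ingress_if, mode="rx", allow_default=False):
    """Return True if the packet passes the uRPF check, False if it is discarded.

    mode="rx"  -> strict: the return path must point out the ingress interface
    mode="any" -> loose: any return path in the table is sufficient
    """
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' or 'any'")
    match = lookup(fib, src)
    if match is None:
        return False                     # no return path at all
    net, ifname = match
    if net.prefixlen == 0 and not allow_default:
        return False                     # only the default route matched
    if mode == "rx":
        return ifname == ingress_if      # strict: interface must match
    return True                          # loose: existence is enough

if __name__ == "__main__":
    # Source 10.1.5.5 arriving on the wrong interface: strict drops, loose permits.
    for mode in ("rx", "any"):
        print(mode, urpf_permit(FIB, "10.1.5.5", "Gi0/2", mode=mode))
```

In this model, loose mode combined with allow_default permits any source as long as a default route exists, which is why that combination filters very little.
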
Useful debugs
show cef interface <interface-name> - Shows whether CEF and uRPF are enabled
Standard uRPF Config
int gi0/0
 ip verify unicast source reachable-via [rx | any] [allow-default]