CLI Guide

Layer 3 Routing Commands
Unicast RPF strict mode may be used on interfaces where all packets received
are guaranteed to originate from the subnet assigned
to the interface. For example, a subnet composed only of end stations fulfills
this requirement. Likewise, an access layer network or a branch office where
there is only one path into and out of the network meets the requirement.
In general, uRPF should be deployed on the downstream interfaces,
preferably at the edge of the network. The further downstream uRPF is
deployed, the more granularity the operator will have in identifying spoofed
addresses.
Command History
Command introduced in version 6.6 firmware.
Example
console#configure
console(config)#system urpf enable
Warning! Enabling the system uRPF mode toggles the global routing mode in all
VRFs, disrupting the L3 forwarding plane and control plane for few seconds.
Enabling this mode also reduces the Route Table capacity.
ip verify unicast source
Use the ip verify unicast source command to enable loose uRPF checks on an
interface. Use the no form of the command to disable uRPF checks on the
interface.
Syntax
ip verify unicast source reachable-via {any | rx} [allow-default]
no ip verify unicast source reachable-via
any—The uRPF verification mode is set to loose. In any mode, a check is
performed to see whether the source address is reachable in the routing table;
when it is found, the packet is forwarded.
rx—The uRPF verification mode is set to strict. In rx mode, a check is
performed to see whether the source address is reachable in the routing table
via the same interface on which the packet was received; when both of
these conditions are met, the packet is forwarded.
allow-default—Include IP addresses not specifically contained in the
routing table.
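
The following model of the any/rx decision is an added example, not code from this guide or from the switch firmware. The routing table and interface names are constructed, and allow-default is modeled on the assumption that it lets the default route (0.0.0.0/0) satisfy the check.

```python
import ipaddress

# Constructed routing table: (prefix, interface). Interface names are hypothetical.
ROUTES = [
    ("10.1.1.0/24", "vl10"),    # end-station subnet on the access interface
    ("10.2.0.0/16", "uplink"),  # prefix reached through the upstream interface
    ("0.0.0.0/0", "uplink"),    # default route
]

def lookup(src, routes):
    """Longest-prefix match on the source address; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best

def urpf_permits(src, rx_if, mode, allow_default=False, routes=ROUTES):
    """Return True if a packet from src received on rx_if passes the check.

    mode is 'any' (loose) or 'rx' (strict), as in reachable-via {any | rx}.
    """
    if mode not in ("any", "rx"):
        raise ValueError("mode must be 'any' or 'rx'")
    match = lookup(src, routes)
    if match is None:
        return False                  # source not reachable at all
    net, ifname = match
    if net.prefixlen == 0 and not allow_default:
        return False                  # only the default route covers this source
    if mode == "rx":
        return ifname == rx_if        # strict: route must point back out rx_if
    return True                       # loose: any matching route is enough

if __name__ == "__main__":
    for src, rx_if, mode in [("10.1.1.5", "vl10", "rx"),
                             ("10.2.3.4", "vl10", "rx"),
                             ("10.2.3.4", "vl10", "any")]:
        verdict = "forward" if urpf_permits(src, rx_if, mode) else "drop"
        print(f"{src} on {rx_if} ({mode}): {verdict}")
```

The second and third sample packets show why strict mode suits single-path edge interfaces: a source that is routable elsewhere passes the loose check but fails the strict one.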