Hi Devon -
With loose mode uRPF ("reachable-via any"), "allow-default" does mean that any packet will pass the uRPF check (unless the default route goes away).

However, with strict mode uRPF ("reachable-via rx") with allow-default, traffic not matching a more specific prefix only passes the RPF check if it arrives on the interface(s) where the default is learned (and of course, only if the default route is present in the routing table).

Hope that helps,
Tim


At 01:35 PM 1/29/2010, Devon True declared:

All:

I am curious what the purpose of uRPF's "allow-default" option is? Based
on Cisco's page explaining the command, I interpret that it allows uRPF
to match on a default route... but doesn't that defeat the purpose of uRPF?

My best guess is that it allows you to set static routes for networks
whose source IPs you want to drop (using the null interface) while
allowing everything else.

e.g.

interface Vlan100
 ip verify unicast source reachable-via any allow-default
!
ip route 192.168.0.0 255.255.255.0 null0
ip route 0.0.0.0 0.0.0.0 x.x.x.x

uRPF would allow Vlan100 to use any source IP address except
192.168.0.0/24. Is that correct?

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/secure.html

Thanks!

--
Devon
_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/




Tim Stevenson, [email protected]
Routing & Switching CCIE #5561
Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.

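The two behaviours Tim describes (loose mode with allow-default passing anything with a route that is not to Null0, strict mode with allow-default passing default-routed sources only on the interface the default points at) are easy to get wrong in the head, so here is a small Python model of the uRPF decision run against Devon's configuration. This is an added illustration for this thread, not Cisco code or the output of any router. The routing table and packets are constructed: the default route is assumed to resolve out Gi0/1 (standing in for the "x.x.x.x" next hop), and 10.1.0.0/16 behind Vlan100 is an assumed customer prefix. The Null0 handling follows Cisco's documented behaviour that a source whose best route points to Null0 fails the check.

```python
"""
Model of Cisco-style uRPF: strict ("reachable-via rx") and loose
("reachable-via any"), with and without "allow-default".
Added example for the cisco-nsp thread above; not Cisco code.
"""
import ipaddress
from dataclasses import dataclass

NULL0 = "Null0"  # black-hole route; a source matching it fails uRPF


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    ifaces: tuple  # egress interface(s); (NULL0,) for "ip route ... null0"


def lookup(rib, src):
    """Longest-prefix match for a source address; None if no route."""
    best = None
    for r in rib:
        if src in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def urpf_check(rib, src_ip, in_iface, mode="loose", allow_default=False):
    """True if the packet passes the uRPF check, False if it is dropped."""
    src = ipaddress.IPv4Address(src_ip)
    route = lookup(rib, src)
    if route is None:
        return False                      # no route at all: drop
    if route.ifaces == (NULL0,):
        return False                      # route to Null0: drop (source-based black hole)
    if route.prefix.prefixlen == 0 and not allow_default:
        return False                      # default route ignored unless allow-default
    if mode == "loose":
        return True                       # any usable route is enough
    if mode == "strict":
        return in_iface in route.ifaces   # must arrive on the interface(s) of the route
    raise ValueError(f"unknown uRPF mode {mode!r}")


# Constructed RIB mirroring Devon's config; Gi0/1 for the default is an assumption.
RIB = [
    Route(ipaddress.IPv4Network("0.0.0.0/0"), ("Gi0/1",)),        # ip route 0.0.0.0 0.0.0.0 x.x.x.x
    Route(ipaddress.IPv4Network("192.168.0.0/24"), (NULL0,)),    # ip route 192.168.0.0 255.255.255.0 null0
    Route(ipaddress.IPv4Network("10.1.0.0/16"), ("Vlan100",)),   # assumed prefix learned via Vlan100
]


def scenarios(rib=RIB):
    """Return {name: pass/drop} for the cases discussed in the thread."""
    return {
        # Devon's exact config: loose + allow-default on Vlan100
        "loose_default_any_source": urpf_check(rib, "203.0.113.9", "Vlan100", "loose", True),
        "loose_default_null0_source": urpf_check(rib, "192.168.0.7", "Vlan100", "loose", True),
        "loose_no_default_any_source": urpf_check(rib, "203.0.113.9", "Vlan100", "loose", False),
        # Tim's strict-mode point: default-routed source only on the default's interface
        "strict_default_wrong_iface": urpf_check(rib, "203.0.113.9", "Vlan100", "strict", True),
        "strict_default_right_iface": urpf_check(rib, "203.0.113.9", "Gi0/1", "strict", True),
        "strict_specific_right_iface": urpf_check(rib, "10.1.2.3", "Vlan100", "strict", True),
    }


if __name__ == "__main__":
    for name, passed in scenarios().items():
        print(f"{name:32s} {'PASS' if passed else 'DROP'}")
    # Withdrawing the default route turns loose + allow-default back into a real filter.
    no_default = [r for r in RIB if r.prefix.prefixlen != 0]
    print("loose_default_no_route_present  ",
          "PASS" if urpf_check(no_default, "203.0.113.9", "Vlan100", "loose", True) else "DROP")
```

Running it shows that Devon's guess holds under loose mode (everything passes except the Null0-routed /24), and that the same allow-default keyword under strict mode still drops a default-routed source arriving on Vlan100, since the default resolves out Gi0/1.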