# Lab - uRPF

Load **vpnv4.ospf.pe-ce.configured.cfg**

```
#IOS-XE
config replace flash:vpnv4.ospf.pe-ce.configured.cfg

#IOS-XR
configure
load bootflash:vpnv4.ospf.pe-ce.configured.cfg
commit replace
y
```

<figure><img src="/files/T64rIC1VfvztQXuWkoLQ" alt=""><figcaption></figcaption></figure>

VPNv4 and VPNv6 are fully set up, using OSPF and OSPFv3 as the PE-CE protocol.

Configure strict-mode uRPF on R2 and XR1 so that spoofed packets are not permitted. Ensure that you do not break any reachability between R1 and XR2 on any IP addresses.

## Answer <a href="#a9338139-e34d-43cc-94da-41424ba212b5" id="a9338139-e34d-43cc-94da-41424ba212b5"></a>

```
#R2
interface GigabitEthernet2.12
 ip verify unicast source reachable-via rx
 ipv6 verify unicast source reachable-via rx

#XR1
int Gi0/0/0/0.1920
 ipv4 verify unicast source reachable-via rx allow-default
 ipv6 verify unicast source reachable-via rx allow-default
```

## Explanation <a href="#id-74509e73-e5dd-40b6-82eb-e6eee64edc44" id="id-74509e73-e5dd-40b6-82eb-e6eee64edc44"></a>

uRPF can be configured in either strict or loose mode. In this lab we are asked to configure strict mode, in which the route to the packet's source must point out the interface on which the packet was received. Strict mode is configured using **reachable-via rx**, while loose mode is configured using **reachable-via any**. Loose mode only checks that a route to the source IP exists in the RIB, but it does not count the default route or a null route as a match.

A pitfall in this lab is omitting the **allow-default** keyword on XR1. This is needed because XR2 is originating a default route via OSPFv2 and OSPFv3:

<div align="left"><figure><img src="/files/G1NHOk0V0uLNz3u84wPw" alt=""><figcaption></figcaption></figure></div>

R1 can only reach Lo100 on XR2 by using the default route, so we need to allow the default route to pass the RPF check on XR1.

If we omit the **allow-default** keyword, R1 cannot ping XR2’s loopback:

<div align="left"><figure><img src="/files/RcSxrmgSDuSXyhtc4eWQ" alt=""><figcaption></figcaption></figure></div>

XR1 shows RPF drops:

<div align="left"><figure><img src="/files/3n2rVoUt6tZFLvrlzjzc" alt=""><figcaption></figcaption></figure></div>

If we add the **allow-default** keyword, the pings work again.

```
#XR1
int Gi0/0/0/0.1920
 ipv4 verify unicast source reachable-via rx allow-default
 ipv6 verify unicast source reachable-via rx allow-default
```

<div align="left"><figure><img src="/files/xo8Q5UHFvba0iKiqd2rW" alt=""><figcaption></figcaption></figure></div>
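To make the RPF decision above concrete, here is an added Python model of the check (not part of the lab or of any Cisco code) run against a constructed RIB for XR1. The prefixes, the Lo100 address and the interface names other than Gi0/0/0/0.1920 are assumptions; the model shows why strict mode drops return traffic sourced from Lo100 until **allow-default** is added, and how loose mode treats a null route.

```python
import ipaddress

# Constructed RIB for XR1 (assumed values): (prefix, egress interface).
# None as the interface models a route to Null0.
XR1_RIB = [
    ("0.0.0.0/0", "Gi0/0/0/0.1920"),        # default learned from XR2
    ("192.168.12.0/24", "Gi0/0/0/0.1920"),  # PE-CE link toward XR2 (assumed)
    ("10.0.0.0/24", "Gi0/0/0/1"),           # core-facing prefix (assumed)
    ("203.0.113.0/24", None),               # null route (assumed)
]

def lookup(rib, src):
    """Longest-prefix match for src; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_permits(rib, src, ingress, mode="rx", allow_default=False):
    """True if a packet from src arriving on ingress passes the uRPF check.
    mode="rx" is strict (reachable-via rx), mode="any" is loose (reachable-via any)."""
    hit = lookup(rib, src)
    if hit is None:
        return False                    # no route to the source at all
    net, iface = hit
    if iface is None:
        return False                    # a route to Null0 never counts as a match
    if net.prefixlen == 0 and not allow_default:
        return False                    # default route ignored unless allow-default
    if mode == "any":
        return True                     # loose: any usable route is enough
    return iface == ingress             # strict: route must point back out ingress

def lab_results():
    """Return traffic from XR2's Lo100 (assumed 10.255.2.100) entering XR1 on
    Gi0/0/0/0.1920 is only covered by the default route, as in the lab."""
    ingress = "Gi0/0/0/0.1920"
    return {
        "lo100_strict": urpf_permits(XR1_RIB, "10.255.2.100", ingress),
        "lo100_strict_allow_default": urpf_permits(XR1_RIB, "10.255.2.100", ingress, allow_default=True),
        "core_src_strict": urpf_permits(XR1_RIB, "10.0.0.5", ingress, allow_default=True),
        "core_src_loose": urpf_permits(XR1_RIB, "10.0.0.5", ingress, mode="any"),
        "null_src_loose": urpf_permits(XR1_RIB, "203.0.113.7", ingress, mode="any", allow_default=True),
    }

if __name__ == "__main__":
    for name, permitted in lab_results().items():
        print(f"{name}: {'pass' if permitted else 'RPF drop'}")
```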

