Lab - uRPF

Load vpnv4.ospf.pe-ce.configured.cfg

#IOS-XE
config replace flash:vpnv4.ospf.pe-ce.configured.cfg

#IOS-XR
configure
load bootflash:vpnv4.ospf.pe-ce.configured.cfg
commit replace
y

VPNv4 and VPNv6 is fully setup using OSPF and OSPFv3 as the PE-CE protocol.

Configure strict-mode uRPF on R2 and XR1 so that spoofed packets are not permitted. Ensure that you do not break any reachability between R1 and XR2 on any IP addresses.

Answer

#R2
interface GigabitEthernet2.12
 ip verify unicast source reachable-via rx
 ipv6 verify unicast source reachable-via rx

#XR1
int Gi0/0/0/0.1920
 ipv4 verify unicast source reachable-via rx allow-default
 ipv6 verify unicast source reachable-via rx allow-default

Explanation

uRPF can be configured in either strict or loose mode. In this lab we are asked to configure strict mode, in which the route to the source must be via the interface on which the packet was received. Strict mode is configured using reachable-via rx, while loose mode is configured using reachable-via any. Loose mode just checks that a route in the RIB exists to the source IP, but it does not consider the default route nor a null route as a match.

A pitfall in this lab is to not include the allow-default keyword on XR1. This is needed because XR2 is originating a default route via OSPFv2 and OSPFv3:

R1 can only reach Lo100 on XR2 by using the default route. So we need to allow the default route to pass the RPF check on XR1.

If we omit the allow-default keyword, R1 cannot ping XR2’s loopback:

XR1 shows RPF drops:

If we add the allow-default keyword, the pings work again.

#XR1
int Gi0/0/0/0.1920
 ipv4 verify unicast source reachable-via rx allow-default
 ipv6 verify unicast source reachable-via rx allow-default

PreviousNotes - VTY lines (IOS-XR)NextLab - MPP

Last updated 10 months ago

hashtagAnswer

hashtagExplanation

Answer

Explanation