Notes - uRPF

IOS-XR

uRPF on IOS-XR uses the following interface-level command:

{ipv4 | ipv6} verify unicast source reachable-via {any | rx} [allow-default]
[allow-self-ping]

• any means loose RPF, in which a route to the source simply has to exist in the RIB

• rx means strict RPF, in which a route to the source must be via the incoming interface

• allow-default can be used with both loose and strict mode. By default the default route is never considered a match for uRPF.

• allow-self-ping allows the router to ping itself

Note that unlike IOS-XE, we cannot apply an ACL to this to override any uRPF drops.

Use show cef ipv4 interface tenGigE 0/0/0/1 to verify uRPF is enabled and in which mode. Use show cef ipv4 interface tenGigE 0/0/0/1 rpf-statistics to verify drop count.

IOS-XE

IOS-XE also gives us the ability to add an ACL to the uRPF check. Either standard or extended numbered ACLs can be used for IPv4. Named ACLs can be used for IPv6. If uRPF drops the traffic, the ACL is verified next. If the ACL passes the traffic (it matches a permit statement), the traffic is passed. In this case, uRPF still logs a drop.

ip|ipv6 verify unicast source reachable-via {any | rx} [allow-default]
[allow-self-ping] [1-199, 1300-2699] [named IPv6 ACL]

You can use this to log uRPF drops by using a deny any/any ACL with the log option.

If there are multiple ECMP routes to a destination, all are considered valid input interfaces for that source address.