[c-nsp] Purpose of uRPF's "allow-default" Option?
Tim Stevenson
tstevens at cisco.com
Fri Jan 29 17:10:20 EST 2010
Hi Devon -
With loose mode uRPF ("reachable-via any"), "allow-default" does mean
that any packet will pass the uRPF check (unless the default route goes away).
However, with strict mode uRPF ("reachable-via rx") with
allow-default, traffic not matching a more specific prefix only
passes the RPF check if it arrives on the interface(s) where the
default is learned (and of course, only if the default route is
present in the routing table).
Hope that helps,
Tim
At 01:35 PM 1/29/2010, Devon True declared:
>All:
>
>I am curious what the purpose of uRPF's "allow-default" option is? Based
>on Cisco's page explaining the command, I interpret that it allows uRPF
>to match on a default route... but doesn't that defeat the purpose of uRPF?
>
>My best guess is that it allows you to set static routes for networks
>whose source IPs you want to drop (using the null interface) while
>allowing everything else.
>
>e.g.
>
>interface Vlan100
> ip verify unicast source reachable-via any allow-default
>!
>ip route 192.168.0.0 255.255.255.0 null0
>ip route 0.0.0.0 0.0.0.0 x.x.x.x
>
>uRPF would allow Vlan100 to use any source IP address except
>192.168.0.0/24. Is that correct?
>
>http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/secure.html
>
>Thanks!
>
>--
>Devon
>_______________________________________________
>cisco-nsp mailing list cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at
>http://puck.nether.net/pipermail/cisco-nsp/
Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.
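The loose-versus-strict behaviour Tim describes, worked through as a small simulation. This is an added example and not code from the thread or from Cisco: it models a FIB with longest-prefix lookup and applies the uRPF decision for "reachable-via any" (loose) and "reachable-via rx" (strict), with and without allow-default. The routing table mirrors Devon's config; since the post writes the default's next hop as x.x.x.x, the default's egress interface (GigabitEthernet0/1) and the extra 10.0.0.0/8 route via Vlan100 are assumptions made here to give strict mode something to compare against.

```python
import ipaddress
from dataclasses import dataclass

NULL0 = "Null0"  # blackhole pseudo-interface; uRPF drops sources that resolve to it


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interfaces: frozenset  # egress interface(s); more than one models an ECMP default


def route(prefix, *ifaces):
    return Route(ipaddress.ip_network(prefix), frozenset(ifaces))


class Fib:
    """Minimal forwarding table with longest-prefix match (constructed for this example)."""

    def __init__(self, routes):
        self.routes = list(routes)

    def lookup(self, addr):
        addr = ipaddress.ip_address(addr)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def urpf_check(fib, src, ingress, mode="loose", allow_default=False):
    """Return (passed, reason) for a packet with source `src` arriving on `ingress`.

    mode: "loose" = reachable-via any, "strict" = reachable-via rx.
    allow_default: whether a match on 0.0.0.0/0 counts as a valid reverse path.
    """
    best = fib.lookup(src)
    if best is None:
        return False, "no route to source"
    # Without allow-default, a source covered only by the default route fails.
    if best.prefix.prefixlen == 0 and not allow_default:
        return False, "only the default route matches and allow-default is not set"
    # A source whose best route points to Null0 is dropped in either mode;
    # this is what makes Devon's null-route trick work.
    if NULL0 in best.interfaces:
        return False, f"source matches {best.prefix} routed to Null0"
    if mode == "loose":
        return True, f"source reachable via {best.prefix}"
    if mode == "strict":
        # Strict mode additionally requires the packet to arrive on an interface
        # through which the matching prefix (default included) is reachable.
        if ingress in best.interfaces:
            return True, f"{best.prefix} is reachable via ingress {ingress}"
        return False, f"{best.prefix} reachable via {sorted(best.interfaces)}, not {ingress}"
    raise ValueError(f"unknown mode {mode!r}")


# Constructed FIB mirroring the post's example. The default's interface and the
# 10.0.0.0/8 route are assumed; the post only gives the null route and x.x.x.x.
EXAMPLE_FIB = Fib([
    route("0.0.0.0/0", "GigabitEthernet0/1"),
    route("192.168.0.0/24", NULL0),
    route("10.0.0.0/8", "Vlan100"),
])

# Constructed test packets: (source, ingress interface)
PACKETS = [
    ("203.0.113.5", "Vlan100"),           # covered only by the default
    ("203.0.113.5", "GigabitEthernet0/1"),
    ("192.168.0.7", "Vlan100"),           # null-routed source
    ("10.1.2.3", "Vlan100"),              # specific prefix via the ingress interface
    ("10.1.2.3", "GigabitEthernet0/1"),   # specific prefix via another interface
]


def run_matrix(fib=EXAMPLE_FIB, packets=PACKETS):
    """Evaluate every packet under all four mode/allow-default combinations."""
    results = {}
    for mode in ("loose", "strict"):
        for allow_default in (False, True):
            for src, ingress in packets:
                ok, _ = urpf_check(fib, src, ingress, mode, allow_default)
                results[(mode, allow_default, src, ingress)] = ok
    return results


if __name__ == "__main__":
    for (mode, allow_default, src, ingress), ok in run_matrix().items():
        flag = "allow-default" if allow_default else "no allow-default"
        print(f"{mode:6} {flag:17} {src:13} on {ingress:19} -> {'PASS' if ok else 'DROP'}")
```

Running it shows Devon's reading holding for loose mode (everything passes except the null-routed /24), and Tim's caveat for strict mode: the 203.0.113.5 source only passes when it arrives on the interface the default is reachable through, not on Vlan100.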