Unicast Reverse Path Forwarding (uRPF)

Table 1. Unicast Reverse Path Forwarding product support

| Feature | Product | Release introduced |
| --- | --- | --- |
| Unicast Reverse Path Forwarding (URPF) checking (IPv4) | 5320 Series | Fabric Engine 8.6 (5320-48P-8XE and 5320-48T-8XE only) |
| | 5420 Series | VOSS 8.4 |
| | 5520 Series | VOSS 8.2.5 |
| | 5720 Series | Fabric Engine 8.7 |
| Unicast Reverse Path Forwarding (URPF) checking (IPv6) | 5320 Series | Fabric Engine 8.6 (5320-48P-8XE and 5320-48T-8XE only) |
| | 5420 Series | VOSS 8.4 |
| | 5520 Series | VOSS 8.2.5 |
| | 5720 Series | Fabric Engine 8.7 |

The Unicast Reverse Path Forwarding (uRPF) feature prevents packet forwarding for incoming unicast IP packets that have incorrect or forged (spoofed) IP addresses. The uRPF feature checks that the traffic received on an interface comes from a valid IP address, thereby preventing address spoofing. On a reverse path check, if the source IP address of the received packet at the interface is not reachable using the FIB, the system drops the packet because it may have originated from a misconfigured or malicious source.

You can configure uRPF for each IP interface or VLAN. When uRPF is enabled on an interface, the switch checks all routing packets that come through that interface. It verifies that the source address and source interface appear in the routing table, and that the source interface matches the interface on which the packet was received.

You can use one of two modes for uRPF:

uRPF can be enabled independently for IPv4 and IPv6. However, if uRPF is enabled for both IPv4 and IPv6 on a given interface, the urpf-mode must be the same for both: either strict-mode or loose-mode. You cannot configure the IPv4 urpf-mode differently from the IPv6 urpf-mode.

Note

When you enable uRPF mode, the MTU values for both IPv4 and IPv6 packets on the same VLAN are matched. Different Layer 3 MTU sizes on the same VLAN are not allowed in uRPF mode.

Note

The uRPF check cannot detect a spoofed source IP address if the source IP address belongs to a known subnet.
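
The reverse path check and the known-subnet limitation described above can be modelled in a few lines. This is an added example, not the switch's own implementation: the FIB entries and VLAN names are constructed, and the strict-mode and loose-mode semantics are assumed to follow the common definitions in RFC 3704.

```python
import ipaddress

# Constructed FIB for illustration: prefix -> interface the route points to.
# Prefixes and VLAN names are hypothetical, not taken from any product.
FIB = {
    "10.1.0.0/16": "vlan10",
    "10.1.5.0/24": "vlan15",
    "192.168.20.0/24": "vlan20",
    "2001:db8:10::/48": "vlan10",
}

def fib_lookup(src, fib=FIB):
    """Longest-prefix match on the source address; returns an interface or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None

def urpf_check(src, in_iface, mode, fib=FIB):
    """Return 'forward' or 'drop' for a packet from src received on in_iface."""
    if mode not in ("strict-mode", "loose-mode"):
        raise ValueError("mode must be 'strict-mode' or 'loose-mode'")
    route_iface = fib_lookup(src, fib)
    if route_iface is None:
        return "drop"      # source not reachable using the FIB
    if mode == "strict-mode" and route_iface != in_iface:
        return "drop"      # route exists, but not through the receiving interface
    return "forward"

def main():
    # Constructed packets: (source address, receiving interface)
    packets = [
        ("10.1.5.7", "vlan15"),        # legitimate host on its own VLAN
        ("10.1.5.7", "vlan10"),        # vlan15 address arriving on vlan10
        ("203.0.113.9", "vlan10"),     # no route to the source at all
        ("10.1.0.99", "vlan10"),       # forged, but inside vlan10's known subnet
        ("2001:db8:99::1", "vlan10"),  # IPv6 source with no route
    ]
    for src, iface in packets:
        results = {m: urpf_check(src, iface, m) for m in ("strict-mode", "loose-mode")}
        print(f"{src:>16} on {iface}: {results}")

if __name__ == "__main__":
    main()
```

The fourth packet is forwarded in both modes, which is the limitation in the note above: a host on vlan10 that forges another vlan10 address still passes the check.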