Unicast Reverse Path Forwarding (uRPF)

Table 1. Unicast Reverse Path Forwarding product support

For configuration details, see VOSS User Guide.

| Feature | Product | Release introduced |
|---|---|---|
| Unicast Reverse Path Forwarding (URPF) checking (IPv4) | 5520 Series | VOSS 8.2.5 |
| | VSP 4450 Series | VOSS 5.0 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 5.0 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 5.0 |
| | VSP 8400 Series | VOSS 5.0 |
| | VSP 8600 Series | VSP 8600 4.5 |
| | XA1400 Series | Not Supported |
| Unicast Reverse Path Forwarding (URPF) checking (IPv6) | 5520 Series | VOSS 8.2.5 |
| | VSP 4450 Series | VOSS 5.0 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 5.0 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 5.0 |
| | VSP 8400 Series | VOSS 5.0 |
| | VSP 8600 Series | VSP 8600 4.5 |
| | XA1400 Series | Not Supported |

The Unicast Reverse Path Forwarding (uRPF) feature prevents forwarding of incoming unicast IP packets that have incorrect or forged (spoofed) IP addresses. uRPF checks that the traffic received on an interface comes from a valid IP address, thereby preventing address spoofing. On a reverse path check, if the source IP address of the packet received at the interface is not reachable using the forwarding information base (FIB), the system drops the packet, because the packet may have originated from a misconfigured or malicious source.

You can configure uRPF for each IP interface or VLAN. When uRPF is enabled on an interface, the switch checks all routing packets that come through that interface. It ensures that the source address and source interface appear in the routing table, and that the entry matches the interface on which the packet was received.

You can use one of two modes for uRPF: strict mode or loose mode.

uRPF can be enabled independently for IPv4 and IPv6. However, if uRPF is enabled for both IPv4 and IPv6 on a given interface, the urpf-mode must be the same for both, either strict-mode or loose-mode. You cannot configure the IPv4 urpf-mode differently from the IPv6 urpf-mode on the same interface.

Note

When you enable uRPF mode, the MTU values for both IPv4 and IPv6 packets on the same VLAN are matched. Different Layer 3 MTU sizes on the same VLAN are not allowed in uRPF mode.

Note

The uRPF check cannot detect a spoofed source IP address if that source IP address belongs to a known subnet.
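
The reverse path check and the limitation in the last note can be seen in a small simulation. This is an added example, not VOSS code or configuration: the FIB entries, interface names and function names are constructed for illustration, and the strict/loose semantics follow the common uRPF definitions (strict: the best route to the source must point to the receiving interface; loose: any route to the source is enough), which this page does not spell out.

```python
import ipaddress

# Constructed FIB for illustration: (prefix, interface toward that prefix).
FIB = [
    ("10.1.0.0/16", "vlan10"),
    ("10.1.5.0/24", "vlan20"),
    ("192.0.2.0/24", "vlan30"),
    ("2001:db8:1::/48", "vlan10"),
]

def lookup(src):
    """Longest-prefix match on the source; return the route's interface or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in FIB:
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, ifname)
    return best[1] if best else None

def urpf_check(src, in_if, mode):
    """Return 'forward' or 'drop' for a packet from `src` received on `in_if`."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    route_if = lookup(src)
    if route_if is None:
        return "drop"      # source is not reachable using the FIB
    if mode == "strict" and route_if != in_if:
        return "drop"      # reachable, but not through the receiving interface
    return "forward"

if __name__ == "__main__":
    samples = [
        ("198.51.100.7", "vlan10"),   # no route to the source at all
        ("10.1.5.9", "vlan10"),       # routed via vlan20, arrives on vlan10
        ("10.1.200.200", "vlan10"),   # forged, but inside a subnet known on vlan10
        ("2001:db8:1::5", "vlan10"),  # IPv6 source reachable via vlan10
    ]
    for src, in_if in samples:
        for mode in ("strict", "loose"):
            print(f"{src:15} on {in_if} [{mode}]: {urpf_check(src, in_if, mode)}")
```

The third sample is the case from the note: the forged address falls inside 10.1.0.0/16, which is reachable through the receiving interface, so both modes forward it.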