On 9/30/21 17:56, Hunter Fuller wrote:
On Thu, Sep 30, 2021 at 12:08 AM Mark Tinka <mark@tinka.africa> wrote:
If you don't plan to run a full BGP table on a device, don't enable uRPF, even loose-mode. At least in Ciscoland, loose URPF checks will pass if you have a default route. So I do not think it could result in inadvertent blackholing of traffic.
What it does allow is for *deliberate* blackholing for traffic; if you null-route a prefix, you now block incoming traffic from that subnet as well. This can be useful and it is how we are using URPF.
Agreed. I should have said "If you don't plan to run a full BGP table on a device without a default a route as well, don't enable uRPF, even loose-mode". Principally, we don't run default on any of our service routers. Technically, we point default to the bin on all our service routers, as that's the fastest way for the router to handle illegal traffic it "could" receive. Mark.