In Ciscoland, you do have to explicitly state that the default route is eligible for URPF verification, otherwise you'll get unexpected traffic drops. ip verify unicast source reachable-via any allow-default And yes, it's main purpose is for implementing source-based remotely-triggered blackhole (SRTBH). On Thu, Sep 30, 2021 at 10:58 AM Hunter Fuller via NANOG <nanog@nanog.org> wrote:
On Thu, Sep 30, 2021 at 12:08 AM Mark Tinka <mark@tinka.africa> wrote:
If you don't plan to run a full BGP table on a device, don't enable uRPF, even loose-mode.
At least in Ciscoland, loose URPF checks will pass if you have a default route. So I do not think it could result in inadvertent blackholing of traffic.
What it does allow is for *deliberate* blackholing for traffic; if you null-route a prefix, you now block incoming traffic from that subnet as well. This can be useful and it is how we are using URPF.
-- Hunter Fuller (they) Router Jockey VBH M-1A +1 256 824 5331
Office of Information Technology The University of Alabama in Huntsville Network Engineering