Urpf cli reference
set urpf
set urpf [ip4|ip6] [rx|tx] [off|strict|loose] <INTERFACE> [table <table>]
This command configures uRPF on an interface. Two flavours are supported (the default is strict):
loose: accept ingress packet if there is a route to reach the source
- strict: accept ingress packet if it arrived on an interface which
the route to the source uses. i.e. an interface that the source is reachable via.
Example of graph node before range checking is enabled:
show vlib graph ip4-rx-urpf-strict
Name Next Previous
ip4-rx-urpf-strict ip4-drop [0]
Example of how to enable unicast source checking on an interface:
set urpf ip4 rx GigabitEthernet2/0/0 loose
Example of graph node after range checking is enabled:
show vlib graph ip4-rx-urpf-loose
Name Next Previous
ip4-rx-urpf-loose ip4-drop [0] ip4-input-no-checksum
ip4-source-and-port-range- ip4-input
Example of how to display the feature enabled on an interface:
show ip interface features GigabitEthernet2/0/0
IP feature paths configured on GigabitEthernet2/0/0...
ipv4 unicast:
ip4-rx-urpf-loose
ip4-lookup
ipv4 multicast:
ip4-lookup-multicast
ipv4 multicast:
interface-output
ipv6 unicast:
ip6-lookup
ipv6 multicast:
ip6-lookup
ipv6 multicast:
interface-output
Example of how to disable unicast source checking on an interface:
set urpf ip4 off GigabitEthernet2/0/0
Declaration: set_interface_ip_source_check_command src/plugins/urpf/urpf.c line 331
Implementation: urpf_cli_update
set urpf-accept
urpf-accept [table <table-id>] [add|del] <PREFIX>
Add an exemption for a prefix to pass the Unicast Reverse Path
Forwarding (uRPF) loose check. This is for testing purposes only.
If the table is not enter it is defaulted to 0. Default
is to add. VPP always performs a loose uRPF check for
for-us traffic.
Example of how to add a uRPF exception to a FIB table to pass the loose RPF tests:
set urpf-accept table 7 10.0.0.0/8 add
Declaration: urpf_accept_command src/plugins/urpf/urpf.c line 407
Implementation: urpf_cli_accept