FD.io VPP  v21.10.1-2-g0a485f517
Vector Packet Processing
src/plugins/urpf

set urpf

Summary/usage

set urpf [ip4|ip6] [rx|tx] [off|strict|loose] <INTERFACE>.

Description

This command configures uRPF on an interface. Two flavours are supported (the default is strict):

  • loose: accept ingress packet if there is a route to reach the source
  • strict: accept ingress packet if it arrived on an interface which the route to the source uses. i.e. an interface that the source is reachable via.
Example usage

Example of graph node before range checking is enabled:

vpp# show vlib graph ip4-rx-urpf-strict

           Name                      Next                    Previous
ip4-rx-urpf-strict         ip4-drop [0]

Example of how to enable unicast source checking on an interface:

vpp# set urpf ip4 rx GigabitEthernet2/0/0 loose

Example of graph node after range checking is enabled:

vpp# show vlib graph ip4-rx-urpf-loose

           Name                      Next                    Previous
ip4-rx-urpf-loose                ip4-drop [0]           ip4-input-no-checksum
                          ip4-source-and-port-range-         ip4-input

Example of how to display the feature enabed on an interface:

vpp# show ip interface features GigabitEthernet2/0/0

IP feature paths configured on GigabitEthernet2/0/0...

ipv4 unicast:
  ip4-rx-urpf-loose
  ip4-lookup

ipv4 multicast:
  ip4-lookup-multicast

ipv4 multicast:
  interface-output

ipv6 unicast:
  ip6-lookup

ipv6 multicast:
  ip6-lookup

ipv6 multicast:
  interface-output

Example of how to disable unicast source checking on an interface:

vpp# set urpf ip4 off GigabitEthernet2/0/0

Declaration and implementation

Declaration: set_interface_ip_source_check_command (src/plugins/urpf/urpf.c line 233)

Implementation: urpf_cli_update.

set urpf-accept

Summary/usage

urpf-accept [table <table-id>] [add|del] <PREFIX>.

Description

Add an exemption for a prefix to pass the Unicast Reverse Path Forwarding (uRPF) loose check. This is for testing purposes only. If the &#39;<em>table</em>&#39; is not enter it is defaulted to 0. Default is to &#39;<em>add</em>&#39;. VPP always performs a loose uRPF check for for-us traffic.

Example usage
Example of how to add a uRPF exception to a FIB table to pass the loose RPF tests:
vpp# set urpf-accept table 7 10.0.0.0/8 add

Declaration and implementation

Declaration: urpf_accept_command (src/plugins/urpf/urpf.c line 310)

Implementation: urpf_cli_accept.