In Ciscoland, you do have to explicitly state that the default route is eligible for URPF verification, otherwise you'll get unexpected traffic drops.

    ip verify unicast source reachable-via any allow-default

And yes, its main purpose is for implementing source-based remotely-triggered blackhole (SRTBH).

On Thu, Sep 30, 2021 at 10:58 AM Hunter Fuller via NANOG <nanog@nanog.org> wrote:

> On Thu, Sep 30, 2021 at 12:08 AM Mark Tinka <mark@tinka.africa> wrote:
> > If you don't plan to run a full BGP table on a device, don't enable
> > uRPF, even loose-mode.
>
> At least in Ciscoland, loose URPF checks will pass if you have a
> default route. So I do not think it could result in inadvertent
> blackholing of traffic.
>
> What it does allow is for *deliberate* blackholing for traffic; if you
> null-route a prefix, you now block incoming traffic from that subnet
> as well. This can be useful and it is how we are using URPF.
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH M-1A
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
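
An added example, not part of either poster's message and not vendor code: a simplified Python model of the loose-mode source check as this thread describes it, showing the effect of allow-default and of a null route. The FIB entries, next-hop labels and function names are constructed for illustration, and the addresses come from documentation ranges.

```python
import ipaddress

# Constructed sample FIB: (prefix, next hop). "Null0" marks a discard route.
SAMPLE_FIB = [
    ("0.0.0.0/0", "upstream"),         # default route
    ("198.51.100.0/24", "customer"),   # ordinary specific route
    ("192.0.2.0/24", "Null0"),         # null-routed prefix (SRTBH trigger)
]


def longest_match(fib, address):
    """Return the (network, next_hop) entry with the longest matching prefix, or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, next_hop in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def loose_urpf_permits(fib, source, allow_default=False):
    """Model of the loose-mode check: is the source reachable via any interface?"""
    match = longest_match(fib, source)
    if match is None:
        return False                  # no covering route at all
    net, next_hop = match
    if next_hop == "Null0":
        return False                  # null route: the deliberate blackhole
    if net.prefixlen == 0 and not allow_default:
        return False                  # only the default route covers the source
    return True


def verdicts(fib, sources, allow_default):
    """Map each source address to permit (True) or drop (False)."""
    return {s: loose_urpf_permits(fib, s, allow_default) for s in sources}


if __name__ == "__main__":
    # Constructed sources: specific route, null-routed, default-only.
    sources = ["198.51.100.7", "192.0.2.55", "203.0.113.50"]
    for flag in (False, True):
        print("allow-default =", flag, verdicts(SAMPLE_FIB, sources, flag))
```

In this model a source covered only by the default route is dropped unless allow_default is set, while a source inside the null-routed prefix is dropped in both cases.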