Implementing URPF

This section describes the implementation of URPF.

Understanding uRPF

Table 1. Feature History Table

Feature Name

Release Information

Description

URPF source validation using VRF table

Release 26.2.1

Introduced in this release on: Fixed Systems (8200 [ASIC: Q200]) Modular Systems (8000 [ASIC: Q200])(select variants only*)

This feature provides secure traffic validation by supporting high prefix scales and high-speed updates that exceed the capabilities of standard Access Control Lists. It implements a new loose mode Unicast Reverse Path Forwarding (URPF) by using a dedicated URPF Virtual Routing and Forwarding (VRF) table for source lookups.

This process enables efficient source validation within existing platform routing limits.

This feature introduces these changes:

CLI:

  • The urpf-lookup-ipv4 and urpf-lookup-ipv6 keywords are introduced in the vrf vrf-name command (for example, vrf RED urpf-lookup-ipv4 and vrf RED urpf-lookup-ipv6).

*This feature is supported on:

  • Cisco 8202-32FH-M

  • 88-LC0-36FH

  • 88-LC0-36FH-M

uRPF in Loose Mode

Release 25.4.1

Introduced in this release on: Fixed Systems (8700 [ASIC: K100], 8010 [ASIC: A100])(select variants only*)

*This feature is supported on:

  • 8711-48Z-M

  • 8011-32Y8L2H2FH

  • 8011-12G12X4Y-A/D

uRPF in Loose Mode

Release 25.1.1

Introduced in this release on: Fixed Systems (8700 [ASIC: K100], 8010 [ASIC: A100])(select variants only*)

*This feature is supported on:

  • 8712-MOD-M

  • 8011-4G24Y4H-I

uRPF in Loose Mode

Release 24.4.1

Introduced in this release on: Fixed Systems (8200 [ASIC: P100], 8700 [ASIC: P100])(select variants only*); Modular Systems (8800 [LC ASIC: P100])(select variants only*)

*This feature is supported on:

  • 8212-48FH-M

  • 8711-32FH-M

  • 88-LC1-36EH

  • 88-LC1-12TH24FH-E

  • 88-LC1-52Y8H-EM

uRPF in Loose Mode

Release 7.3.15

When the source IP address of an incoming packet has no matching entry in the Forwarding Information Base (FIB), the router treats the packet as invalid and drops it. Use the allow-default keyword of the ipv4/ipv6 verify unicast source reachable-via command, and configure a default route for the interface, so that the router does not drop a packet whose source IP address is covered only by the default route.

The command ipv4/ipv6 verify unicast source reachable-via is introduced.

Attackers launching a Denial of Service (DoS) attack routinely forge the source IP addresses of their packets (IP address spoofing) and keep changing them to avoid detection by the service provider. A distributed DoS attack floods a device with traffic from thousands of malware-infected hosts, each using many forged source addresses, so the attack cannot be identified or stopped by filtering on individual sources.

uRPF is a mechanism for validating the source IP address of packets received on a router. A router configured with uRPF performs a reverse path lookup in the FIB to check that a route exists for the source address. If the FIB has a route covering the source IP address, the source is considered reachable and valid. If the FIB has no route for the source IP address, the router treats the packet as malicious and drops it.

The router supports uRPF in two modes:

  • uRPF in Loose Mode: The router checks whether the FIB has a route covering the source IP address and accepts the packet regardless of which interface that route points to. Loose mode therefore stops packets whose spoofed source is not routable at all (unallocated or bogon address space), but not packets that spoof a source the router can reach.

  • uRPF in Strict Mode: The router checks whether the interface on which the packet arrived is the interface it would use to reach the packet's source address. If it is, the packet is considered legitimate and is processed; if not, the router drops it. The router supports uRPF in Strict Mode since IOS XR Release 7.9.1.

Configuring uRPF in Loose Mode

When you configure uRPF in loose mode, the router checks whether it has a matching entry for the source IP address in the FIB and does not drop legitimate traffic that reaches the router through an interface other than the one the FIB lists for that source. Loose mode is useful in multihomed service-provider edge networks, where forward and return paths are often asymmetric.

Configuration

Use the following configuration to configure uRPF in loose mode on the router.


Note


  • You can configure uRPF in loose mode on router interfaces, subinterfaces, bundle interfaces, and bundle subinterfaces.

  • Configure both IPv4 and IPv6 commands (as described in this section) for uRPF to work.


Router(config)# interface HundredGigE 0/2/0/2
Router(config-if)# ipv4 verify unicast source reachable-via any
Router(config-if)# ipv6 verify unicast source reachable-via any
Router(config-if)# commit

In the following figure, the FIB of router R1 lists HundredGigE0/2/0/3 as the egress interface for the network 203.0.113.0/24, and the ingress interface is HundredGigE0/2/0/2. R1 receives packets with source IP address 203.0.113.1 on both interfaces, HundredGigE0/2/0/2 and HundredGigE0/2/0/3. With uRPF in loose mode configured on the ingress interface, the router only checks that the source address has a matching entry in the FIB. It does not drop the packet even though the ingress interface is not listed in the FIB as the outgoing interface for that prefix.

Figure 1. uRPF in Loose Mode

Verification

To see the number of packets dropped by the uRPF check, use the show cef drops command and look at the RPF drops counter for each node:

Router(config-if)# show cef drops
Node: 0/0/CPU0
  Unresolved drops     packets :               0
  Unsupported drops    packets :               0
  Null0 drops          packets :               0
  No route drops       packets :               2
  No Adjacency drops   packets :               0
  Checksum error drops packets :               0
  RPF drops            packets :               1911
  RPF suppressed drops packets :               0
  RP destined drops    packets :               0
  Discard drops        packets :               0
  GRE lookup drops     packets :               0
  GRE processing drops packets :               0
  LISP punt drops      packets :               0
  LISP encap err drops packets :               0
  LISP decap err drops packets :               0
Node: 0/RP0/CPU0
  Unresolved drops     packets :               0
  Unsupported drops    packets :               0
  Null0 drops          packets :               0
  No route drops       packets :               2
  No Adjacency drops   packets :               0
  Checksum error drops packets :               0
  RPF drops            packets :               1503

You have successfully configured uRPF in loose mode on the router.
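The RPF drops counter above is cumulative, so a monitoring job should compare two snapshots rather than alert on the raw value. The following Python is an added example (not part of the IOS XR documentation) that parses show cef drops output into per-node counters and reports how much the RPF drops counter grew between two collections. The two snapshots are constructed to look like the output on this page, and the alert threshold is an assumption you would tune to the normal background drop rate.

```python
"""Parse 'show cef drops' output and flag growth of the uRPF drop counter.

Added example; not code from the IOS XR documentation. The snapshots below are
constructed to match the shape of the output shown on this page.
"""
import re

SNAPSHOT_T0 = """\
Node: 0/0/CPU0
  Unresolved drops     packets :               0
  No route drops       packets :               2
  RPF drops            packets :               1911
  RPF suppressed drops packets :               0
Node: 0/RP0/CPU0
  No route drops       packets :               2
  RPF drops            packets :               1503
"""

# Same router a few minutes later (constructed): one line card is absorbing a
# spoofed-source flood, the route processor is not.
SNAPSHOT_T1 = """\
Node: 0/0/CPU0
  Unresolved drops     packets :               0
  No route drops       packets :               2
  RPF drops            packets :             250911
  RPF suppressed drops packets :               0
Node: 0/RP0/CPU0
  No route drops       packets :               2
  RPF drops            packets :               1503
"""

# "<counter name>   packets :   <count>" -- the name is everything before "packets".
COUNTER_LINE = re.compile(r"^\s*(?P<counter>.+?)\s+packets\s*:\s*(?P<count>\d+)\s*$")


def parse_cef_drops(text):
    """Return {node: {counter_name: count}} for one show cef drops output."""
    nodes, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Node:"):
            current = stripped.split(":", 1)[1].strip()
            nodes[current] = {}
            continue
        match = COUNTER_LINE.match(line)
        if match and current is not None:
            nodes[current][match.group("counter").strip()] = int(match.group("count"))
    return nodes


def rpf_drop_delta(before, after, counter="RPF drops"):
    """Per-node increase of `counter` between two snapshots (missing node -> from 0)."""
    old, new = parse_cef_drops(before), parse_cef_drops(after)
    return {node: new[node].get(counter, 0) - old.get(node, {}).get(counter, 0)
            for node in new}


def nodes_over_threshold(before, after, threshold):
    """Nodes whose RPF drops grew by more than `threshold` packets between snapshots."""
    return sorted(node for node, delta in rpf_drop_delta(before, after).items()
                  if delta > threshold)


if __name__ == "__main__":
    for node, delta in rpf_drop_delta(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(f"{node}: +{delta} RPF drops")
    print("alert:", nodes_over_threshold(SNAPSHOT_T0, SNAPSHOT_T1, threshold=1000))
```

Collect the snapshots from the router at a fixed interval (the exact output differs per node, so the parser keys everything by the Node: header) and feed consecutive pairs to nodes_over_threshold. A steadily growing RPF drops counter on an edge-facing line card is the signal that loose-mode uRPF is discarding unroutable sources, which is the expected effect during a spoofed flood.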

Configuring Default Route for uRPF in Loose Mode

When you configure uRPF in loose mode, the source address of the packet must be covered by a route in the FIB for the verification to pass. By default the default route does not count as such a route; the allow-default option makes the default route acceptable in the source address verification.

  • When you do not configure the allow-default option, the router drops any packet whose source address is not covered by a route in the FIB other than the default route.

  • When you configure the allow-default option, you must also configure a default route for the interface. Otherwise, packets whose source matches no more specific route are still dropped.

  • When you configure uRPF in loose mode with allow-default on any interface in a VRF, the setting applies to all interfaces in that VRF on the router.

Use the following configuration to configure uRPF in loose mode on the router together with the allow-default option.

Router(config)# interface HundredGigE 0/2/0/2
Router(config-if)# ipv4 verify unicast source reachable-via any allow-default
Router(config-if)# ipv6 verify unicast source reachable-via any allow-default
Router(config-if)# commit

Configuring uRPF in Strict Mode

Table 2. Feature History Table

Feature Name

Release Information

Feature Description

uRPF in Strict Mode

Release 25.4.1

Introduced in this release on: Fixed Systems (8010 [ASIC: A100])(select variants only*)

*This feature is supported on:

  • 8011-32Y8L2H2FH

  • 8011-12G12X4Y-A/D

uRPF in Strict Mode

Release 25.1.1

Introduced in this release on: Fixed Systems (8700 [ASIC: K100], 8010 [ASIC: A100])(select variants only*)

*This feature is supported on:

  • 8712-MOD-M

  • 8011-4G24Y4H-I

uRPF in Strict Mode

Release 24.4.1

Introduced in this release on: Fixed Systems (8200 [ASIC: P100], 8700 [ASIC: P100])(select variants only*); Modular Systems (8800 [LC ASIC: P100])(select variants only*)

*This feature is supported on:

  • 8212-48FH-M

  • 8711-32FH-M

  • 88-LC1-36EH

  • 88-LC1-12TH24FH-E

  • 88-LC1-52Y8H-EM

uRPF in Strict Mode

Release 7.9.1

You can protect the router against DoS attacks that use spoofed source IP addresses by enabling uRPF strict mode. When strict mode is enabled, the router accepts an incoming packet only if the source IP address of the packet is present in its routing table and is reachable through the interface on which the packet was received. Otherwise, the router drops the packet. In earlier releases, IOS XR supports only loose mode uRPF.

This feature introduces the hw-module profile cef unipath-surpf command.

This feature modifies the ipv4/ipv6 verify unicast source reachable-via command.

When you enable uRPF in strict mode, the router looks up the source address of the packet in the Forwarding Information Base (FIB). If the packet arrived on the interface that the router would use to forward traffic back to that source, the packet passes the check and is processed further; otherwise, it is dropped. Apply strict mode only on interfaces where routing symmetry is natural or has been configured. Interfaces internal to the network are likely to have routing asymmetry (that is, multiple routes to the source of a packet), so uRPF in strict mode should not be implemented on them.

Usage Guidelines

  • You can configure uRPF in strict mode on router interfaces, subinterfaces, bundle interfaces, and bundle subinterfaces.

  • Tunnel and BVI interfaces do not support uRPF strict mode.

  • Configure both IPv4 and IPv6 traffic types for uRPF to work.

  • uRPF strict mode is disabled on the router by default.

  • uRPF in strict mode supports the allow-default option. When allow-default is enabled with uRPF in strict mode, a packet whose source address is covered only by the default route is processed further only if it arrived on the interface that the default route points to.

Prerequisites

Configure both IPv4 and IPv6 traffic types for uRPF to work.

Configuration

Use the following configuration to configure uRPF in strict mode on the router:

Router(config)# hw-module profile cef unipath-surpf enable
Router(config)# interface HundredGigE 0/2/0/2
Router(config-if)# ipv4 address 10.0.0.1 255.255.255.0
Router(config-if)# ipv4 verify unicast source reachable-via rx
Router(config-if)# ipv6 address 2001::1/64
Router(config-if)# ipv6 verify unicast source reachable-via rx
Router(config-if)# commit
Router(config-if)# end
Router# reload

Note


You must reload the router after executing the hw-module profile cef unipath-surpf command.

In the following figure, the FIB of router R1 lists HundredGigE0/2/0/3 as the egress interface for the network 203.0.113.0/24. R1 receives packets with source IP address 203.0.113.1 on two different interfaces, HundredGigE0/2/0/2 and HundredGigE0/2/0/3. R1 accepts the packet arriving on HundredGigE0/2/0/3, because according to the FIB that is the interface used to reach 203.0.113.1. The packet arriving on HundredGigE0/2/0/2 is dropped, because no FIB entry lists HundredGigE0/2/0/2 as an interface to reach 203.0.113.1.


Note


In the above example, the hw-module profile cef unipath-surpf configuration makes router R1 drop the packets arriving on HundredGigE0/2/0/2, because according to the FIB the only interface to reach 203.0.113.0/24 is HundredGigE0/2/0/3. If R1 has multiple egress interfaces for the 203.0.113.0/24 network (ECMP), the router checks the ingress interface against all of those entries and drops the packet only if none of them matches.


Figure 2. uRPF in Strict Mode
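The following Python model is an added example, not code from the documentation or from IOS XR. It reproduces the decision the router makes for the R1 scenario in Figures 1 and 2 under loose mode (reachable-via any), strict mode (reachable-via rx) and allow-default, including the ECMP case from the note above where a prefix has more than one egress interface, and the case from the later URPF VRF section where the connected prefix of a BGP peering interface is missing from the URPF VRF. Only 203.0.113.0/24 via HundredGigE0/2/0/3 comes from the figures; the 198.51.100.0/24 ECMP prefix, the default route via HundredGigE0/2/0/1, the 10.0.0.0/24 connected prefix and the contents of the URPF VRF are constructed for the example.

```python
"""Model of the uRPF source check: loose vs. strict mode, allow-default, ECMP,
and a source lookup against a dedicated URPF VRF table.

Added example; not code from the IOS XR documentation. Routes other than
203.0.113.0/24 via HundredGigE0/2/0/3 are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str        # destination prefix, e.g. "203.0.113.0/24"
    interfaces: tuple  # egress interface(s); more than one entry means ECMP


def lookup(fib, addr):
    """Longest-prefix match of addr against fib; returns the Route or None."""
    ip = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for route in fib:
        net = ipaddress.ip_network(route.prefix)
        if net.version == ip.version and ip in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def urpf_check(fib, src, ingress, mode="loose", allow_default=False):
    """Decide whether a packet with source src arriving on ingress passes uRPF.

    fib  -- the table the source lookup runs against: the interface's own FIB,
            or the dedicated URPF VRF when that feature is enabled
    mode -- "loose" (reachable-via any) or "strict" (reachable-via rx)
    Returns (accept, reason).
    """
    route = lookup(fib, src)
    if route is None:
        return False, "no route covers the source"
    if ipaddress.ip_network(route.prefix).prefixlen == 0 and not allow_default:
        return False, "only the default route covers the source"
    if mode == "loose":
        return True, f"source covered by {route.prefix}"
    if mode == "strict":
        # Every ECMP egress interface for the prefix is a valid reverse path.
        if ingress in route.interfaces:
            return True, f"{ingress} is an egress interface for {route.prefix}"
        return False, f"{ingress} is not among {route.interfaces} for {route.prefix}"
    raise ValueError(f"unknown mode {mode!r}")


def demo():
    """Run the R1 scenario and the edge cases; returns {case_name: accepted}."""
    hg1, hg2, hg3 = "HundredGigE0/2/0/1", "HundredGigE0/2/0/2", "HundredGigE0/2/0/3"
    fib = [
        Route("203.0.113.0/24", (hg3,)),       # single path, as in Figures 1 and 2
        Route("198.51.100.0/24", (hg2, hg3)),  # two-way ECMP (constructed)
        Route("0.0.0.0/0", (hg1,)),            # default route (constructed)
    ]
    # A URPF VRF populated without the connected 10.0.0.0/24 prefix (constructed).
    urpf_vrf = [Route("203.0.113.0/24", (hg3,))]
    urpf_vrf_fixed = urpf_vrf + [Route("10.0.0.0/24", (hg2,))]

    cases = {
        "loose_alt_interface": urpf_check(fib, "203.0.113.1", hg2, "loose"),
        "strict_alt_interface": urpf_check(fib, "203.0.113.1", hg2, "strict"),
        "strict_expected_interface": urpf_check(fib, "203.0.113.1", hg3, "strict"),
        "strict_ecmp_second_path": urpf_check(fib, "198.51.100.7", hg2, "strict"),
        "loose_default_only": urpf_check(fib, "192.0.2.9", hg2, "loose"),
        "loose_allow_default": urpf_check(fib, "192.0.2.9", hg2, "loose", allow_default=True),
        "strict_allow_default_wrong_if": urpf_check(fib, "192.0.2.9", hg2, "strict", allow_default=True),
        "strict_allow_default_right_if": urpf_check(fib, "192.0.2.9", hg1, "strict", allow_default=True),
        "vrf_missing_connected": urpf_check(urpf_vrf, "10.0.0.2", hg2, "loose"),
        "vrf_with_connected": urpf_check(urpf_vrf_fixed, "10.0.0.2", hg2, "loose"),
    }
    return {name: accepted for name, (accepted, _reason) in cases.items()}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:32s} {'accept' if accepted else 'drop'}")
```

The vrf_missing_connected case is the failure mode the restrictions for the URPF VRF feature warn about: a BGP neighbor at 10.0.0.2 on HundredGigE0/2/0/2 has its packets dropped by the source check until the connected 10.0.0.0/24 prefix is imported into the URPF VRF, and because the drop happens in the forwarding path it shows up as a peering failure rather than as a uRPF error.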

Running Configuration

Confirm your configuration as shown:

Router(config-if)# show running-config
...
!
interface HundredGigE 0/2/0/2
 ipv4 address 10.0.0.1 255.255.255.0
 ipv4 verify unicast source reachable-via rx
 ipv6 address 2001::1/64
 ipv6 verify unicast source reachable-via rx
!

Verification

To see the number of packets dropped by the uRPF check, use the show cef drops command and look at the RPF drops counter for each node:

Router(config-if)# show cef drops
Node: 0/0/CPU0
  Unresolved drops     packets :               0
  Unsupported drops    packets :               0
  Null0 drops          packets :               0
  No route drops       packets :               2
  No Adjacency drops   packets :               0
  Checksum error drops packets :               0
  RPF drops            packets :               1911
  RPF suppressed drops packets :               0
  RP destined drops    packets :               0
  Discard drops        packets :               0
  GRE lookup drops     packets :               0
  GRE processing drops packets :               0
  LISP punt drops      packets :               0
  LISP encap err drops packets :               0
  LISP decap err drops packets :               0
Node: 0/RP0/CPU0
  Unresolved drops     packets :               0
  Unsupported drops    packets :               0
  Null0 drops          packets :               0
  No route drops       packets :               2
  No Adjacency drops   packets :               0
  Checksum error drops packets :               0
  RPF drops            packets :               1503

URPF VRF source address validations

A Unicast Reverse Path Forwarding (URPF) Virtual Routing and Forwarding (VRF) source address validation is a source verification feature that

  • performs URPF source address lookups against a user-selected VRF table rather than the interface's own VRF

  • enables scalable and flexible network architectures by centralizing permitted source prefixes in one VRF, and

  • supports secure, automated source validation for large, dynamic environments across both IPv4 and IPv6 address families.

Benefits of URPF VRF source address validation

These are the benefits of URPF VRF source address validation:

  • Scalable to hundreds of thousands of source prefixes and massive ECMP environments.

  • Reduced need for complex per-interface ACLs and lower TCAM consumption.

  • Easier management of prefix lists and source policies in large tenant environments.

Configuration guidelines for URPF source address validation using VRF table

These configuration guidelines apply for URPF source address validation using VRF table:

  • Supported on these Cisco 8000 Series routers and line cards that use Cisco Silicon One Q200 ASIC-based systems:

    • Cisco 8202-32FH-M

    • 88-LC0-36FH

    • 88-LC0-36FH-M

  • The router uses standard Border Gateway Protocol (BGP) Route Policy Language (RPL) to leak routes into the URPF VRF.

  • The router performs the source lookup in the URPF VRF only if the interface has URPF enabled.

  • Use a dedicated VRF for URPF validation and ensure only one uRPF VRF is configured on the system to prevent disruptions and comply with platform limitations.

  • Enable both IPv4 and IPv6 URPF in the VRF, as enabling only one address family is not supported. Always enable URPF on interfaces facing untrusted or external sources and verify configuration with operational commands, such as show rsi vrf vrf_name .

Restrictions for URPF source address validation using VRF table

These restrictions apply for URPF source address validation using VRF table:

  • The router supports only one VRF as the URPF lookup table.

  • Openconfig models for uRPF configuration and counters are not supported.

  • The router does not provide drop counters at the interface level.

  • All connected interface IP addresses must be imported into the uRPF VRF.

  • Protocols such as BGP that peer over a URPF-enabled connected interface fail if the connected interface addresses are not present in the URPF VRF, because the peer's packets do not pass the source check.

  • The router rejects configurations that enable URPF for only one address family.

How URPF source address validation using VRF tables works

Summary

The key components involved in the process are:

  • User: Configures the uRPF VRF, manages route imports, and enables uRPF on interfaces.

  • Router: Performs packet source validation against the specified uRPF VRF and enforces resulting forwarding or drops.

  • RSI Master: Is a process on the Route Processor that manages all VRF configurations.

  • RSI Agent: Is a process on all nodes that receives these updates to notify local system clients.

Workflow

These stages describe how URPF source address validation using VRF tables works.

During this process, the router examines the source address of each incoming unicast packet against the routing information in the dedicated URPF VRF. Packets are forwarded only if a matching source route is present in URPF VRF. Correct operation requires appropriate VRF selection, route leakage, and URPF enablement per interface to ensure both security and reachability for legitimate sources.

  1. RSI Master processes the VRF configuration and assigns a table identifier.
  2. RSI Master sends the VRF information and a specific flag to the RSI Agent.
  3. The RSI Agent notifies the FIB Platform Independent (PI) layer about the presence of the URPF lookup.
  4. The FIB PI layer updates the platform hardware to perform the lookup in the designated URPF VRF.
  5. Standard BGP policies populate the URPF VRF with the necessary routes.

Result

URPF source address validation using VRF tables enables dynamic, scalable, and flexible filtering of source addresses for unicast traffic, improving security and control on the routers.

Configure URPF source address validation using VRF table

Before you begin

Create the VRF that will hold the permitted source prefixes, and make sure that the connected interface addresses of every URPF-enabled interface are imported into it; otherwise, protocols such as BGP that peer over those interfaces fail (see the restrictions above). Then follow these steps to configure the URPF lookup on that VRF:

Procedure


Step 1

Enter global configuration mode.

Example:

Router# configure

Step 2

Enter the configuration submode for the desired VRF.

Example:

Router(config)# vrf RED

Step 3

Enable the IPv4 and IPv6 URPF lookup flags.

Example:

Router(config-vrf)# urpf-lookup-ipv4
Router(config-vrf)# urpf-lookup-ipv6

Step 4

Commit the configuration.

Example:

Router(config-vrf)# commit

Step 5

Verify the configuration using the following show commands.

Example:

Router# show rsi vrf all
Router# show rsi vrf RED