Firewall URPF process

The URPF process is as follows:

1. If the source address of a packet is in the FIB table of a router:

●Strict check: search the FIB reversely for the outbound interface, that is, look up the route whose destination is the source IP address of the packet. If the reverse search yields a single outbound interface and it is the same as the inbound interface of the packet, the packet passes the check; if it is a different interface, the packet is denied. If the reverse search yields multiple outbound interfaces (for example, equal-cost routes), the loose check is performed instead.
●Loose check: if the source IP address of the packet exists in the FIB table of the router and the matching route is not a black-hole route, the packet passes the URPF check, regardless of whether the reversely searched outbound interface is consistent with the inbound interface of the packet. Otherwise, the packet is denied.
2. If the source address of the packet is not in the FIB table of the router, check the default route and the URPF allow-default-route parameter.

●If the default route is configured but the allow-default-route parameter is not configured:

The packet is denied, regardless of whether the URPF check is in strict or loose mode. (The default route is not used for the reverse search unless allow-default-route is configured.)

●If both the default route and the allow-default-route parameter are configured:

■In strict mode, if the outbound interface of the default route is the same as the inbound interface of the packet, the packet passes the URPF check and is forwarded. If the two interfaces are different, the packet is denied.
■In loose mode, the packet passes the URPF check and is forwarded.
3. The ACL is matched only after the packet has been denied by the URPF check. If the ACL permits the packet, the packet is forwarded anyway. If the ACL denies the packet, the packet is discarded.
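The three steps above can be followed end to end with a small model of the decision procedure. The following is an added example and not vendor code: the Route and FIB representation, the interface names, the sample routes and the ACL are all constructed for illustration, and the function names (reverse_lookup, urpf_check) are our own. It covers the strict and loose checks, the equal-cost and black-hole cases, the default route with and without allow-default-route, and the ACL exception that is consulted only after a URPF denial.

```python
"""
Model of the firewall URPF decision procedure (strict/loose check,
default route handling, ACL fallback). Added example, not vendor code:
routes, interface names and the ACL below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_ifaces: tuple[str, ...]      # more than one entry models equal-cost routes
    blackhole: bool = False          # e.g. a route pointing to Null0

    @property
    def is_default(self) -> bool:
        return self.prefix.prefixlen == 0


def reverse_lookup(fib: Sequence[Route], src: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match on the packet's *source* address (the 'reverse search')."""
    best = None
    for route in fib:
        if src in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def urpf_check(fib, src_ip, in_iface, mode="strict", allow_default_route=False, acl=None):
    """Return (verdict, reason); verdict is 'forward' or 'discard'."""
    assert mode in ("strict", "loose")
    src = ipaddress.IPv4Address(src_ip)
    route = reverse_lookup(fib, src)
    passed = False

    if route is not None and not route.is_default:
        # Step 1: the source address is in the FIB (a non-default entry).
        if route.blackhole:
            passed = False                      # black-hole route never passes
        elif mode == "strict" and len(route.out_ifaces) == 1:
            passed = route.out_ifaces[0] == in_iface
        else:
            # Loose mode, or strict mode with several outbound interfaces:
            # the loose check applies and a real FIB entry is enough.
            passed = True
    else:
        # Step 2: only the default route (or nothing at all) matches the source.
        if route is None or not allow_default_route:
            passed = False
        elif mode == "strict":
            passed = in_iface in route.out_ifaces
        else:
            passed = True

    if passed:
        return "forward", "urpf-pass"

    # Step 3: URPF denied the packet; the ACL (if configured) is matched only now.
    if acl is not None and any(src in net for net in acl):
        return "forward", "urpf-fail-acl-permit"
    return "discard", ("urpf-fail-acl-deny" if acl is not None else "urpf-fail")


# Constructed sample FIB and ACL (illustration only).
SAMPLE_FIB = (
    Route(ipaddress.IPv4Network("10.1.0.0/16"), ("GE0/0/1",)),
    Route(ipaddress.IPv4Network("10.2.0.0/16"), ("GE0/0/2", "GE0/0/3")),   # equal-cost routes
    Route(ipaddress.IPv4Network("192.0.2.0/24"), ("Null0",), blackhole=True),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), ("GE0/0/4",)),               # default route
)
SAMPLE_ACL = (ipaddress.IPv4Network("10.1.1.0/24"),)   # exceptions permitted after a URPF failure


if __name__ == "__main__":
    cases = [
        ("10.1.1.1", "GE0/0/1", "strict", False),   # consistent interface: pass
        ("10.1.1.1", "GE0/0/2", "strict", False),   # spoofed-looking source: deny
        ("10.1.1.1", "GE0/0/2", "loose", False),    # loose mode ignores the interface
        ("10.2.1.1", "GE0/0/1", "strict", False),   # equal-cost routes: loose check
        ("192.0.2.5", "GE0/0/1", "loose", False),   # black-hole route: deny
        ("203.0.113.9", "GE0/0/4", "strict", False),  # default route, no allow-default-route
        ("203.0.113.9", "GE0/0/4", "strict", True),   # default route, allow-default-route
    ]
    for src, iface, mode, allow in cases:
        print(f"{src:>12} in {iface} {mode:6} allow-default={allow}: "
              f"{urpf_check(SAMPLE_FIB, src, iface, mode, allow)}")
```

Two consequences of the procedure are worth keeping in mind when choosing a mode. Strict mode drops legitimate traffic whenever routing is asymmetric (the reply path enters on a different interface than the route to the source leaves on), so it is normally only safe on interfaces with a single, symmetric path such as customer or access links. Loose mode only rejects sources that have no FIB entry or a black-hole route; combined with allow-default-route and a configured default route, every source passes step 2, so the check then filters nothing except explicitly black-holed prefixes.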
