No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


The S12708 Working in URPF Strict Mode Discards Valid Packets

Publication Date:  2019-03-26 Views:  129 Downloads:  0

Issue Description

1. Networking diagram


OSPF is run between two core switches. The OSPF cost values of the two links between aggregation switch A and core switch A are changed, so that the link on the left carries services and the link on the right acts as the backup.

2. Problem: The IP address of G1/0/1 (default VLANIF 134) on the aggregation switch cannot be pinged on PCA.

Handling Process

Step 1. On the core switch, ping the IP address of G1/0/1 on the aggregation switch. The ping succeeds, indicating that the interfaces on the core and aggregation switches and the intermediate links are normal.

Step 2. Check routes on the aggregation switch. It has a route to the network segment, with the next hop being

Step 3. Check the configuration on the aggregation switch. No forwarding restriction or filtering policy is found.

Step 4. Check the configuration on the core switch. It is found that the URPF strict mode is configured on G1/1/0/1 and XG1/6/0/3.

Root Cause

When PCA pings the IP address ( of G1/0/1 on the aggregation switch, XG1/6/0/3 (with IP address on the core switch directly forwards the ICMP Request packet to G1/0/1 because the two interfaces are directly connected (this route has a higher priority). The ICMP Response packet is sent from G1/0/0 on the aggregation switch to PCA through G1/1/0/1 on the core switch. This is because the link between G1/0/0 and G1/1/0/1 has a lower OSPF cost value than the link between G1/0/1 and XG1/6/0/3. In normal cases, the ping can succeed. However, the URPF strict mode is configured on G1/1/0/1 and XG1/6/0/3 of the core switch. In URPF strict mode, a packet passes the check only when the device has a route to the source IP address of the packet in the routing table, and the inbound interface of the packet should be the same as the outbound interface of the route. Otherwise, the packet is discarded.Since the ICMP packets exchanged between PCA and G1/0/1 (with IP address are transmitted along different paths, the ping fails.


Disable URPF check for the flows transmitted between PCA and G1/0/0 of the aggregation switch.

acl number 3000

rule 5 permit ip source 0 destination 0 0

traffic classifier a

if-match acl 3000

traffic behavior a

ip urpf disable

traffic policy a

classifier a  behavior  a

interface GigabitEthernet1/1/0/1

traffic-policy a inbound