Unicast Reverse Path Forwarding (uRPF) in VMware NSX-T

Let's discuss how Unicast Reverse Path Forwarding works in VMware NSX-T. Unicast Reverse Path Forwarding (uRPF) prevents IP packets with forged source IP addresses from being passed through your router.

A router forwards packets based on the destination IP address in the IP header. In general, the source IP address plays no part in forwarding decisions (unless source-based routing is used).

uRPF is generally enabled per interface rather than on the router as a whole. A router with uRPF enabled on an interface examines every packet received on that interface.

When a packet arrives on an interface, a router that supports uRPF checks the source IP address to identify whether that specific interface can be used for reaching the packet's source.

Fig 1.1- uRPF in VMware NSX-T

This helps to defeat source IP address spoofing attacks, in which packets are sent with random source IP addresses. A packet is rejected if the interface the routing table would use to reach its source differs from the interface on which it arrived.

In Fig 1.1, the core router receives on interface Gi0/2 a packet whose source IP address is 192.168.10.1. The core router has uRPF enabled on all interfaces, so it checks its routing table to see whether the route back to 192.168.10.1 points out of interface Gi0/2.

For source address 192.168.10.1, the core router's longest prefix match is 192.168.10.0/24, reachable via interface Gi0/0. Since the packet did not arrive on interface Gi0/0, it is discarded.
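The check described above, as an added example that is not part of the original article or of NSX-T: a longest-prefix-match lookup over a constructed routing table and the uRPF verdict for the core router. It also goes beyond the text by showing loose mode, where any route to the source suffices, which is the variant normally used where asymmetric paths exist. The routes other than 192.168.10.0/24 via Gi0/0 are assumed filler.

```python
import ipaddress
from typing import Optional

# Constructed routing table for the core router in Fig 1.1: prefix -> egress interface.
# Only 192.168.10.0/24 via Gi0/0 comes from the article; the rest are assumed so that
# longest-prefix matching has something to choose between. No default route on purpose:
# with one, every source would "have a route" and loose mode would accept everything.
ROUTES = {
    "192.168.0.0/16": "Gi0/1",       # assumed aggregate, less specific than the /24
    "192.168.10.0/24": "Gi0/0",      # route from the article's example
    "10.0.0.0/8": "Gi0/2",           # assumed
}

def longest_prefix_match(src_ip: str) -> Optional[str]:
    """Return the egress interface of the most specific route covering src_ip, or None."""
    addr = ipaddress.ip_address(src_ip)
    best_net, best_iface = None, None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface

def urpf_check(src_ip: str, ingress_iface: str, mode: str = "strict") -> bool:
    """uRPF verdict for one packet: True = forward, False = drop.

    strict: the best route back to the source must exit via the ingress interface.
    loose:  any route back to the source is enough (tolerates asymmetric routing).
    """
    egress = longest_prefix_match(src_ip)
    if egress is None:
        return False                      # unroutable source: dropped in both modes
    if mode == "loose":
        return True
    return egress == ingress_iface

if __name__ == "__main__":
    # The article's packet: source 192.168.10.1 arriving on Gi0/2 fails the strict check.
    print("strict, Gi0/2:", urpf_check("192.168.10.1", "Gi0/2"))
    print("strict, Gi0/0:", urpf_check("192.168.10.1", "Gi0/0"))
    print("loose,  Gi0/2:", urpf_check("192.168.10.1", "Gi0/2", mode="loose"))
```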

From a security perspective, uRPF is enabled by default in NSX-T on external, internal, and service interfaces. uRPF is also recommended in ECMP architectures. In complex architectures where asymmetric routing exists, uRPF can be disabled, provided an anti-spoofing mechanism is implemented on the interfaces within the tier and on the router link.

For downlink interfaces, the administrator must use the Manager UI or the Policy API to enable or disable uRPF; starting with NSX-T 3.0, the Policy UI also allows the administrator to do so.