Solved: Re: ip verify unicast source reachable-via rx allow-default on cisco Nexus N9k

Ramasamy Chandrasekar · ‎06-05-2020

HI Experts,

Need your advise on enabling this service in nexus N9k switches running NXOS: version 7.0(3)I7(1). Need to apply this command set in our SVI, But i couldn't find the command set available. Please advise whether any other way to enable this service under SVI.

Thnaks

Ramsy

Sergiu.Daniluk · ‎06-07-2020

Hi @Ramasamy Chandrasekar

Sorry about my poor explanation. I was trying to say that it might be possible that "ip verify unicast source" command to be available only on L3 physical ports. SVI is not a port (physical interface), but is indeed a L3 interface. Skipping the nomenclature, my motivation for this statement was that in the config guide there was nothing mentioned about SVIs.

However, I was wrong. I managed to check in my lab, on a N9K-C93180YC-FX, running 9.2.2 and the command is allowed on SVI as well.

N9K(config-if)# sh run int vlan 101

interface Vlan101
  no shutdown
  ip verify unicast source reachable-via rx

N9K(config-if)# sh run int e1/1

interface Ethernet1/1
  description myTestIf
  ip address 10.0.0.1/30
  ip verify unicast source reachable-via rx

It might be worth upgrading to 9.x and check again.

Hope it helps.

Sergiu

View solution in original post

Sergiu.Daniluk · ‎06-05-2020

Hi @Ramasamy Chandrasekar

If I am not mistaking, this is not a command available for SVI. It only works on L3 ports.

Regards,

Sergiu

Ramasamy Chandrasekar · ‎06-07-2020

Hi @Sergiu.Daniluk

Thanks for the reply.

The SVI is L3 interface. say example when a catalyst switch accepts such command set and the same SVI is not supporting on the Nexus N9K. I have attached the screenshots for your reference.

Sergiu.Daniluk · ‎06-07-2020

Hi @Ramasamy Chandrasekar

Sorry about my poor explanation. I was trying to say that it might be possible that "ip verify unicast source" command to be available only on L3 physical ports. SVI is not a port (physical interface), but is indeed a L3 interface. Skipping the nomenclature, my motivation for this statement was that in the config guide there was nothing mentioned about SVIs.

However, I was wrong. I managed to check in my lab, on a N9K-C93180YC-FX, running 9.2.2 and the command is allowed on SVI as well.

N9K(config-if)# sh run int vlan 101

interface Vlan101
  no shutdown
  ip verify unicast source reachable-via rx

N9K(config-if)# sh run int e1/1

interface Ethernet1/1
  description myTestIf
  ip address 10.0.0.1/30
  ip verify unicast source reachable-via rx

It might be worth upgrading to 9.x and check again.

Hope it helps.

Sergiu

Ramasamy Chandrasekar · ‎06-07-2020

Thank you @Sergiu.Daniluk and @paul driver

we will propose the upgrade to the management.

Thanks

Ramsy

paul driver · ‎06-07-2020

Hello
FYI - Both loose and strict URPF modes should be applicable to physical, sub-interfaces, SVI's and L3 port channels, Although strict mode isn't applicable to host addresses (/32).

Once applied check the interface to see it is enabled
sh ip interface vlan xx | in IP

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul