Every time that I get to this subject (spoof protection), I want to apply the STRICT mode of this command (unless asymmetric traffic is specifically mentioned).
ip verify unicast source reachable-via RX (strict-mode vs loose-mode ANY)
I am not yet convinced of the value/benefit of using the LOOSE mode for spoof protection.
In the examples that I have seen....
- Our goal is usually to make sure that the internal IPs are not spoofed from outside the network/subnet.
- ....but when we use LOOSE mode (for asymmetric reasons), IMO we have opened up the exact hole we are trying to close.
So that leaves me with the exact question every time. What is the value of using this command in LOOSE mode? In this mode, we have not closed the door to the spoofing of internal prefixes -- because the door is re-opened -- for the sake of asymmetric routing.
Maybe there is something that I am still missing, something extra this mode of the command does to still protect against spoofing.
Thanks in advance for clarification on this.
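As an added illustration (not part of the post above), here is a small model of the strict and loose uRPF checks run over a constructed FIB. It shows the two cases the question is about: a spoofed internal source arriving on the upstream link (strict drops it, loose does not), and what loose mode still drops on its own, namely sources with no route at all or a null route. The interface names and prefixes are constructed, and the model assumes Cisco-style behaviour where a default route only satisfies the check when `allow-default` is configured.

```python
import ipaddress

# Constructed sample FIB: prefix -> outgoing interface (None = route to null0)
FIB = {
    ipaddress.ip_network("10.1.0.0/16"):      "Gi0/1",  # internal LAN
    ipaddress.ip_network("10.2.0.0/16"):      "Gi0/2",  # internal, second link
    ipaddress.ip_network("203.0.113.0/24"):   "Gi0/0",  # upstream peer
    ipaddress.ip_network("192.0.2.0/24"):     None,     # null-routed block
    ipaddress.ip_network("0.0.0.0/0"):        "Gi0/0",  # default route
}

def lookup(src):
    """Longest-prefix match on the source address; returns (prefix, egress) or None."""
    addr = ipaddress.ip_address(src)
    matches = [(p, i) for p, i in FIB.items() if addr in p]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)

def urpf_permit(src, ingress_iface, mode, allow_default=False):
    """Return True if a packet with source `src` entering on `ingress_iface`
    passes the uRPF check in the given mode ('strict' or 'loose')."""
    hit = lookup(src)
    if hit is None:
        return False                       # no route at all: fails both modes
    prefix, egress = hit
    if egress is None:
        return False                       # null0 route: fails both modes
    if prefix.prefixlen == 0 and not allow_default:
        return False                       # only the default route matched
    if mode == "strict":
        return egress == ingress_iface     # route must point back out the ingress
    if mode == "loose":
        return True                        # any usable route is enough
    raise ValueError(f"unknown mode {mode!r}")

if __name__ == "__main__":
    cases = [("10.1.5.5", "Gi0/0"),        # internal source spoofed from upstream
             ("10.2.3.4", "Gi0/1"),        # asymmetric: real host, "wrong" link
             ("192.0.2.9", "Gi0/0"),       # null-routed source
             ("198.51.100.7", "Gi0/0")]    # no specific route, default only
    for src, iface in cases:
        print(f"{src:14} on {iface}: strict={urpf_permit(src, iface, 'strict')} "
              f"loose={urpf_permit(src, iface, 'loose')}")
```

Running it shows that loose mode does let the spoofed internal prefix and the asymmetric flow through, while still dropping the null-routed and unrouted sources.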