RE: [nsp] ip spoofing prevention

From: Barry Raveendran Greene (bgreene@cisco.com)
Date: Fri Feb 09 2001 - 17:37:55 EST


Hello All,

Let's knock down this myth that uRPF will not work with asymmetrical routing.

Unicast RPF _does_ work on multihomed customers. People use the excuse of
"asymmetric routing" as a reason for not turning it on for their multihomed
customers or not turning it on at all on their Customer->ISP ingress.

Check out the write up in ISP/IOS Essentials
(http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip). It
documents the configuration trick to have uRPF work with multihomed
customers. The trick is to remember that uRPF is a _CEF feature_, not a BGP
feature. That means it is using information from the _FIB_ - not the _RIB_. So
what matters is the information in the FIB and how uRPF validates against it.

The key is to tweak the _BGP Weight_ on the router with the customer's
circuit to prefer the BGP information from that link. BGP Weight only
affects the information going from that single router's RIB into that single
router's FIB.

If, for example, the customer is using the split route technique (break a
/20 into two /21 with each one going out a different link along with the
/20) or RFC1998++ technique (sending the routes up with communities which
the ISP will use to set local-pref), then this technique works well.

Let's say the customer has taken their /20 and split it in half - advertising a
/21 out each of their multihomed links. Then what you recommend to the
customer is to also advertise the /20 out both links. This provides back-up
for the other /21 in case one of the links goes down.

Now, on each router you apply a BGP Weight to have BGP prefer the routes
learned on that local link and send them from the BGP RIB into the FIB. This
does not affect local pref, community or other values in the network. They
still work throughout that network. The difference is that any packet that
happens to get to that router and is destined for the /20 will get sent down
that link. It will also set up uRPF to validate "asymmetrical traffic"
coming up that link that is not in the /21 - but is in the /20 - hence
validating.

Unicast RPF does work with multihomed customers with asymmetrical traffic.
You just need to set up your multihoming config to work with Unicast RPF.

Questions? I know there will be questions on this. ;-)

Barry

PS - Yes, I'm in the process of rewriting the section in ISP/IOS Essentials
on uRPF.
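The weight trick described above, written out as an added IOS configuration example for the ISP edge router that terminates one of the customer's links. This is not configuration from the message or from ISP/IOS Essentials; the prefixes (10.16.0.0/20 split into two /21s), link addresses, interface name and AS numbers are constructed, and the router is assumed to be running CEF.

```ios
! ISP edge router "A" terminating customer link A (constructed example).
! The customer announces 10.16.0.0/21 plus the 10.16.0.0/20 aggregate on
! this link, and 10.16.8.0/21 plus the same /20 on its other link (router B).
!
ip cef
!
interface Serial1/0
 description Customer link A (customer AS 64500)
 ip address 192.0.2.1 255.255.255.252
 ! Strict uRPF: the packet's source must be reachable through this
 ! interface according to the FIB, otherwise the packet is dropped.
 ip verify unicast reverse-path
!
router bgp 64496
 neighbor 192.0.2.2 remote-as 64500
 neighbor 192.0.2.2 description Customer link A
 ! Weight is local to this router and is not propagated, so local-pref
 ! and communities elsewhere in the network are untouched. It makes the
 ! /21 and the /20 heard on this link win bestpath here and go into the
 ! FIB pointing at Serial1/0, which is what uRPF checks against.
 neighbor 192.0.2.2 weight 200
 neighbor 192.0.2.2 prefix-list CUST-A-IN in
!
! Accept only the customer's aggregate and its two halves from this link.
ip prefix-list CUST-A-IN seq 5 permit 10.16.0.0/20
ip prefix-list CUST-A-IN seq 10 permit 10.16.0.0/20 ge 21 le 21
!
! Check that the /20 in the FIB points at the customer link, not the core:
!   show ip cef 10.16.0.0 255.255.240.0
! Check that uRPF is enabled and see its drop counter:
!   show ip interface Serial1/0 | include verif
```

If the /20 in the FIB points at the core instead of Serial1/0, the weight has not taken effect and uRPF will still drop the asymmetric traffic.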
  -----Original Message-----
  From: Vinod Anthony Joseph Cherunni [mailto:vac@antarix.net]
  Sent: Friday, February 09, 2001 12:57 AM
  To: Andrew
  Cc: Eric Chan; Brian; cisco-nsp@puck.nether.net; Jared Mauch
  Subject: Re: [nsp] ip spoofing prevention

  I agree on the last comment. While using unicast RPF care should be taken
when used on multihomed connections, since incoming traffic from a network
can be received on an interface that's not listed as the potential path in
the local AS's routing table.

  Regards,
  Vinod.



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:28 EDT