[c-nsp] uRPF inside of a VRF
Justin Shore
justin at justinshore.com
Mon Jan 12 12:54:47 EST 2009
Last night we ran into some trouble with some of our VRFs. When I
examined all interfaces related to the service I noticed significant
numbers of verification drops. uRPF was recently configured on the
interfaces. Do uRPF and VRFs not play nice together?
Here's one of the SVIs with a problem:
interface Vlan2102
description dc-categroup inside firewall
ip vrf forwarding dc-categroup
ip address 172.17.0.2 255.255.255.0
ip verify unicast source reachable-via rx allow-default 150
no ip redirects
no ip unreachables
no ip proxy-arp
standby version 2
standby 2102 ip 172.17.0.1
standby 2102 priority 255
standby 2102 preempt
That SVI is attached to the inside of the FWSM context that serves that
customer. The SVI on the outside of the FWSM context doesn't have any
verification drops and neither does another SVI that's used for client
VPN termination. Access-list 150 was created some time back to
troubleshoot a different issue, a DHCP issue. It's supposed to drop and
log hits.
access-list 150 remark uRPF DENY & LOG-INPUT
access-list 150 permit udp any eq bootpc any eq bootps
access-list 150 deny ip any any log-input
Most drops are not logged however. I'm not sure why other than possibly
that the DFC on the linecard is doing the dropping so the Sup doesn't
know about the packet and therefore can't log it.
Last night it happened on another SVI in an identical scenario (SVI
behind the FWSM). I can't for the life of me figure out why it's
dropping packets or what they are. Any ideas what's causing this, whether
uRPF and VRFs don't mix, or how I go about seeing what it's dropping
besides legit traffic? The hardware is 6700 series linecards in 7600s
running SRB1. Could I be hitting a bug?
Thanks
Justin
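As an added illustration (not part of the original post or any Cisco code), the following Python model walks through what `ip verify unicast source reachable-via rx allow-default 150` does to a packet arriving on Vlan2102: a strict (rx) reverse-path lookup in the VRF table, then the ACL 150 exemption if that lookup fails. The VRF routing table is constructed for the example, and the model assumes that with `allow-default` a source matched only by the default route still has to arrive on the interface the default route points to; the exact platform semantics may differ.

```python
import ipaddress

# Constructed routing table for VRF dc-categroup (prefix -> egress interface).
# These routes are assumptions for illustration, not the poster's real table.
VRF_ROUTES = {
    "172.17.0.0/24": "Vlan2102",   # connected, inside of the FWSM context
    "10.20.0.0/16":  "Vlan2102",   # customer nets reached through the firewall
    "10.30.0.0/16":  "Vlan2200",   # nets that route out a different SVI
    "0.0.0.0/0":     "Vlan2101",   # default route towards the outside
}

# access-list 150 from the post: exempt DHCP client->server, deny and log the rest.
# Tuple: (action, protocol, src port, dst port, log-input)
ACL_150 = [
    ("permit", "udp", 68, 67, False),   # bootpc -> bootps
    ("deny",   "ip",  None, None, True),
]

def lookup(src, routes=VRF_ROUTES):
    """Longest-prefix match in the VRF; returns (prefix, iface) or (None, None)."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (str(best[0]), best[1]) if best else (None, None)

def acl_150(proto, sport, dport):
    """First-match evaluation of ACL 150; returns (action, log)."""
    for action, p, sp, dp, log in ACL_150:
        if p != "ip" and p != proto:
            continue
        if sp is not None and sp != sport:
            continue
        if dp is not None and dp != dport:
            continue
        return action, log
    return "deny", False   # implicit deny at the end of every ACL

def urpf_strict(src, ingress, proto="ip", sport=None, dport=None, allow_default=True):
    """Model of 'reachable-via rx allow-default 150' on the ingress interface.
    Returns 'forward', 'forward-acl', 'drop' or 'drop-log'."""
    prefix, iface = lookup(src)
    if prefix == "0.0.0.0/0" and not allow_default:
        iface = None               # default route not usable without allow-default
    if iface == ingress:
        return "forward"           # strict check passed: best path is back out rx
    action, log = acl_150(proto, sport, dport)   # failed check: consult the ACL
    if action == "permit":
        return "forward-acl"
    return "drop-log" if log else "drop"
```

The `10.30.1.5` case is the one worth watching for on the inside SVI: a source whose best route in the VRF points out a different interface (asymmetric path through the firewall) fails the strict check and is dropped whether or not uRPF and VRFs otherwise coexist.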