[c-nsp] Loose uRPF behaving like strict mode on 7600

Jose lobo at allstream.net
Wed May 6 19:40:15 EDT 2009


Well, according to the TAC case I had opened on this, it seems that the 
SUP32 having its TCAM full and hitting exception errors (it has the full 
Internet routing table) is likely the culprit for why uRPF in loose mode 
is not behaving as expected.

I guess this is more fuel for the fire to get these gateways upgraded to 
something more robust.

Jose

Jon Lewis wrote:
> On Wed, 29 Apr 2009, Jose wrote:
>
>> I was wondering if someone might have an explanation as to why we 
>> encountered an issue with uRPF (loose mode) when we tried enabling it 
>> on our upstream facing links.  We have 2 x 7603s w/ SUP32 acting as 
>> our Gwy routers and our transit providers connect into them (one on 
>> each gwy + private peers).  We are fed from each of them the entire 
>> internet table along with a default route.
>>
>> Now I know that we are multi-homed and obviously have asymmetrical 
>> routing occurring so I decided to implement loose uRPF on the 
>> interfaces:  ip verify unicast source reachable-via any
>>
>> However, shortly after enabling it we got calls that our customers 
>> could not reach parts of the internet.  Specifically, destinations 
>> where the packets would travel over the RPF-enabled links, which were 
>> our transits.  Traffic to and from our private peers 
>> appeared fine though with RPF.  Pings to our internal CIDRs from 
>> external route-servers would fail as well so long as the path was 
>> over the transits.  Disabling RPF on the interfaces resolved the 
>> problem immediately.
>>
>> From my understanding of this feature, it would seem as if the RPF 
>> check was working in strict mode vs loose mode.  Could there have 
>> been something that we missed?  Should the "allow-default" be used in 
>> this case?  I've never had to use it before when I've implemented 
>> loose mode in other environments.
>>
>> The 7603s are running 12.2(18)SXF11 Advanced IP Services.
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/hybrid/release/notes/ol_4563.html#wp210802 
>
>
> ----------------------------------------------------------------------
>  Jon Lewis                   |  I route
>  Senior Network Engineer     |  therefore you are
>  Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
> ------------------------------------------------------------------------
>

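For reference, the three uRPF variants discussed in this thread on an IOS upstream interface, followed by the show commands used to confirm which mode is active and whether the supervisor's hardware FIB is in exception state. This is an added illustration, not configuration from either poster; the interface name and description are placeholders.

```cisco
! Strict mode: the source must be reachable via the interface the packet
! arrived on. Breaks with asymmetric multihoming, which is why the original
! poster chose loose mode instead.
interface GigabitEthernet1/1
 description Transit A (placeholder)
 ip verify unicast source reachable-via rx
!
! Loose mode: the source must have some route in the FIB, via any interface.
! Without allow-default, a default route alone does not satisfy the check,
! so sources covered only by 0.0.0.0/0 are dropped.
interface GigabitEthernet1/1
 ip verify unicast source reachable-via any
!
! Loose mode that also accepts sources matched only by the default route.
interface GigabitEthernet1/1
 ip verify unicast source reachable-via any allow-default
!
! Verification (exec mode):
! Which uRPF mode the interface is actually running.
show ip interface GigabitEthernet1/1 | include verify
show cef interface GigabitEthernet1/1
!
! Whether the FIB TCAM has overflowed and the supervisor is handling
! routes in exception mode, the condition TAC pointed at in this thread.
show mls cef exception status
show mls cef summary
```

If `show mls cef exception status` reports the IPv4 FIB in exception state, hardware-based features that consult the FIB, uRPF among them, cannot be trusted to behave as configured until the table fits in TCAM again or the platform is upgraded.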