[c-nsp] loose uRPF on Sup720/3B

Ross Halliday ross.halliday at wtccommunications.ca
Wed Nov 14 11:55:05 EST 2012


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pete Templin
> Sent: Wednesday, November 14, 2012 10:59 AM
> To: Gert Doering
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] loose uRPF on Sup720/3B
> 
> On 11/14/12 3:45 AM, Gert Doering wrote:
> 
> >   ip verify unicast source reachable-via any allow-default
> 
> > so what is a "suppressed verification drop"?  And, much more important,
> > "will it still do that in hardware", or will loose-uRPF ("via any") punt
> > it into the software path for "some packets"?
> 
> Brian gave a decent response, but because I'm drinking my morning coffee
> I feel the urge to add another reply for you (since it'll delay my
> departure for work).  A suppressed verification drop is a packet that
> would have dropped with 'ip verify unicast source reachable-via
> [any|rx]', but didn't drop because you added options (which can be
> allow-default, allow-self-ping, and/or an ACL to punch some additional
> holes).


I can also verify this; we use a Sup720-3BXL as an edge router (yeah yeah I know, best netflow platform ever) and the uRPF stuff is certainly done in hardware. This interface sees a full feed with max traffic of about 450 Mbps; PPS I'm not sure, maybe up to 50-80k:

edge-c6509#sh ip int gig 9/9
...
  Input features: Ingress-NetFlow, Access List, uRPF, MCI Check
  Output features: IP Post Routing Processing, Post-Ingress-NetFlow, Egress-Netflow, HW Shortcut Installation
...
  IP verify source reachable-via ANY
   33694339 verification drops
   84102557 suppressed verification drops
   0 verification drop-rate

Loose/Strict mode is actually defined per-interface. It's the exception of matching default route that is global. This isn't a problem technically since you should only have the default route on a handful of interfaces, however if you build up a new interface and supply a uRPF line *without* "allow-default" then it gets removed from all interfaces.

Also, if you do hook that box up to anything like an Internet feed beware the 'debug ip cef drops' command... earlier this year I was rudely reminded that that and BFD run on the same CPU ;)

Cheers
Ross
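To make the accounting in the thread concrete, here is an added example (not code from the mailing list or from Cisco) that models per-interface uRPF in loose ("any") and strict ("rx") mode, the global allow-default exception, and an optional exemption ACL, and keeps the same two counters that `show ip interface` prints. The FIB, interface names, exempt prefixes and packets are constructed sample data; the rule that a packet rescued only by an option is booked as a "suppressed verification drop", and that in strict mode the default route must point back out the ingress interface, are this model's assumptions taken from Pete's description above.

```python
import ipaddress
from collections import Counter


class UrpfModel:
    """Model of uRPF loose/strict checks with the global allow-default
    exception and a per-interface exemption ACL (constructed example)."""

    def __init__(self, fib, allow_default=False):
        # fib: {prefix: egress interface}; "0.0.0.0/0" is the default route
        self.fib = {ipaddress.ip_network(p): i for p, i in fib.items()}
        self.allow_default = allow_default   # global knob, as the thread notes
        self.mode = {}                       # ingress interface -> "any" | "rx"
        self.exempt = {}                     # ingress interface -> [networks]
        self.counters = Counter()

    def configure(self, interface, mode, exempt=()):
        """Equivalent of 'ip verify unicast source reachable-via <mode> [acl]'."""
        self.mode[interface] = mode
        self.exempt[interface] = [ipaddress.ip_network(p) for p in exempt]

    def lookup(self, src):
        """Longest-prefix match: returns (network, egress interface) or None."""
        ip = ipaddress.ip_address(src)
        hits = [(n, i) for n, i in self.fib.items() if ip in n]
        return max(hits, key=lambda h: h[0].prefixlen) if hits else None

    def check(self, ingress, src):
        """Returns 'pass', 'drop', or 'suppressed' (passed only because of an option)."""
        mode = self.mode.get(ingress)
        if mode is None:
            return "pass"                    # uRPF not enabled on this interface
        hit = self.lookup(src)
        if hit is not None and hit[0].prefixlen > 0:
            net, via = hit
            # loose: any non-default route is enough; strict: it must point back
            # out the interface the packet arrived on
            if mode == "any" or via == ingress:
                return "pass"
        # Base check failed (no route, default route only, or wrong interface).
        # See whether a configured option rescues the packet.
        rescued = False
        if hit is not None and hit[0].prefixlen == 0 and self.allow_default:
            # allow-default lets the default route count; in strict mode its
            # interface still has to match (model assumption)
            rescued = mode == "any" or hit[1] == ingress
        if not rescued:
            ip = ipaddress.ip_address(src)
            rescued = any(ip in n for n in self.exempt.get(ingress, []))
        if rescued:
            self.counters[(ingress, "suppressed verification drops")] += 1
            return "suppressed"
        self.counters[(ingress, "verification drops")] += 1
        return "drop"

    def show(self, interface):
        """The two counter lines from 'show ip interface', as a dict."""
        return {
            "verification drops":
                self.counters[(interface, "verification drops")],
            "suppressed verification drops":
                self.counters[(interface, "suppressed verification drops")],
        }


def demo():
    # Constructed FIB: a customer block behind Gi1/1, a peer block and the
    # default route behind the upstream interface Gi9/9.
    fib = {"10.0.0.0/8": "Gi1/1", "192.0.2.0/24": "Gi9/9", "0.0.0.0/0": "Gi9/9"}
    u = UrpfModel(fib, allow_default=True)
    u.configure("Gi9/9", "any")                          # loose on the upstream
    u.configure("Gi1/1", "rx", exempt=["172.16.0.0/12"])  # strict on the customer
    packets = [
        ("Gi9/9", "198.51.100.7"),   # default route only -> suppressed
        ("Gi9/9", "10.1.2.3"),       # loose: any route is fine -> pass
        ("Gi1/1", "10.5.5.5"),       # strict: route points at Gi1/1 -> pass
        ("Gi1/1", "192.0.2.9"),      # strict: route points at Gi9/9 -> drop
        ("Gi1/1", "203.0.113.1"),    # default only, default via Gi9/9 -> drop
        ("Gi1/1", "172.16.0.1"),     # default only, but exempt ACL -> suppressed
    ]
    verdicts = [u.check(ingress, src) for ingress, src in packets]
    return verdicts, u.show("Gi9/9"), u.show("Gi1/1")


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Dropping `allow_default=True` in `demo()` turns the first packet into a plain verification drop, which is the behaviour Ross describes when a new interface is configured without "allow-default" and the global exception disappears.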


