[c-nsp] asr9k dhcp relay + ipv4 verify unicast

Saku Ytti saku at ytti.fi
Mon May 23 10:45:16 EDT 2016


Hey Florian,

Technically it is a uRPF violation: you're getting a packet from SADDR
0.0.0.0, which is clearly not routed to the interface. JunOS has this
same behaviour and you need to create an exception ACL for uRPF to fix
it. I think it's fine, leveraging existing configuration infra,
without introducing new hacks in the code, which invariably will cause
bugs.

However, I don't think IOS-XR has this exception ACL support for uRPF.
What you're seeing may be a bug; a quick search for DDTS gave me this:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuu01825

I'm curious how '633892863' was solved. Perhaps 'not supported, use
ACL instead of uRPF'.

On 23 May 2016 at 17:36, Florian Lohoff <f at zz.de> wrote:
>
> Hi,
> today I had to debug an ASR9001 setup with DHCP Relay and an
> ipv4 verify unicast source reachable-via rx allow-self-ping on
> a BVI interface. The clients failed to get leases; I saw
> DISCOVERs on the server side and the server sent out
> OFFERs. I could not determine whether the OFFER failed
> to reach the client or the REQUEST did not reach the server.
>
>         [ ... ]
>
>         dhcp ipv4
>          profile relayprofile relay
>           helper-address vrf default 10.7.8.9
>           giaddr policy replace
>          !
>          interface BVI108 relay profile relayprofile
>          interface BVI60004 relay profile relayprofile
>
>         [ ... ]
>
>         interface BVI60004
>          ipv4 address 10.4.5.1 255.255.255.0
>          ipv4 verify unicast source reachable-via rx allow-self-ping
>
> Removing the ipv4 verify unicast ... solved the issue, which
> left me a little puzzled. My google foo turned up nothing
> concerning incompatibilities ...
>
> From my understanding the verify unicast is a pure input packet
> validation. The whole DHCP handshake would not create packets
> stemming from an invalid IP address on the L2 bridge, e.g.
> the BVI interface, so I have no clue where and why the packet
> would be dropped.
>
> Flo
> --
> Florian Lohoff                                                 f at zz.de
>              UTF-8 Test: The 🐈 ran after a 🐁, but the 🐁 ran away
>



-- 
  ++ytti
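To make the uRPF point concrete, here is an added example (not from the thread and not vendor code) that models strict uRPF the way the reply describes it: a DHCP DISCOVER from 0.0.0.0 on the BVI fails the reachable-via-rx check, and a narrow exception for that one case, modelling the exception ACL mentioned for JunOS, lets it through without admitting other unrouted sources. The FIB, the interface names other than BVI60004, the default-route handling and the shape of the exception are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed FIB: prefix -> egress interface. Addresses come from the
# thread; the server-facing and default interfaces are assumptions.
FIB = {
    ipaddress.ip_network("10.4.5.0/24"): "BVI60004",
    ipaddress.ip_network("10.7.8.0/24"): "TenGigE0/0/0/0",
    ipaddress.ip_network("0.0.0.0/0"): "TenGigE0/0/0/1",
}

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ingress: str

def best_route(addr):
    """Longest-prefix match; returns (network, egress) or None."""
    ip = ipaddress.ip_address(addr)
    hits = [n for n in FIB if ip in n]
    if not hits:
        return None
    net = max(hits, key=lambda n: n.prefixlen)
    return net, FIB[net]

def strict_urpf_ok(pkt, allow_default=False):
    """Model of 'verify unicast source reachable-via rx': the best route to
    the source must point back out the ingress interface. A default route
    only satisfies the check when allow_default is set (modelled here,
    not a statement about any vendor's implementation)."""
    hit = best_route(pkt.src)
    if hit is None:
        return False
    net, egress = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    return egress == pkt.ingress

def is_dhcp_discover(pkt):
    """The one legitimate unrouted source: a client that has no lease yet."""
    return (pkt.src == "0.0.0.0" and pkt.dst == "255.255.255.255"
            and pkt.sport == 68 and pkt.dport == 67)

def ingress_decision(pkt, dhcp_exception=False):
    """Returns 'permit' or 'drop:urpf'. dhcp_exception models the
    exception ACL the reply describes for JunOS (assumed shape)."""
    if dhcp_exception and is_dhcp_discover(pkt):
        return "permit"
    return "permit" if strict_urpf_ok(pkt) else "drop:urpf"
```

Without the exception the DISCOVER is dropped exactly as the thread observed; with it, only the 0.0.0.0 bootstrap case is exempted, and a spoofed source on the BVI still fails.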

