[nsp] ip verify unicast reverse-path confirmation?

Jared Mauch jared at puck.nether.net
Thu Dec 4 21:46:41 EST 2003


On Thu, Dec 04, 2003 at 04:02:00PM -0500, lee.e.rian at census.gov wrote:
> I think uRPF handling depends on the hardware
> - Sup 1: everything gets forwarded to the MSFC
> - Sup 2: handled in hardware
> 

	Ok.

	Hold the phone here.

	Here's the scoop:

	sup1(a), u-rpf handled in software on the MSFC
	sup2, u-rpf is GLOBAL.  You set strict on one interface,
it sets strict on all interfaces that u-rpf is configured.  This
is quite different from all other cisco platforms.  BEWARE.  I've
seen people innocently break things by setting strict on an
interface and it changes an unrelated interface from loose
to strict.  This was a pain to track down since we were
looking at tacacs logs and couldn't find it.

	I can't remember what the sup3 (720) does off the top of
my head, I seem to recall asking cisco but not recalling the answer
I received.  Use caution.

	- Jared

> ========== original message ====================
> Message: 8
> Date: Thu, 4 Dec 2003 16:58:54 +0100
> From: Nicolas Sayer <Nicolas.Sayer at inria.fr>
> Subject: Re: [nsp] ip verify unicast reverse-path confirmation?
> To: cisco-nsp at puck.nether.net
> Message-ID: <C2C60CF6-2672-11D8-98A2-000A95887BEE at inria.fr>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
> 
> hello all,
> 
> off topic question about "ip verify unicast reverse-path", i had to
> take out of my WAN interface configuration because it was burning out
> the CPU (interrupts). Does each packet (from one TCP flow for example)
> HAS to have its source address checked against the routing table, thus
> sent to the CPU ? couldn't cef take care of stamping the source address
> as : ok
> 
> fyi: i have a 6500 switch enhanced with an msfc1 for routing,
> 
>              cheers, Nick.
> 
> On jeudi, nov 6, 2003, at 20:01 Europe/Paris, Bob Snyder wrote:
> 
> > Is there any command to see the effects of the "ip verify unicast
> > reverse-path" command? Packet drop counters, etc?
> >
> > Bob
> ===============================================
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
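
The strict/loose distinction and the global-mode side effect described in the message above, modelled in Python as an added example (not code from the original post or from Cisco). The FIB, interface names and the `Router` class are constructed for illustration; `global_mode=True` encodes only the Sup2 behaviour as the message describes it.

```python
import ipaddress

# Constructed FIB (assumption): prefix -> interfaces the best path points out of.
FIB = {
    "198.51.100.0/24": {"transit-A"},   # best path to this network is via transit-A
    "203.0.113.0/24": {"cust-1"},
}

def lookup(fib, src):
    """Longest-prefix match on the source; returns egress interfaces or None."""
    addr, best = ipaddress.ip_address(src), None
    for prefix, ifaces in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best[1] if best else None

class Router:
    """Hypothetical model; global_mode=True mimics the Sup2 behaviour as described."""
    def __init__(self, fib, global_mode=False):
        self.fib, self.global_mode, self.modes = fib, global_mode, {}

    def set_urpf(self, iface, mode):
        self.modes[iface] = mode
        if self.global_mode:            # last mode set is applied to every uRPF interface
            self.modes = {name: mode for name in self.modes}

    def accepts(self, in_iface, src):
        mode, route = self.modes.get(in_iface), lookup(self.fib, src)
        if mode is None:
            return True                 # uRPF not configured on this interface
        if route is None:
            return False                # no route back to the source: both modes drop
        return mode == "loose" or in_iface in route   # strict: must arrive on the return path

def drift(intended, router):
    """Audit check: interfaces whose effective mode differs from the intended one."""
    return sorted(i for i, m in intended.items() if router.modes.get(i) != m)

def scenario(global_mode):
    """Operator sets loose on a multihomed uplink, then strict on a customer port."""
    r = Router(FIB, global_mode)
    r.set_urpf("transit-B", "loose")
    r.set_urpf("cust-1", "strict")
    return r

INTENDED = {"transit-B": "loose", "cust-1": "strict"}

if __name__ == "__main__":
    for g in (False, True):
        r = scenario(g)
        # 198.51.100.7 arrives on transit-B although the route back is via transit-A
        print(g, r.accepts("transit-B", "198.51.100.7"), drift(INTENDED, r))
```

Comparing intended against effective mode per interface after every uRPF change catches the flip even when the command log shows nothing for the affected interface.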