[nsp] ip verify unicast reverse-path confirmation?
Robert A. Hayden
rhayden at geek.net
Fri Dec 5 14:49:38 EST 2003
Actually, that "print a warning" half-way resolution came from me (or at
least I submitted a ticket that asked for this). I got tripped up by this
a couple months ago since the change is being made at the interface level
but is being global on the switch. Obviously, this violates CLI logic and
I opened up a case per that.
It's good to see it's out there now. It makes me feel a little bit like
Company C listens from time to time, which is good :-)
On Fri, 5 Dec 2003, Tim Stevenson wrote:
> Comments inline:
>
> At 06:59 PM 12/4/2003, cisco-nsp-request at puck.nether.net remarked:
> >Message: 11
> >Date: Thu, 4 Dec 2003 21:46:41 -0500
> >From: Jared Mauch <jared at puck.nether.net>
> >Subject: Re: [nsp] ip verify unicast reverse-path confirmation?
> >To: lee.e.rian at census.gov
> >Cc: cisco-nsp at puck.nether.net
> >Message-ID: <20031205024641.GN45524 at puck.nether.net>
> >Content-Type: text/plain; charset=us-ascii
> >
> >On Thu, Dec 04, 2003 at 04:02:00PM -0500, lee.e.rian at census.gov wrote:
> >> I think uRPF handling depends on the hardware
> >> - Sup 1: everything gets forwarded to the MSFC
> >> - Sup 2: handled in hardware
> >>
> >
> > Ok.
> >
> > Hold the phone here.
> >
> > Here's the scoop:
> >
> > sup1(a), u-rpf handled in software on the MFSC
>
> Right.
>
> > sup2, u-rpf is GLOBAL. You set strict on one interface,
> >it sets strict on all interfaces that u-rpf is configured. This
> >is quite different from all other cisco platforms. BEWARE. I've
> >seen people innocently break things by setting strict on an
> >interface and it changes an unrelated interface from loose
> >to strict. This was a pain to track down since we were
> >looking at tacacs logs and couldn't find it.
>
> That is correct. Basically, there is a "global hardware mode" - any uRPF check enabled interfaces use that mode. If you set the mode on interface A (say, strict mode) and then set a different mode (say loose) on interface B, both interface A & B will be running loose mode. There is a DDTS on this, in R state: CSCec39733.
>
> However, the current release note (12/5) on cisco.com is misleading, coupled with the R state. The resolution is just to print a warning. I updated the RN to say:
>
> ***
> Entering a new uRPF mode on an interface changes the ip verify statement on
> global basis (all interfaces with uRPF check enabled are changed to the new
> mode).
>
> This is expected behavior for this platform.
>
> The resolution for this DDTS is to print a warning message at the CLI prompt
> when the global mode is changed:
>
> "Changing uRPF check mode on all uRPF interfaces to this mode."
> ***
>
> > I can't remember what the sup3 (720) does off the top of
> >my head, I seem to recall asking cisco but not recalling the answer
> >I received. Use caution.
>
>
> Sup720 does the same thing. The main difference between sup2 & sup720 is that sup2 can only do uRPF in hardware for a single reverse path interface per prefix. So if you have load sharing paths back to a prefix, only one of the LS interfaces gets uRPF check in hardware; the other gets it in software.
>
> On sup720, we can do up to 6 LS paths in hardware - 2 by default for all prefixes and up to 4 additional interfaces with some additional config.
>
> Hope that clarifies.
>
> Tim
>
>
> > - Jared
>
>
> Tim Stevenson, tstevens at cisco.com
> Routing & Switching CCIE #5561
> Technical Marketing Engineer, Catalyst 6500
> Cisco Systems, http://www.cisco.com
> IP Phone: 408-526-6759
> ********************************************************
> The contents of this message may be *Cisco Confidential*
> and are intended for the specified recipients only.
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
More information about the cisco-nsp
mailing list