[nsp] RPF on Catalyst 6k

Francois Baligant francois at ops.be.wanadoo.com
Tue Jan 7 15:59:14 EST 2003


	Take care.

	From my experience with a c6k with SUP2/MSFC2 in hybrid mode
	and trying to run uRPF since the early 6.3 release, the 
	implementation is not stable enough and can go wild in very
	creative and difficult to detect ways. Examples are:

	- packets being dropped for no apparent reason
	- packets that should have been dropped, not dropped
	- drops appearing gradually and only getting noticeable 2 days
	later.
	- MLS table getting desynched or corrupted (a one time effect
	was a loop being created on a POS interface)

	It might be because we are using OSM and SFM modules.
	Or maybe not.
	
	Cisco has been helpful with this, always trying to
	debug problems when they arise, but still. We are now
	running 7.4(2) on Sup and still had to disable uRPF once
	again 'cause of side effects.

	Good luck,
	Francois
-- 
Francois Baligant                Lozenberg 22 - B-1932 Zaventem 
Wanadoo Belgium NV/SA    francois@be.wanadoo.com 
Network Operation Center    tel: +32 2 717 17 17 
FB1-6BONE FB3122-RIPE  fax: +32 2 717 17 77 

On Fri, 27 Dec 2002, Rubens Kuhl Jr. wrote:

> 
> | In our case, we filter to prevent packets carrying one of "our" IP
> | addresses from entering our local network.  We suffer from slight
> | fragmentation of our address space, so the appropriate "deny" entries
> | would occupy quite a bit of TCAM (in which the inbound ACL facing the
> | Internet already occupies a sizable chunk).
> 
> Try varying IOS version; newer versions usually compile ACLs better, but
> sometimes they do a big mess.. also, try enabling odm algorithm, which seems
> to have better corner case handling.
> 
> | | I wish we were already approaching the edge in terms of spoof
> | protection, but there's still a *very* long way to go.  (I'm already
> | happy if there's a L3 device at the edge.  Typical university network
> | problem, I guess.)
> 
> Spoof protection belongs to L7-land, is stateful in its nature (even more
> than SLB, which can be done in a stateless fashion). But if the stateless
> (regarding to individual conections) router can be of any assistance, it is
> a good thing.
> 
> 
> Rubens Kuhl Jr.
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
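The two mechanisms the thread compares, uRPF on the MSFC and the "deny our own sources coming from the Internet" ingress ACL that eats TCAM, as an added Python reference model. This is not code from the thread or from Cisco; the FIB, interface names, prefixes and packets are constructed sample data. It models the semantics of IOS `ip verify unicast source reachable-via rx` (strict) and `reachable-via any` (loose), and the `allow-default` keyword, without which a source known only through the default route fails the check in either mode. Running it shows the classic strict-mode failure on a multi-homed customer (best route to the source points at the customer's other link, so legitimate packets drop) and how much of the ACL's TCAM cost disappears when fragmented prefixes are collapsed before they are programmed.

```python
"""Reference model of uRPF verdicts (strict/loose) and an own-address ingress ACL.

Added example, not code from the original cisco-nsp thread or from Cisco.
Everything below (FIB, interfaces, prefixes, packets) is constructed sample data.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network

# Constructed FIB: prefix -> egress interface. Longest match wins.
FIB: Dict[Net, str] = {
    ipaddress.ip_network("0.0.0.0/0"): "POS1/1",          # default route to upstream
    ipaddress.ip_network("192.0.2.0/24"): "Gi3/1",        # customer A
    ipaddress.ip_network("198.51.100.0/24"): "Gi3/2",     # customer B, primary link
    ipaddress.ip_network("198.51.100.128/25"): "Gi3/3",   # customer B, second link (more specific)
    ipaddress.ip_network("203.0.113.0/25"): "Gi3/4",      # customer C
}

# Constructed "our" address space, deliberately fragmented as in the quoted message.
OUR_PREFIXES: List[Net] = [ipaddress.ip_network(p) for p in (
    "192.0.2.0/24", "198.51.100.0/24", "198.51.100.128/25",
    "203.0.113.0/26", "203.0.113.64/26")]

INTERNET_FACING = {"POS1/1"}   # interfaces where the anti-spoofing ACL is applied inbound


def lookup(fib: Dict[Net, str], addr: ipaddress.IPv4Address) -> Optional[Tuple[Net, str]]:
    """Longest-prefix match: returns (prefix, egress interface) or None if no route."""
    best: Optional[Tuple[Net, str]] = None
    for prefix, iface in fib.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_verdict(src: str, ingress: str, mode: str,
                 allow_default: bool = False, fib: Dict[Net, str] = FIB) -> str:
    """'pass' or 'drop' for a packet with source `src` arriving on `ingress`.

    strict: the best route back to the source must exit via `ingress`.
    loose : any route back to the source is enough; the interface is ignored.
    In both modes a hit on 0.0.0.0/0 counts only when allow_default is set
    (models the IOS allow-default keyword).
    """
    if mode not in ("strict", "loose"):
        raise ValueError(f"unknown uRPF mode {mode!r}")
    hit = lookup(fib, ipaddress.ip_address(src))
    if hit is None:
        return "drop"                                   # no route to the source at all
    prefix, iface = hit
    if prefix.prefixlen == 0 and not allow_default:
        return "drop"                                   # only the default route knows it
    if mode == "loose":
        return "pass"
    return "pass" if iface == ingress else "drop"


def spoof_acl_verdict(src: str, ingress: str,
                      our_prefixes: List[Net] = OUR_PREFIXES) -> str:
    """The ACL from the quoted message: deny our own sources entering from the Internet."""
    if ingress not in INTERNET_FACING:
        return "permit"
    addr = ipaddress.ip_address(src)
    return "deny" if any(addr in p for p in our_prefixes) else "permit"


def collapsed_deny_entries(our_prefixes: List[Net]) -> List[Net]:
    """Deny entries actually needed once adjacent/subsumed prefixes are merged.

    Fewer entries means less TCAM; the compiler may or may not do this for you,
    so doing it before writing the ACL is the safe option.
    """
    return list(ipaddress.collapse_addresses(our_prefixes))


if __name__ == "__main__":
    # Constructed packets: (source, ingress interface, what it is)
    packets = [
        ("192.0.2.10", "Gi3/1", "customer A, own link"),
        ("192.0.2.10", "Gi3/2", "customer A source spoofed from customer B"),
        ("198.51.100.130", "Gi3/2", "customer B multi-homed, asymmetric path"),
        ("198.18.0.1", "POS1/1", "Internet source, only default route"),
        ("203.0.113.70", "POS1/1", "our address arriving from the Internet"),
    ]
    for src, ingress, what in packets:
        print(f"{what:45s} strict={urpf_verdict(src, ingress, 'strict'):4s} "
              f"loose={urpf_verdict(src, ingress, 'loose', allow_default=True):4s} "
              f"acl={spoof_acl_verdict(src, ingress)}")
    print(f"ACL deny entries: {len(OUR_PREFIXES)} raw, "
          f"{len(collapsed_deny_entries(OUR_PREFIXES))} after collapsing")
```

The third packet is the case to watch before enabling strict mode on customer ports: 198.51.100.130 is a legitimate customer B address, but the most specific route (the /25) points at Gi3/3, so strict uRPF on Gi3/2 drops it while loose mode passes it. The fourth packet shows why `allow-default` matters on the upstream-facing interface; without it strict mode drops every source that is only reachable via 0.0.0.0/0.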


