[nsp] Unicast RPF check on 802.1q subifs (4700, 12.2(13b))?
Gert Doering
gert at greenie.muc.de
Tue Jun 17 11:38:05 EDT 2003
Hi,

surprise, surprise...

Cisco 4700, NP-1FE fast ethernet, 802.1q subinterfaces, 12.2(13b).
CEF switching is active.

Now I want to enable "ip unicast verify reverse" on one of the 802.1q
subifs (fa0.211). The router takes the command, and "freezes" - connecting
out of band, it tells me that it's dropping all my packets...:

    CEF-Drop: Packet from 195.30.0.91 via FastEthernet0.211 -- unicast rpf check
    CEF-Drop: Packet from 195.30.0.120 via FastEthernet0.211 -- unicast rpf check
    CEF-Drop: Packet from 195.30.0.123 via FastEthernet0.211 -- unicast rpf check
    CEF-Drop: Packet from 195.30.0.126 via FastEthernet0.211 -- unicast rpf check

now the fine point... - the network 195.30.0.* is connected to
FastEthernet0.1 (802.1q native interface):

    interface FastEthernet0.1
     description link to backbone, 801.2q native VLAN
     encapsulation dot1Q 1 native
     ip address 195.30.0.124 255.255.255.0

and I'm absolutely sure that those packets are not travelling in via
fa0.211 (like "I run a ping on the 195.30.0.124 address and can see
CEF-Drop: messages for the corresponding source IP").

Unicast RPF *works* on physical interfaces in the same box. IP
access-list on 802.1q Subifs do also work, but are much less convenient
than unicast RPF.

So, the question boils down to:

- is unicast RPF broken on 802.1q subinterfaces in general?
- is unicast RPF broken on 802.1q subifs on 12.2(13b)?
- is unicast RPF broken on 802.1q subifs on the 4700?

Please share your experiences.

(I have no other router with an 802.1q trunk and IPv4 on that, so I can't
easily test that - uRPF works fine on Cat5k RSM/RSFC vlan interfaces, but
those are a completely different story anyway)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de
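
Added example, not part of the original post: a small triage script that cross-checks the quoted CEF-Drop lines against the connected subnets in the interface configuration, to show which drops name a source that is directly connected on a different subinterface than the one logged. The Fa0.211 address (192.0.2.1/24) is a constructed placeholder because the post does not give it, and the function names are hypothetical.

```python
import ipaddress
import re

# The Fa0.1 address is from the post. The Fa0.211 stanza is constructed:
# its address is not given in the post, 192.0.2.1/24 is a placeholder.
CONFIG = """\
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 ip address 195.30.0.124 255.255.255.0
interface FastEthernet0.211
 ip address 192.0.2.1 255.255.255.0
"""

# Two of the debug lines quoted in the post.
LOG = """\
CEF-Drop: Packet from 195.30.0.91 via FastEthernet0.211 -- unicast rpf check
CEF-Drop: Packet from 195.30.0.120 via FastEthernet0.211 -- unicast rpf check
"""

DROP_RE = re.compile(r"CEF-Drop: Packet from (\S+) via (\S+) -- unicast rpf check")

def connected_networks(config):
    """Map interface name -> directly connected IPv4 network."""
    nets, ifname = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"] and len(words) >= 2:
            ifname = words[1]
        elif words[:2] == ["ip", "address"] and ifname and len(words) >= 4:
            nets[ifname] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
    return nets

def classify_drops(log, nets):
    """Return (source, logged_if, owning_if, verdict) for each uRPF drop line."""
    rows = []
    for m in DROP_RE.finditer(log):
        src, logged = ipaddress.ip_address(m.group(1)), m.group(2)
        owner = next((i for i, n in nets.items() if src in n), None)
        if owner is None:
            verdict = "not-connected"        # needs the routing table to judge
        elif owner == logged:
            verdict = "unexpected-drop"      # strict uRPF should pass this source
        else:
            verdict = "connected-elsewhere"  # source subnet is on another subif
        rows.append((str(src), logged, owner, verdict))
    return rows

if __name__ == "__main__":
    for row in classify_drops(LOG, connected_networks(CONFIG)):
        print(*row)
```

A "connected-elsewhere" verdict means the drop is consistent with strict uRPF only if the packet really entered on the logged subinterface, which is the point to verify with a capture on the trunk.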