[nsp] Unicast RPF check on 802.1q subifs (4700, 12.2(13b))?
Tomas Daniska
tomas at tronet.com
Wed Jun 18 09:32:54 EDT 2003
i'd ack for CSCdz01357 - we have encountered that at one of our customers (though on a c3660, and iirc on a 7500 too?)
the issue seemed more generic than amd fe
try making the vlan explicitly tagged as a workaround :)
--
deejay
> -----Original Message-----
> From: Oliver Boehmer (oboehmer) [mailto:oboehmer at cisco.com]
> Sent: 17 June 2003 23:13
> To: Gert Doering
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [nsp] Unicast RPF check on 802.1q subifs (4700, 12.2(13b))?
>
>
> Gert,
>
> > Cisco 4700, NP-1FE fast ethernet, 802.1q subinterfaces, 12.2(13b).
> >
> > CEF switching is active.
> >
> > Now I want to enable "ip unicast verify reverse" on one of the 802.1q
> > subifs (fa0.211). The router takes the command, and "freezes" -
> > connecting out of band, it tells me that it's dropping all my
> > packets...:
> >
> [...]
> >
> > now the fine point... - the network 195.30.0.* is connected to
> > FastEthernet0.1 (802.1q native interface):
> >
> > interface FastEthernet0.1
> > description link to backbone, 801.2q native VLAN
> > encapsulation dot1Q 1 native
> > ip address 195.30.0.124 255.255.255.0
> >
> > and I'm absolutely sure that those packets are not travelling in via
> > fa0.211 (like "I run a ping on the 195.30.0.124 address and can see
> > CEF-Drop: messages for the corresponding source IP").
> >
> > Unicast RPF *works* on physical interfaces in the same box. IP
> > access-list on 802.1q Subifs do also work, but are much less
> > convenient than unicast RPF.
> >
> > So, the question boils down to:
> >
> > - is unicast RPF broken on 802.1q subinterfaces in general?
>
> no
>
> > - is unicast RPF broken on 802.1q subifs on 12.2(13b)?
>
> well, depends on the driver ..
>
> > - is unicast RPF broken on 802.1q subifs on the 4700?
>
> Yes. It looks to be similar to CSCdu79179 and CSCdz01357, but those DDTS
> were filed on different FE drivers.
>
> Can you send me a "show tech" unicast so I can double-check?
>
> oli
>
>