[c-nsp] unicast rpf dhcp drops after routing adjustment

Tim Durack tdurack at gmail.com
Fri Dec 9 15:20:40 EST 2005


Have just run into a nasty DHCP/HSRP/RPF failure corner case:

Data center switch redundantly connected to two routers, HSRP providing
gateway.
Two routers share single link back to two core routers. DHCP server located
off-site, routers performing DHCP relay function.

Adding second shared link broke DHCP for HSRP interfaces. DHCP response
packet would always come back to the neighbor router in the pair, instead of
the originating relay. Packet would then get punted across the directly
connected interface, and dropped by RPF (correct but unexpected behaviour.)

I have a number of options:


1. Disabled RPF checks on HSRP interfaces.

Don't really like this idea. RPF is a standard configuration for us at the
edge.


2. Configure static routes for the interface address on affected HSRP
interfaces. Redistribute static into IGP.

This should result in DHCP relay packets coming back directly to the source
router, avoiding the shunt across the connected interface and subsequent RPF
failure.


3. Configure RPF ACL to exclude DHCP packets from RPF checks.

Platform doesn't support RPF ACLs, so not an option.


4. Configure router DHCP relay to use a loopback source address instead of
the interface address.

This would fix this potential problem for many cases, but this is not
currently configurable.

Seems like a logical IOS feature request. TAC Engineer says I will have to
pursue it with an SE or Cisco Account Manager. The platform is EOS and
approaching EOL, so I'm not sure the request would really go anywhere.


Looks like option 2 is the one we will go with. Anybody else run into this?

Tim:>
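
Added example, not part of the original post: a small Python model of the strict uRPF drop described above and of why the host route in option 2 avoids it. The addresses, the router names (rtr-a, rtr-b) and the simplified FIBs are constructed assumptions.

```python
import ipaddress

# All addresses and router names are constructed for illustration.
DHCP_SERVER = "198.51.100.10"  # off-site DHCP server
GIADDR = "192.0.2.2"           # rtr-a's address on the HSRP VLAN (relay source)

def lpm(fib, addr):
    """Longest-prefix match over [(prefix, target)]; returns target or None."""
    ip = ipaddress.ip_address(addr)
    hits = [(ipaddress.ip_network(p), t) for p, t in fib
            if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def strict_urpf_pass(fib, src, ingress_if):
    """Strict uRPF: accept only if the best route back to src uses ingress_if."""
    return lpm(fib, src) == ingress_if

# rtr-a's FIB: connected HSRP subnet on 'vlan', everything else via 'uplink'.
RTR_A_FIB = [("192.0.2.0/24", "vlan"), ("0.0.0.0/0", "uplink")]

def deliver_reply(core_fib):
    """Trace the DHCP reply from the core to rtr-a; return (ingress_if, accepted)."""
    first_hop = lpm(core_fib, GIADDR)
    # Sent straight to rtr-a: arrives on its uplink.
    # Sent to rtr-b: rtr-b forwards it onto the connected VLAN,
    # so rtr-a receives it on 'vlan' with an off-subnet source address.
    ingress = "uplink" if first_hop == "rtr-a" else "vlan"
    return ingress, strict_urpf_pass(RTR_A_FIB, DHCP_SERVER, ingress)

# After the second link: the core's path for the subnet lands on rtr-b.
CORE_BEFORE = [("192.0.2.0/24", "rtr-b")]
# Option 2: a /32 for the relay address, advertised by rtr-a, wins on length.
CORE_OPTION2 = CORE_BEFORE + [("192.0.2.2/32", "rtr-a")]

if __name__ == "__main__":
    for name, fib in (("subnet route only", CORE_BEFORE),
                      ("with /32 host route", CORE_OPTION2)):
        ingress, ok = deliver_reply(fib)
        print(f"{name}: arrives on {ingress}, uRPF {'pass' if ok else 'DROP'}")
```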

