[c-nsp] Suppressed RPF drops w/out ACL?

Rick Ernst ernst at easystreet.com
Fri May 20 12:48:06 EDT 2005



My postmaster complained about messages being received from a source
address that should be blocked by our BGP/RPF black-hole.

I've confirmed that the source IP is showing up in the routing table,
pointed to the blackhole interface.

While investigating, I also noticed that RPF counters on the ingress
interfaces were showing RPF suppress counts.  According to CCO, this means
they are being bypassed due to an ACL on the RPF statement; but there is no
ACL.  There is an ACL on the interface itself, but not on the RPF
statement.  I'm using "reachable-via any" since we are multi-homed.

Some/most packets are being blocked properly as far as I can tell, but
there are some sneaking through.

It looks like I'm running into two different problems, since even if RPF
wasn't running, the BGP blackhole should be dropping return traffic,
preventing the 3-way handshake.  Any ideas on where to check next?

Thanks,
Rick

----

Example output:

IOS (tm) 7200 Software (C7200-JS-M), Version 12.1(22)E1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

interface Serial4/0
 ip verify unicast source reachable-via any

#show ip int s4/0
Serial4/0 is up, line protocol is up
 --
  IP fast switching is enabled
  IP fast switching on the same interface is enabled
  IP Flow switching is enabled
  IP CEF switching is enabled
  IP Flow switching turbo vector
  IP Flow CEF switching turbo vector
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, Flow, CEF
 --
  IP verify source reachable-via ANY
   4884188 verification drops
   2214130000 suppressed verification drops
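The post quotes a "reachable-via any" statement with no ACL next to a large "suppressed verification drops" counter. The script below is an added example, not something from the post or from Cisco; it parses the running-config verify statement and the "show ip interface" counters (the sample input is the text quoted above, embedded as a constructed string) and reports interfaces where the counters disagree with the configuration, so the same check can be run against any router before digging further. It assumes the standard IOS syntax "ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [acl]" and, in counter_delta, that the drop counters are unsigned 32-bit values (an assumption, used only to tolerate a wrap between two polls).

```python
import re
from typing import Dict, List, Optional

# Constructed sample input, copied from the list post (config and show output).
SAMPLE_CONFIG = """\
interface Serial4/0
 ip verify unicast source reachable-via any
"""

SAMPLE_SHOW = """\
Serial4/0 is up, line protocol is up
  IP fast switching is enabled
  IP CEF switching is enabled
  IP verify source reachable-via ANY
   4884188 verification drops
   2214130000 suppressed verification drops
"""

# Keywords that may follow the mode; anything else in that position is the ACL.
URPF_OPTIONS = {"allow-default", "allow-self-ping"}


def parse_verify_line(line: str) -> Optional[dict]:
    """Parse one 'ip verify unicast source reachable-via ...' line.

    Returns {'mode': 'rx'|'any', 'options': set, 'acl': str|None},
    or None when the line is not a uRPF statement.
    """
    tokens = line.split()
    if tokens[:5] != ["ip", "verify", "unicast", "source", "reachable-via"] or len(tokens) < 6:
        return None
    mode = tokens[5].lower()
    options, acl = set(), None
    for tok in tokens[6:]:
        if tok in URPF_OPTIONS:
            options.add(tok)
        else:
            acl = tok  # trailing ACL number or name, if configured
    return {"mode": mode, "options": options, "acl": acl}


def parse_urpf_config(config: str) -> Dict[str, dict]:
    """Map interface name -> uRPF settings found under it in running-config text."""
    result, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif current and line.startswith("ip verify unicast"):
            parsed = parse_verify_line(line)
            if parsed:
                result[current] = parsed
    return result


IFACE_RE = re.compile(r"^(\S+) is (up|down|administratively down)")
COUNTER_RE = re.compile(r"^\s*(\d+) (suppressed verification drops|verification drops)$")


def parse_urpf_counters(show: str) -> Dict[str, dict]:
    """Map interface name -> {'drops': int, 'suppressed': int} from 'show ip interface'."""
    result, current = {}, None
    for raw in show.splitlines():
        m = IFACE_RE.match(raw)
        if m:
            current = m.group(1)
            result[current] = {"drops": 0, "suppressed": 0}
            continue
        m = COUNTER_RE.match(raw)
        if m and current:
            key = "suppressed" if m.group(2).startswith("suppressed") else "drops"
            result[current][key] = int(m.group(1))
    return result


def audit(config: str, show: str) -> List[str]:
    """Return one finding per interface whose counters do not fit its configuration."""
    findings = []
    settings = parse_urpf_config(config)
    counters = parse_urpf_counters(show)
    for iface, c in counters.items():
        cfg = settings.get(iface)
        if cfg is None:
            if c["drops"] or c["suppressed"]:
                findings.append(f"{iface}: uRPF counters present but no verify statement in config")
            continue
        # Suppressed drops are documented as RPF failures let through by the verify ACL;
        # a non-zero count with no ACL is exactly the situation the post describes.
        if c["suppressed"] and cfg["acl"] is None:
            findings.append(
                f"{iface}: {c['suppressed']} suppressed verification drops but the verify "
                f"statement carries no ACL (mode {cfg['mode']})"
            )
    return findings


def counter_delta(old: int, new: int, width: int = 32) -> int:
    """Increase between two polls of an unsigned counter, tolerating one wrap (width assumed)."""
    return (new - old) % (1 << width)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_SHOW):
        print(finding)
```

Polling the counters twice a few minutes apart and feeding the pair to counter_delta tells you whether the suppressed counter is still climbing, which separates a live bypass from a stale count left over from an earlier configuration.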