[c-nsp] Suppressed RPF drops w/out ACL?
Rick Ernst
ernst at easystreet.com
Fri May 20 12:48:06 EDT 2005
My postmaster complained about messages being received from a source
address that should be blocked by our BGP/RPF black-hole.
I've confirmed that the source IP is showing up in the routing table,
pointed to the blackhole interface.
While investigating, I also noticed that RPF counters on the ingress
interfaces were showing RPF suppress counts. According to CCO, this means
they are being bypassed due to an ACL on the RPF statement; but there is no
ACL. There is an ACL on the interface itself, but not on the RPF
statement. I'm using "reachable-via any" since we are multi-homed.
Some/most packets are being blocked properly as far as I can tell, but
there are some sneaking through.
It looks like I'm running into two different problems, since even if RPF
wasn't running, the BGP blackhole should be dropping return traffic,
preventing the 3-way handshake. Any ideas on where to check next?
Thanks,
Rick
----
Example output:
IOS (tm) 7200 Software (C7200-JS-M), Version 12.1(22)E1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
interface Serial4/0
ip verify unicast source reachable-via any
#show ip int s4/0
Serial4/0 is up, line protocol is up
--
IP fast switching is enabled
IP fast switching on the same interface is enabled
IP Flow switching is enabled
IP CEF switching is enabled
IP Flow switching turbo vector
IP Flow CEF switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, Flow, CEF
--
IP verify source reachable-via ANY
4884188 verification drops
2214130000 suppressed verification drops
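As an added illustration (not from the original post or from Cisco), the model below walks through what loose-mode uRPF ("reachable-via any") does with the three cases the post touches: a source covered by an ordinary route, a source pointed at the Null0 black hole, and a source that fails the check but is exempted by an ACL on the RPF statement, which is the only condition under which the "suppressed verification drops" counter should move. The FIB, the bypass ACL and the sample sources are constructed; the allow-default handling models the IOS keyword of that name.

```python
import ipaddress

# Constructed FIB: prefix -> next hop. "Null0" models a remotely triggered
# black-hole route like the one the post describes for the offending source.
FIB = {
    ipaddress.ip_network("0.0.0.0/0"): "Serial4/0",        # default route
    ipaddress.ip_network("192.0.2.0/24"): "Serial4/0",     # ordinary customer route
    ipaddress.ip_network("198.51.100.77/32"): "Null0",     # black-holed source
}

# Constructed ACL standing in for the optional ACL argument of
# "ip verify unicast source reachable-via any <acl>": a source permitted here
# is forwarded despite failing RPF and is counted as a suppressed drop.
BYPASS_ACL = [ipaddress.ip_network("203.0.113.0/24")]

def longest_match(src):
    """Return the most specific FIB entry covering src, or None if there is none."""
    candidates = [net for net in FIB if src in net]
    return max(candidates, key=lambda net: net.prefixlen) if candidates else None

def urpf_loose(src_str, acl=BYPASS_ACL, allow_default=False):
    """Model loose-mode uRPF for one source address.

    Returns 'forward' when a usable route exists, 'suppressed' when the check
    fails but the bypass ACL permits the source, and 'drop' otherwise.
    A route to Null0 never satisfies the check, and the default route only
    counts when allow_default is set (modelling the IOS allow-default keyword).
    """
    src = ipaddress.ip_address(src_str)
    route = longest_match(src)
    passes = (
        route is not None
        and FIB[route] != "Null0"
        and (route.prefixlen > 0 or allow_default)
    )
    if passes:
        return "forward"
    if any(src in net for net in acl):
        return "suppressed"
    return "drop"

def count_verdicts(sources, **kwargs):
    """Tally verdicts the way the per-interface counters in the post would."""
    counts = {"forward": 0, "drop": 0, "suppressed": 0}
    for src in sources:
        counts[urpf_loose(src, **kwargs)] += 1
    return counts
```

With an empty ACL (acl=[]) the model never returns "suppressed", which is why a non-zero suppressed counter on an RPF statement with no ACL is worth a closer look.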