[c-nsp] Loose uRPF behaving like strict mode on 7600
Jon Lewis
jlewis at lewis.org
Thu Apr 30 00:18:54 EDT 2009
On Wed, 29 Apr 2009, Jose wrote:
> I was wondering if someone might have an explanation as to why we encountered
> an issue with uRPF (loose mode) when we tried enabling it on our upstream
> facing links. We have 2 x 7603s w/ SUP32 acting as our Gwy routers and our
> transit providers connect into them (one on each gwy + private peers). We
> are fed from each of them the entire internet table along with a default
> route.
>
> Now I know that we are multi-homed and obviously have asymmetrical routing
> occurring so I decided to implement loose uRPF on the interfaces: ip verify
> unicast source reachable-via any
>
> However shortly after enabling it we got calls that our customers could not
> reach parts of the internet. Specifically destinations where the packets
> would travel over the links that had RPF enabled on them and were our
> transits. Traffic to and from our private peers appeared fine though with
> RPF. Pings to our internal CIDRs from external route-servers would fail as
> well so long as the path was over the transits. Disabling RPF on the
> interfaces resolved the problem immediately.
>
> From my understanding of this feature, it would seem as if the RPF check was
> working in strict mode vs loose mode. Could there have been something that
> we missed? Should the "allow-default" be used in this case? I've never had
> to use it before when I've implemented loose mode in other environments.
>
> The 7603s are running 12.2(18)SXF11 Advanced IP Services.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/hybrid/release/notes/ol_4563.html#wp210802
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
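
A small model of the strict and loose uRPF checks asked about in this thread, added here as an illustration and not taken from either poster or from Cisco. It models only the generic check semantics (including the effect of `allow-default`), not the 7600 forwarding hardware; the FIB entries, interface names and the one-path-per-prefix simplification are constructed assumptions.

```python
import ipaddress

# Constructed FIB: (prefix, egress interface). Documentation prefixes only.
# Assumption: one best path per prefix (no equal-cost multipath).
FIB = [
    ("0.0.0.0/0", "transit-a"),
    ("198.51.100.0/24", "transit-a"),
    ("203.0.113.0/24", "peer-b"),
]

def lookup(fib, src):
    """Longest-prefix match on the source; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best

def urpf_pass(fib, src, in_if, mode, allow_default=False):
    """True if a packet from src arriving on in_if passes the uRPF check."""
    hit = lookup(fib, src)
    if hit is None:
        return False                 # no route back to the source at all
    net, ifname = hit
    if net.prefixlen == 0 and not allow_default:
        return False                 # only the default route matched
    if mode == "loose":
        return True                  # reachable via any interface
    return ifname == in_if           # strict: route must point out in_if

if __name__ == "__main__":
    # Asymmetric case: source is routed via peer-b but arrives on transit-a.
    for mode in ("strict", "loose"):
        print(mode, urpf_pass(FIB, "203.0.113.10", "transit-a", mode))
    # Source covered only by the default route, with and without allow-default.
    for allow in (False, True):
        print("loose allow_default=%s" % allow,
              urpf_pass(FIB, "192.0.2.1", "transit-a", "loose", allow))
```

With a full table plus a default route, as described in the question, the two modes only differ for sources whose best route points out a different interface than the one the packet arrived on.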