[c-nsp] Loose uRPF behaving like strict mode on 7600
Jose
lobo at allstream.net
Sat May 9 12:18:10 EDT 2009
Jon Lewis wrote:
> On Wed, 6 May 2009, Jose wrote:
>
>> Well, according to the TAC case I had opened on this, it seems that
>> because the SUP32 has its TCAM full and is getting exception errors
>> (it has the full internet routing tables), this is likely the culprit
>> to why uRPF in loose mode is not behaving as expected.
>
> I glossed over the fact that you're running SUP32's with full BGP
> tables. I didn't think that was even possible due to TCAM limitations.
>
> The important bit from the URL I sent is:
>
> Configuring the Unicast RPF Check Mode
>
> There are two unicast RPF check modes:
>
> • Strict check mode, which verifies that the source IP address exists
> in the FIB table and verifies that the source IP address is reachable
> through the input port.
>
> • Exist-only check mode, which only verifies that the source IP
> address exists in the FIB table.
>
> Note: The most recently configured mode is automatically applied to all
> ports configured for unicast RPF check.
>
> I assumed you were trying to mix loose and strict RPF.
>
> Assuming you can't immediately upgrade to SUP720-3bxl or better, you
> might consider some filtering. Have a look at
> http://jonsblog.lewis.org/2008/01/19#bgp
>
> ----------------------------------------------------------------------
> Jon Lewis | I route
> Senior Network Engineer | therefore you are
> Atlantic Net |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
> ------------------------------------------------------------------------
Thanks for the tips Jon.
Jose
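
The two check modes and the note quoted above, modeled as an added example (not from the thread or from Cisco's documentation). The FIB entries, interface names and the `Chassis` class are constructed for illustration, and the model covers only the "most recently configured mode" note, not the TCAM exception condition from the TAC case.

```python
import ipaddress

# Constructed FIB for illustration: (prefix, interface the prefix is reachable through).
FIB = [
    (ipaddress.ip_network("192.0.2.0/24"), "Gi1/1"),
    (ipaddress.ip_network("198.51.100.0/24"), "Gi1/2"),
    (ipaddress.ip_network("198.51.100.128/25"), "Gi1/1"),  # more specific, other path
]

def fib_lookup(src):
    """Longest-prefix match on the source; returns an interface name or None."""
    addr = ipaddress.ip_address(src)
    matches = [(net.prefixlen, ifname) for net, ifname in FIB if addr in net]
    return max(matches)[1] if matches else None

def urpf_pass(src, in_if, mode):
    """strict: source is in the FIB and reachable through in_if.
    exist-only (loose): source is in the FIB, any interface."""
    out_if = fib_lookup(src)
    if out_if is None:
        return False          # unknown source fails both modes
    if mode == "exist-only":
        return True
    if mode == "strict":
        return out_if == in_if
    raise ValueError(f"unknown uRPF mode: {mode}")

class Chassis:
    """Hypothetical model of the quoted note: the most recently configured
    mode is applied to all ports configured for unicast RPF check."""
    def __init__(self):
        self.ports = {}

    def configure(self, port, mode):
        self.ports[port] = mode
        for p in self.ports:   # last mode wins chassis-wide
            self.ports[p] = mode

    def accepts(self, src, in_if):
        mode = self.ports.get(in_if)
        return True if mode is None else urpf_pass(src, in_if, mode)

if __name__ == "__main__":
    box = Chassis()
    box.configure("Gi1/2", "exist-only")   # intended loose on the transit port
    box.configure("Gi1/1", "strict")       # configured later, overrides Gi1/2
    # Asymmetric but valid source arriving on Gi1/2 is now dropped.
    print(box.ports, box.accepts("198.51.100.200", "Gi1/2"))
```
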