[c-nsp] uRPF bug on C6k SXI1?

Phil Mayers p.mayers at imperial.ac.uk
Wed Nov 11 11:31:36 EST 2009


Peter Rathlev wrote:
> Hi Phil,
> 
> Thanks for the input.
> 
> On Tue, 2009-11-10 at 13:23 +0000, Phil Mayers wrote:
>> Do you have CoPP or MLS rate limiters? Is the traffic being CPU punted
>> (use a SPAN session to find out) and this rate-limiting what's causing
>> the drops?
> 
> No CoPP or rate-limiters configured, only defaults. Is there any way to
> see counters for the rate-limiters? The "show 
> 
>> If so, it could be a hardware/tcam programming error; we've seen a few
>> of these in obscure cases on SXI, and I've not found a reliable way to
>> clear them. Does a "shut" / "no shut" of the SVI fix the problem? Or
>> the various "clear" commands (e.g. "clear cef" etc.)
> 
> Well, I tried shutting/unshutting the SVI, and now I can't seem to
> recreate the problem. :-(

Yep, that sounds familiar. We've seen the problem with dodgy CEF 
prefixes "suddenly" go away when SVIs are shut/no shut. Someone 
suggested the next-hop MTU getting set wrong in the hardware and causing 
CPU punts, and that this can happen when SVIs come up/down very 
occasionally :o(

> 
>>> If I remove the "ip verify"-command and then add the version with
>>> "allow-default" directly, I have no problems. Without uRPF there's
>>> no problem either. Only when first entering the command without
>>> "allow-default" and then adding "allow-default" does the problem
>>> appear.
>> We haven't seen that, but have seen other issues where (apparently)
>> CEF entries are programmed incorrectly resulting in traffic being CPU
>> punted and having to pass through CoPP, and thus being very lossy.
> 
> I would really like to have looked more into this, but with the problem
> gone, I'm stuck: If it would happen again, is there any way to check
> what the rate-limiters/CoPP drops via some counters?

Well, CoPP drops can be seen with:

sh policy-map control-plane

...but if you haven't got it set up, you'll see nothing.

sh mls rate-limit

...shows the current config for MLS rate limiters, but again if you've 
not got it set up then the defaults are some pretty conservative 
multicast punts and nothing else IIRC.

Hmm.

