[c-nsp] reverse path filtering doesn't seem to work

Justin Shore justin at justinshore.com
Fri Nov 20 14:06:54 EST 2009


Pete Templin wrote:

> I don't know how well it'll work on an unnumbered interface etc., but I 
> always add the option 'allow-self-ping' to my commands, i.e. 'ip ve u s 
> r r allow-s'.  I suspect that's related to your troubles.

I'm using uRPF and IP Unnumbered on DS1s today and all seems to be well.
I can ping the directly-connected target of the static route from the
PE too:

interface Serial1/0/3:0
  ip unnumbered Loopback197
  ip verify unicast source reachable-via rx
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  load-interval 30
  snmp trap ip verify drop-rate
  no cdp enable
  service-policy input Armstrong-in
  service-policy output Armstrong-out

Mike, can you make sure that IOS thinks uRPF is actually enabled?

sh ip int se0/0 | i uRPF

7206-1.bway#sh ip int se1/0/3:0 | i uRPF
   Input features: Stateful Inspection, CCE Input Classification, uRPF, QoS Marking, MCI Check


Are you seeing the drops in the sh ip int output or somewhere else?

Justin

