[c-nsp] reverse path filtering doesn't seem to work
Mike
mike-cisconsplist at tiedyenetworks.com
Sat Nov 21 15:20:37 EST 2009
Justin Shore wrote:
> Pete Templin wrote:
>
>> I don't know how well it'll work on an unnumbered interface etc., but
>> I always add the option 'allow-self-ping' to my commands, i.e. 'ip ve
>> u s r r allow-s'. I suspect that's related to your troubles.
>
> I'm using uRPF and IP Unnumbered on DS1s today and all seems to be
> well. I can ping the directly-connected target of the static route
> from the PE too:
>
> interface Serial1/0/3:0
> ip unnumbered Loopback197
> ip verify unicast source reachable-via rx
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> load-interval 30
> snmp trap ip verify drop-rate
> no cdp enable
> service-policy input Armstrong-in
> service-policy output Armstrong-out
>
> Mike, can you make sure that IOS thinks uRPF is actually enabled?
>
> sh ip int se0/0 | i uRPF
>
> 7206-1.bway#sh ip int se1/0/3:0 | i uRPF
> Input features: Stateful Inspection, CCE Input Classification, uRPF,
> QoS Marking, MCI Check
>
>
> Are you seeing the drops in the sh ip int output or somewhere else?
>
Yes it's enabled per the above. The drops only occur when I use:
ip verify unicast source reachable-via rx
However, I discovered that if I instead use:
ip verify unicast source reachable-via any allow-default
That seems to at least not drop packets, but I haven't tested to see
whether it really will drop everything but the subnet routed down this link.
If I can ask, you seem to have something more than 'loopback 0'. Tell
me, how are your routes configured? I am assuming you just have a
static route pointing through the interface and not at 'loopback' anything,
yes?
Mike
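The difference between the two commands in the message above (strict mode, 'reachable-via rx', versus loose mode, 'reachable-via any allow-default') is exactly the untested question Mike raises. The following is an added example, not code from the original thread or from Cisco: a small Python model of the uRPF decision against a constructed FIB (the prefixes, interface names and routes are made up for illustration and are not the poster's router). It shows that strict mode only passes a source whose best route exits the receiving interface, that a default route satisfies neither mode unless allow-default is set, and that loose mode with allow-default passes any source that is routable at all, so it will not confine traffic to the subnet routed down the link.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # egress interface of the route in the FIB


# Constructed FIB for the example (hypothetical, not the poster's router):
# a default route toward the upstream, one customer subnet routed down the
# DS1 on which the uRPF check is applied, and one subnet on another port.
FIB = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet0/1"),
    Route(ipaddress.ip_network("192.0.2.0/24"), "Serial1/0/3:0"),
    Route(ipaddress.ip_network("198.51.100.0/24"), "GigabitEthernet0/2"),
]


def lookup(src):
    """Longest-prefix match for the source address; None if nothing matches."""
    addr = ipaddress.ip_address(src)
    best = None
    for r in FIB:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def urpf_check(src, ingress, mode="rx", allow_default=False):
    """Model of 'ip verify unicast source reachable-via {rx|any} [allow-default]'.

    Returns True if the packet passes the check, False if uRPF would drop it.
    mode="rx"  : strict; the best route for src must exit the receiving interface.
    mode="any" : loose; any route for src suffices.
    allow_default: whether a default route may satisfy the check at all.
    """
    route = lookup(src)
    if route is None:
        return False
    if route.prefix.prefixlen == 0 and not allow_default:
        # A default route never satisfies uRPF unless allow-default is configured.
        return False
    if mode == "rx":
        return route.interface == ingress
    if mode == "any":
        return True
    raise ValueError("unknown mode: %s" % mode)


def verdicts(ingress, packets):
    """Evaluate constructed packets (src, mode, allow_default) arriving on ingress."""
    return [(src, mode, allow_default, urpf_check(src, ingress, mode, allow_default))
            for src, mode, allow_default in packets]


if __name__ == "__main__":
    link = "Serial1/0/3:0"
    samples = [
        ("192.0.2.10", "rx", False),        # customer's own subnet: passes strict
        ("203.0.113.5", "rx", False),       # only the default route matches: dropped
        ("203.0.113.5", "any", True),       # loose + allow-default: passes
        ("198.51.100.7", "rx", False),      # spoofed source routed out another port: strict drops
        ("198.51.100.7", "any", True),      # loose mode lets the same spoof through
    ]
    for src, mode, allow_default, ok in verdicts(link, samples):
        flag = " allow-default" if allow_default else ""
        print("%-14s reachable-via %s%-14s -> %s" % (src, mode, flag, "pass" if ok else "DROP"))
```

Running the model shows why the second command "at least does not drop packets": with 'any allow-default' a source is only dropped when there is no route for it at all, so it is no substitute for strict mode if the goal is to drop everything except the subnet routed down the link.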