[c-nsp] Common uRPF setting on all interfaces

Ross Halliday ross.halliday at wtccommunications.ca
Mon Jul 25 15:04:53 EDT 2011


Hello list,

We recently did a forklift upgrade of a 6509 from a SUP2 unit to a SUP720-3B box. At the same time I also plunked over a few VRFs which had been living on an external router due to lack of VRF support on the SUP2s. To my surprise one of the moved customers reported lack of Internet connectivity (VPN was fine - they collocate a firewall) at sites hanging off of the upgraded box. I determined that, though I thought I copied everything properly, an SVI's uRPF got messed up and was dropping packets from the Internet. In troubleshooting I added "allow-default" to the "ip verify ..." line on the SVI and it worked. Being connected to an internal VLAN that peers with other switches in that VPN (we're not MPLS yet) where all other ingress traffic is filtered I figured it was a redundant step so removed the line completely.

Well, this afternoon I saw RANCID email me a list of changes from that box. Every single SVI that used to have some incantation of uRPF now has "ip verify unicast source reachable-via rx allow-default allow-self-ping" on it. Explains how the "allow-default" got removed in the first place; the next SVI I pasted in doesn't have that bit.

Has anyone seen this before? I did a couple of quick searches but my Google-fu is letting me down. Is there some secret that only one possible stanza for uRPF is allowed on this box, unless the line isn't present?

Running 12.2(33)SXI4a on SUP720-3B in a 6509.

Thanks
Ross
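For readers unfamiliar with the two uRPF modes the post touches on, the following IOS configuration fragment is an added illustration and is not taken from the original message or from Ross's box. Interface names, the VRF name and the addresses are hypothetical. It shows strict-mode uRPF with the "allow-default" keyword that made the SVI work, loose mode as the alternative for interfaces that legitimately receive asymmetric traffic, and the show commands you would run after a paste to confirm what the switch actually kept.

```text
! Constructed example (not from the original post). Names and addresses are hypothetical.
!
! Strict mode ("reachable-via rx"): the packet's source must be reachable back out the
! interface it arrived on. Without "allow-default", a source covered only by 0.0.0.0/0
! fails the check, so Internet-sourced traffic arriving on an internal VLAN is dropped.
! "allow-self-ping" lets the router ping its own interface address despite the check.
interface Vlan100
 description Customer VRF internal VLAN (hypothetical)
 ip vrf forwarding CUST-A
 ip address 10.0.100.1 255.255.255.0
 ip verify unicast source reachable-via rx allow-default allow-self-ping
!
! Loose mode ("reachable-via any"): the source only has to exist in the FIB via some
! interface. Weaker anti-spoofing than strict mode, but it does not break asymmetric paths.
interface Vlan200
 description Peering VLAN where asymmetric return traffic is expected (hypothetical)
 ip vrf forwarding CUST-A
 ip address 10.0.200.1 255.255.255.0
 ip verify unicast source reachable-via any allow-default
!
! Checks after pasting configuration, to confirm what the box actually stored:
! show running-config interface Vlan100 | include verify
! show ip interface Vlan100 | include verif
! show ip traffic | include RPF
```

The first two show commands compare the stored line against what was pasted (the symptom described above is exactly a mismatch between the two), and the third exposes the unicast RPF drop counter, which should stop climbing once the interface carries the intended mode.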
