[c-nsp] Common uRPF setting on all interfaces

Tim Stevenson tstevens at cisco.com
Mon Jul 25 15:13:42 EDT 2011


Hi Ross,
This is a 'well-known' limitation of uRPF checking on sup720. It's 
documented here (3rd bullet):

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/secure.html#wp1099693


Hope that helps,
Tim


At 12:04 PM 7/25/2011, Ross Halliday commented:

>Hello list,
>
>We recently did a forklift upgrade of a 6509 from a SUP2 unit to a 
>SUP720-3B box. At the same time I also plunked over a few VRFs which 
>had been living on an external router due to lack of VRF support on 
>the SUP2s. To my surprise one of the moved customers reported lack 
>of Internet connectivity (VPN was fine - they collocate a firewall) 
>at sites hanging off of the upgraded box. I determined that, though 
>I thought I copied everything properly, an SVI's uRPF got messed up 
>and was dropping packets from the Internet. In troubleshooting I 
>added "allow-default" to the "ip verify ..." line on the SVI and it 
>worked. Being connected to an internal VLAN that peers with other 
>switches in that VPN (we're not MPLS yet) where all other ingress 
>traffic is filtered I figured it was a redundant step so removed the 
>line completely.
>
>Well, this afternoon I saw RANCID email me a list of changes from 
>that box. Every single SVI that used to have some incantation of 
>uRPF now has "ip verify unicast source reachable-via rx 
>allow-default allow-self-ping" on them. Explains how the 
>"allow-default" got removed in the first place; the next SVI I 
>pasted in doesn't have that bit.
>
>Has anyone seen this before? I did a couple of quick searches but my 
>Google-fu is letting me down. Is there some secret that only one 
>possible stanza for uRPF is allowed on this box, unless the line isn't present?
>
>Running 12.2(33)SXI4a on SUP720-3B in a 6509.
>
>Thanks
>Ross
>
>
>




Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Distinguished Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.
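As an added example (not code from the thread or from Cisco), a small audit script for the situation Ross describes: it parses a constructed snippet of Sup720 running-config, collects the exact "ip verify unicast" stanza on each interface, and reports whether every uRPF-enabled interface uses one common setting, which is what the platform enforces. Interface names and addresses below are made up.

```python
import re
from collections import defaultdict

# Constructed sample: most SVIs carry the rewritten stanza, one pasted-in
# SVI still has the stricter form, and one has no uRPF at all.
SAMPLE_CONFIG = """\
interface Vlan100
 ip vrf forwarding CUST-A
 ip address 192.0.2.1 255.255.255.0
 ip verify unicast source reachable-via rx allow-default allow-self-ping
!
interface Vlan200
 ip address 198.51.100.1 255.255.255.0
 ip verify unicast source reachable-via rx allow-default allow-self-ping
!
interface Vlan300
 ip address 203.0.113.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
interface Vlan400
 ip address 203.0.113.129 255.255.255.128
!
"""

def urpf_settings(config):
    """Return {interface: uRPF line or None} for every interface stanza."""
    settings = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            settings[current] = None
            continue
        if current and line.strip().startswith("ip verify unicast"):
            settings[current] = line.strip()
    return settings

def urpf_variants(config):
    """Group interfaces by exact uRPF stanza; interfaces without uRPF are skipped."""
    groups = defaultdict(list)
    for intf, stanza in urpf_settings(config).items():
        if stanza:
            groups[stanza].append(intf)
    return dict(groups)

def urpf_is_consistent(config):
    """True when all uRPF-enabled interfaces share one setting, as Sup720 requires."""
    return len(urpf_variants(config)) <= 1
```

Run it against a saved `show running-config` before pasting a new SVI; more than one variant means the box will silently rewrite the stanzas to a single form, as the RANCID diff showed.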



