[c-nsp] Common uRPF setting on all interfaces

David Prall dcp at dcptech.com
Mon Jul 25 15:18:59 EDT 2011


Correct. All uRPF has to be configured the same.

http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/secure.pdf
Page 4 - Note - The most recently configured mode is automatically applied
to all ports configured for Unicast RPF check.

--
http://dcp.dcptech.com


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Ross Halliday
> Sent: Monday, July 25, 2011 3:05 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Common uRPF setting on all interfaces
> 
> Hello list,
> 
> We recently did a forklift upgrade of a 6509 from a SUP2 unit to a
> SUP720-3B box. At the same time I also plunked over a few VRFs which
> had been living on an external router due to lack of VRF support on the
> SUP2s. To my surprise one of the moved customers reported lack of
> Internet connectivity (VPN was fine - they collocate a firewall) at
> sites hanging off of the upgraded box. I determined that, though I
> thought I copied everything properly, an SVI's uRPF got messed up and
> was dropping packets from the Internet. In troubleshooting I added
> "allow-default" to the "ip verify ..." line on the SVI and it worked.
> Being connected to an internal VLAN that peers with other switches in
> that VPN (we're not MPLS yet) where all other ingress traffic is
> filtered I figured it was a redundant step so removed the line
> completely.
> 
> Well, this afternoon I saw RANCID email me a list of changes from that
> box. Every single SVI that used to have some incantation of uRPF now
> has "ip verify unicast source reachable-via rx allow-default allow-self-ping"
> on them. Explains how the "allow-default" got removed in the
> first place; the next SVI I pasted in doesn't have that bit.
> 
> Has anyone seen this before? I did a couple of quick searches but my
> Google-fu is letting me down. Is there some secret that only one
> possible stanza for uRPF is allowed on this box, unless the line isn't
> present?
> 
> Running 12.2(33)SXI4a on SUP720-3B in a 6509.
> 
> Thanks
> Ross
> 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
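An added example for this thread (not Cisco, RANCID, or either poster's code): a small Python audit that parses a constructed IOS-style config, lists the distinct "ip verify unicast" stanzas, and models the 7600/6500 behaviour quoted from the Cisco guide above by treating the last stanza in file order as the mode that ends up on every uRPF-enabled port when the config is pasted top to bottom. It then reports which SVIs would be silently rewritten and which run uRPF without allow-default, the combination that dropped the customer's Internet traffic. The interface names, addresses and the "last stanza wins" model are assumptions.

```python
"""Audit uRPF stanzas in a Cisco IOS-style configuration.

Added example for the thread above; not Cisco, RANCID, or the poster's code.
Assumption: on the platform discussed, the most recently configured uRPF mode
is applied to every port with uRPF enabled, so when a config is pasted top to
bottom the LAST stanza in file order is the one that wins.
"""

# Constructed sample config: interface names and addresses are made up.
SAMPLE_CONFIG = """\
interface Vlan100
 description customer A (Internet + VPN)
 ip address 192.0.2.1 255.255.255.0
 ip verify unicast source reachable-via rx allow-default allow-self-ping
!
interface Vlan200
 ip address 198.51.100.1 255.255.255.0
 ip verify unicast source reachable-via rx allow-default
!
interface Vlan300
 ip address 203.0.113.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
interface Vlan400
 ip address 192.0.2.129 255.255.255.128
!
"""


def parse_urpf(config_text):
    """Map each interface name to its 'ip verify unicast ...' line, or None.

    Dict insertion order is file order, which the audit below relies on.
    """
    stanzas = {}
    current = None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = None
        elif raw.startswith("!"):
            current = None  # section terminator
        elif current is not None:
            line = raw.strip()
            if line.startswith("ip verify unicast"):
                stanzas[current] = line
    return stanzas


def audit_urpf(config_text):
    """Return (distinct, effective, affected).

    distinct  - list of distinct uRPF stanzas in file order
    effective - the stanza modelled as winning (last in file order), or None
    affected  - interfaces whose written stanza differs from `effective`
    """
    stanzas = parse_urpf(config_text)
    distinct = []
    effective = None
    for line in stanzas.values():
        if line is None:
            continue
        if line not in distinct:
            distinct.append(line)
        effective = line
    affected = [intf for intf, line in stanzas.items()
                if line is not None and line != effective]
    return distinct, effective, affected


def missing_allow_default(config_text):
    """Interfaces with uRPF enabled but without the allow-default keyword.

    Without allow-default, strict uRPF (reachable-via rx) fails sources that
    are reachable only through the default route, which is how Internet-sourced
    traffic arriving on a customer SVI ends up dropped.
    """
    return [intf for intf, line in parse_urpf(config_text).items()
            if line is not None and "allow-default" not in line.split()]


if __name__ == "__main__":
    distinct, effective, affected = audit_urpf(SAMPLE_CONFIG)
    print("distinct uRPF stanzas:", len(distinct))
    print("effective after paste:", effective)
    print("interfaces that would silently change:", affected)
    print("uRPF without allow-default:", missing_allow_default(SAMPLE_CONFIG))
```

Run it against a saved `show running-config` before pasting a merged config onto the box: more than one distinct stanza means the platform will normalise them to whichever you configure last, and the affected list is exactly what RANCID would later show as changed.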
