[c-nsp] Common uRPF setting on all interfaces

Ross Halliday ross.halliday at wtccommunications.ca
Mon Jul 25 16:04:38 EDT 2011


Ah... interesting. Thanks very much for your help guys.

Cheers
Ross


> -----Original Message-----
> From: David Prall [mailto:dcp at dcptech.com]
> Sent: Monday, July 25, 2011 3:19 PM
> To: Ross Halliday; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Common uRPF setting on all interfaces
> 
> Correct. All uRPF has to be configured the same.
> 
> http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/secure.pdf
> Page 4 - Note - The most recently configured mode is automatically
> applied to all ports configured for Unicast RPF check.
> 
> --
> http://dcp.dcptech.com
> 
> 
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of Ross Halliday
> > Sent: Monday, July 25, 2011 3:05 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Common uRPF setting on all interfaces
> >
> > Hello list,
> >
> > We recently did a forklift upgrade of a 6509 from a SUP2 unit to a
> > SUP720-3B box. At the same time I also plunked over a few VRFs which
> > had been living on an external router due to lack of VRF support on
> > the SUP2s. To my surprise one of the moved customers reported lack of
> > Internet connectivity (VPN was fine - they collocate a firewall) at
> > sites hanging off of the upgraded box. I determined that, though I
> > thought I copied everything properly, an SVI's uRPF got messed up and
> > was dropping packets from the Internet. In troubleshooting I added
> > "allow-default" to the "ip verify ..." line on the SVI and it worked.
> > Being connected to an internal VLAN that peers with other switches in
> > that VPN (we're not MPLS yet) where all other ingress traffic is
> > filtered I figured it was a redundant step so removed the line
> > completely.
> >
> > Well, this afternoon I saw RANCID email me a list of changes from
> > that box. Every single SVI that used to have some incantation of uRPF
> > now has "ip verify unicast source reachable-via rx allow-default
> > allow-self-ping" on it. Explains how the "allow-default" got removed
> > in the first place; the next SVI I pasted in doesn't have that bit.
> >
> > Has anyone seen this before? I did a couple of quick searches but my
> > Google-fu is letting me down. Is there some secret that only one
> > possible stanza for uRPF is allowed on this box, unless the line
> > isn't present?
> >
> > Running 12.2(33)SXI4a on SUP720-3B in a 6509.
> >
> > Thanks
> > Ross
> >
> >
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
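The behaviour discussed in this thread (on the 6500/SUP720 the most recently configured "ip verify unicast source reachable-via" mode is applied to every interface with uRPF enabled, so pasting one SVI silently rewrites the rest) is easiest to catch before the paste, by auditing the config for divergent uRPF stanzas. The script below is an added example written for this archive page, not code from the list or from Cisco; the sample running-config fragment is constructed for illustration, and the `parse_urpf`/`audit`/`report` names are this example's own.

```python
"""Audit a Cisco IOS running-config for inconsistent uRPF interface settings.

Added example (not from the cisco-nsp thread). Per the 7600/6500 12.2SX
security configuration guide quoted in the thread, the uRPF mode is
chassis-wide: the last "ip verify unicast source reachable-via ..." line
configured is applied to all uRPF-enabled ports. A config that shows
different modes or options on different SVIs is therefore not what the
hardware is actually doing, and the next paste will rewrite them all.
"""
import re
from collections import defaultdict

# Constructed sample running-config fragment (not a real device).
SAMPLE_CONFIG = """\
!
interface Vlan100
 description Internet transit
 ip address 192.0.2.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
interface Vlan200
 description Customer VPN (VRF)
 ip vrf forwarding CUST-A
 ip address 198.51.100.1 255.255.255.0
 ip verify unicast source reachable-via rx allow-default allow-self-ping
!
interface Vlan300
 ip address 203.0.113.1 255.255.255.0
 ip verify unicast source reachable-via any
!
interface Vlan400
 ip address 203.0.113.129 255.255.255.128
!
"""

# Matches the strict (rx) and loose (any) forms; trailing tokens are the
# options (allow-default, allow-self-ping, an ACL) kept as a set.
URPF_RE = re.compile(r"^\s*ip verify unicast (?:source )?reachable-via (rx|any)(.*)$")


def parse_urpf(config):
    """Return {interface: (mode, frozenset(options))} for interfaces with uRPF."""
    result = {}
    iface = None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
            continue
        if iface is None:
            continue
        m = URPF_RE.match(line)
        if m:
            result[iface] = (m.group(1), frozenset(m.group(2).split()))
    return result


def audit(config):
    """Group interfaces by uRPF setting.

    Returns (settings, consistent): settings maps a (mode, options) tuple to
    the sorted interfaces using it; consistent is True only when a single
    setting is present, which is the only state a 12.2SX SUP720 can hold.
    """
    by_setting = defaultdict(list)
    for iface, setting in parse_urpf(config).items():
        by_setting[setting].append(iface)
    settings = {k: sorted(v) for k, v in by_setting.items()}
    return settings, len(settings) <= 1


def report(config):
    """Human-readable summary with a warning when settings diverge."""
    settings, consistent = audit(config)
    lines = []
    for (mode, opts), ifaces in sorted(settings.items(),
                                       key=lambda kv: (kv[0][0], sorted(kv[0][1]))):
        opt_str = " ".join(sorted(opts)) or "(no options)"
        lines.append(f"reachable-via {mode} {opt_str}: {', '.join(ifaces)}")
    if not consistent:
        lines.append("WARNING: mixed uRPF settings; on a 6500/SUP720 running 12.2SX "
                     "the last one configured is applied to every uRPF interface")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

Run it against the config RANCID archived before the upgrade and again after the cutover; any interface listed under a second setting is one that the box has already (or will shortly) rewrite to match whichever stanza was pasted last.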
