[c-nsp] loose uRPF on Sup720/3B
Gert Doering
gert at greenie.muc.de
Wed Nov 14 06:45:08 EST 2012
Hi,
consider me confused on the operation of Sup720/3B with "loose uRPF"
configured. So far, I thought I understood what it can and cannot do:
- uRPF for IPv4 can be done in hardware
- loose or strict mode uRPF is a global setting for the whole box
so I decided to enable loose uRPF on one of our peering/uplink routers
today, in preparation for BGP-signalled S-RTBH (no customer interfaces there,
no need for strict-mode interfaces):
interface GigabitEthernet1/1
ip address 1.2.3.4 255.255.255.0
ip access-group 110 in
ip verify unicast source reachable-via any allow-default
ip flow ingress
...
To see what it will do, I turned on "debug ip cef drops rpf", and got
lots of output - which I didn't expect, as nothing is null-routed yet:
Nov 14 12:33:55: CEF-Drop-Suppress: Packet from 62.176.255.250 via GigabitEthernet1/1 -- ip verify check (via-any)
Nov 14 12:33:55: CEF-Drop: Packet from 62.176.255.250 via GigabitEthernet1/1 -- via-rx
Nov 14 12:33:55: CEF-Drop-Suppress: Packet from 62.176.255.250 via GigabitEthernet1/1 -- ip verify check (via-any)
Nov 14 12:33:55: CEF-Drop: Packet from 62.176.255.250 via GigabitEthernet1/1 -- via-rx
Nov 14 12:33:55: CEF-Drop-Suppress: Packet from 62.176.255.250 via GigabitEthernet1/1 -- ip verify check (via-any)
... now, I can actually ping this address just fine, so it is not dropping,
and reading between the lines, it tells me so "I would drop, but I suppressed
the dropping":
cisco> show ip int g1/1
...
Input features: Ingress-NetFlow, Access List, uRPF, MCI Check
...
IP verify source reachable-via ANY, allow default
0 verification drops
34 suppressed verification drops
0 verification drop-rate
so what is a "suppressed verification drop"? And, much more important,
"will it still do that in hardware", or will loose-uRPF ("via any") punt
it into the software path for "some packets"?
This is on a Sup720/3B with 12.2(33)SXI2, and the amount of
"suppressed verification drops" is fairly tiny compared to the
58403 packets/sec input rate this particular interface has at the
moment - but I'm still slightly worried...
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
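An added example, not part of Gert's post, that models the three uRPF outcomes his output mentions (strict "via-rx" failure, loose "via-any" pass, and a null-routed source as used by S-RTBH) over a constructed FIB. It is a toy model of the decision logic, not Cisco's implementation; in particular the reading of a "via-rx" CEF-Drop followed by a "via-any" CEF-Drop-Suppress as "strict would drop, loose passed" is an assumption.

```python
import ipaddress

# Constructed FIB: prefix -> outgoing interface. "Null0" marks a blackhole route
# of the kind BGP-signalled S-RTBH installs. Interface names are made up.
FIB = {
    "0.0.0.0/0":    "Gi1/1",   # default route, points out the peering interface
    "1.2.3.0/24":   "Gi1/1",   # connected peering subnet from the post
    "10.0.0.0/8":   "Gi2/1",   # customer aggregate reachable via another interface
    "192.0.2.0/24": "Null0",   # source prefix blackholed via S-RTBH
}

def lpm(fib, src):
    """Longest-prefix match: return (network, out_interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, out_if in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, out_if)
    return best

def urpf_check(fib, src, ingress_if, mode="any", allow_default=False):
    """Return (verdict, reason). mode is 'rx' (strict) or 'any' (loose);
    allow_default mirrors the 'allow-default' keyword in the post's config."""
    match = lpm(fib, src)
    if match is None:
        return ("drop", "no route to source")
    net, out_if = match
    if net.prefixlen == 0 and not allow_default:
        return ("drop", "source matched only the default route")
    if out_if == "Null0":
        return ("drop", "source is null-routed")
    if mode == "rx" and out_if != ingress_if:
        return ("drop", f"via-rx: best path is {out_if}, packet arrived on {ingress_if}")
    return ("pass", f"via-{mode}")

def classify(fib, src, ingress_if, allow_default=True):
    """Assumed reading of the debug output: a packet failing the strict (via-rx)
    test but passing the configured loose (via-any) test is a 'suppressed' drop."""
    strict, _ = urpf_check(fib, src, ingress_if, "rx", allow_default)
    loose, why = urpf_check(fib, src, ingress_if, "any", allow_default)
    if loose == "drop":
        return "verification drop: " + why
    if strict == "drop":
        return "suppressed verification drop (via-rx failed, via-any passed)"
    return "pass"

if __name__ == "__main__":
    for src in ("10.1.2.3", "192.0.2.7", "203.0.113.5"):
        print(src, "->", classify(FIB, src, "Gi1/1"))
```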