[c-nsp] loose uRPF on Sup720/3B

Gert Doering gert at greenie.muc.de
Wed Nov 14 06:45:08 EST 2012


Hi,

consider me confused on the operation of Sup720/3b with "loose uRPF"
configured.  So far, I thought I understood what it can and can not do:

 - uRPF for IPv4 can be done in hardware
 - loose or strict mode uRPF is a global setting for the whole box

so I decided to enable loose uRPF on one of our peering/uplink routers 
today, in preparation for BGP-signalled S-RTBH (no customer interfaces there,
no need for strict-mode interfaces):

interface GigabitEthernet1/1
 ip address 1.2.3.4 255.255.255.0
 ip access-group 110 in
 ip verify unicast source reachable-via any allow-default
 ip flow ingress
...

To see what it will do, I turned on "debug ip cef drops rpf", and got
lots of output - which I didn't expect, as nothing is null-routed yet:

Nov 14 12:33:55: CEF-Drop-Suppress: Packet from 62.176.255.250 via GigabitEthernet1/1 -- ip verify check (via-any)
Nov 14 12:33:55: CEF-Drop: Packet from 62.176.255.250 via GigabitEthernet1/1 -- via-rx
Nov 14 12:33:55: CEF-Drop-Suppress: Packet from 62.176.255.250 via GigabitEthernet1/1 -- ip verify check (via-any)
Nov 14 12:33:55: CEF-Drop: Packet from 62.176.255.250 via GigabitEthernet1/1 -- via-rx
Nov 14 12:33:55: CEF-Drop-Suppress: Packet from 62.176.255.250 via GigabitEthernet1/1 -- ip verify check (via-any)

... now, I can actually ping this address just fine, so it is not dropping,
and reading between the lines, it tells me so "I would drop, but I suppressed
the dropping":

cisco> show ip int g1/1
...
  Input features: Ingress-NetFlow, Access List, uRPF, MCI Check
...
  IP verify source reachable-via ANY, allow default
   0 verification drops
   34 suppressed verification drops
   0 verification drop-rate

so what is a "suppressed verification drop"?  And, much more important,
"will it still do that in hardware", or will loose-uRPF ("via any") punt
it into the software path for "some packets"?

This is on a Sup720/3B with 12.2(33)SXI2, and the amount of 
"suppressed verification drops" is fairly tiny compared to the 
58403 packets/sec input rate this particular interface has at the
moment - but I'm still slightly worried...

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
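[Editor's note, not part of Gert's message: the mechanism the post is preparing for, loose-mode uRPF used as the drop engine for source-based RTBH, is easy to misread, so here is an added Python model of the textbook uRPF decision. It is illustrative code written for this archive page, not Cisco's implementation and not anything from the thread: it models "ip verify unicast source reachable-via {any|rx} [allow-default]" as a longest-prefix FIB lookup on the source address, with the two rules that matter for S-RTBH: a source whose best route points to Null0 fails the check, and a default route only satisfies the check when allow-default is set. The FIB entries and source addresses are constructed sample data (documentation prefixes), and the interface names, the Fib/Route classes and urpf_passes() are this example's own names. It says nothing about the "suppressed verification drop" counter the post asks about.]

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical model of Cisco uRPF semantics; not vendor code.


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str  # e.g. "Gi1/1", or "Null0" for a blackhole route


class Fib:
    """Tiny longest-prefix-match table standing in for the router FIB."""

    def __init__(self, routes):
        self.routes = list(routes)

    def add(self, route):
        self.routes.append(route)

    def lookup(self, addr):
        addr = ipaddress.IPv4Address(addr)
        best = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


def urpf_passes(fib, src, ingress_iface, mode="any", allow_default=False):
    """Return True if a packet from `src` received on `ingress_iface` passes
    'ip verify unicast source reachable-via <mode> [allow-default]'.

    mode="any" is loose mode: any FIB route for the source will do.
    mode="rx"  is strict mode: the route must point back out the ingress interface.
    """
    route = fib.lookup(src)
    if route is None:
        return False  # no route at all for the source: drop in both modes
    if route.prefix.prefixlen == 0 and not allow_default:
        return False  # only a default route matches, and allow-default is off
    if route.out_iface == "Null0":
        return False  # S-RTBH: the blackholed source fails the check
    if mode == "rx":
        return route.out_iface == ingress_iface
    return True


def build_sample_fib():
    """Constructed sample FIB for an uplink router (documentation prefixes only)."""
    return Fib([
        Route(ipaddress.IPv4Network("0.0.0.0/0"), "Gi1/1"),       # upstream default
        Route(ipaddress.IPv4Network("10.0.0.0/8"), "Gi2/1"),      # customer behind Gi2/1
        Route(ipaddress.IPv4Network("192.0.2.0/24"), "Null0"),    # static bogon blackhole
    ])


def trigger_srtbh(fib, source_host):
    """Emulate the BGP-signalled trigger: install a /32 for the attack source via Null0."""
    fib.add(Route(ipaddress.IPv4Network(f"{source_host}/32"), "Null0"))


def classify(fib, sources, ingress_iface="Gi1/1", **kw):
    """Map each source to True (forward) or False (uRPF drop) under the given settings."""
    return {src: urpf_passes(fib, src, ingress_iface, **kw) for src in sources}


if __name__ == "__main__":
    fib = build_sample_fib()
    srcs = ["203.0.113.9", "203.0.113.7", "10.1.2.3", "192.0.2.5"]
    print("loose + allow-default, before trigger:", classify(fib, srcs, allow_default=True))
    trigger_srtbh(fib, "203.0.113.7")
    print("loose + allow-default, after trigger: ", classify(fib, srcs, allow_default=True))
    print("loose, no allow-default:             ", classify(fib, srcs))
    print("strict (rx) on Gi1/1:                ", classify(fib, srcs, mode="rx", allow_default=True))
```

The point the model makes: on an uplink with only a default route, loose mode without allow-default would drop nearly everything, which is why the post's config carries allow-default; with it, the only sources that fail are those with a more specific route to Null0, i.e. exactly the ones an S-RTBH trigger installs. Strict mode on the same interface would also drop the customer's 10/8 sources arriving from upstream, which is the asymmetry Gert avoids by not using strict mode there.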