[c-nsp] loose uRPF on Sup720/3B

Brian Turnbow b.turnbow at twt.it
Wed Nov 14 10:30:23 EST 2012


Hi

> 
> Hi,
> 
> consider me confused on the operation of Sup720/3b with "loose uRPF"
> configured.  So far, I thought I understood what it can and can not do:
> 
>  - uRPF for IPv4 can be done in hardware
>  - loose or strict mode uRPF is a global setting for the whole box
> 
> so I decided to enable loose uRPF on one of our peering/uplink routers
> today, in preparation for BGP-signalled S-RTBH (no customer interfaces
> there , no need for strict-mode interfaces):
> 
> interface GigabitEthernet1/1
>  ip address 1.2.3.4 255.255.255.0
>  ip access-group 110 in
>  ip verify unicast source reachable-via any allow-default
>  ip flow ingress
> ...
> 
> To see what it will do, I turned on "debug ip cef drops rpf", and got
> lots of output - which I didn't expect, as nothing is null-routed yet:
> 
> Nov 14 12:33:55: CEF-Drop-Suppress: Packet from 62.176.255.250 via GigabitEthernet1/1 -- ip verify check (via-any)
> Nov 14 12:33:55: CEF-Drop: Packet from 62.176.255.250 via GigabitEthernet1/1 -- via-rx
> Nov 14 12:33:55: CEF-Drop-Suppress: Packet from 62.176.255.250 via GigabitEthernet1/1 -- ip verify check (via-any)
> Nov 14 12:33:55: CEF-Drop: Packet from 62.176.255.250 via GigabitEthernet1/1 -- via-rx
> Nov 14 12:33:55: CEF-Drop-Suppress: Packet from 62.176.255.250 via GigabitEthernet1/1 -- ip verify check (via-any)
> 
> ... now, I can actually ping this address just fine, so it is not
> dropping, and reading between the lines, it tells me so "I would drop,
> but I suppressed the dropping":
> 
> cisco> show ip int g1/1
> ...
>   Input features: Ingress-NetFlow, Access List, uRPF, MCI Check ...
>   IP verify source reachable-via ANY, allow default
>    0 verification drops
>    34 suppressed verification drops
>    0 verification drop-rate
> 
> so what is a "suppressed verification drop"?  And, much more important,
> "will it still do that in hardware", or will loose-uRPF ("via any") punt
> it into the software path for "some packets"?
> 

The suppressed verification drops are indeed packets that would have been dropped but are not. I admit I'm not 100% sure it is done in hardware... but we do this without any impact on sup720/3bxl and in the past on sup32, on links with much more traffic.
On one particular link where we do not accept a lot of routes but receive traffic:

6500-JN2#clear count  GigabitEthernet3/5
Clear "show interface" counters on this interface [confirm]
After roughly a minute
6500-JN2#sh ip int GigabitEthernet3/5

  IP verify source reachable-via ANY, allow default
   197 verification drops
   42249 suppressed verification drops
   0 verification drop-rate
  IP multicast multilayer switching is disabled

With no impact on cpu.
So I'd feel pretty safe betting it is in hardware.

Regards

Brian




> This is on a Sup720/3B with 12.2(33)SXI2, and the amount of "suppressed
> verification drops" is fairly tiny compared to the
> 58403 packets/sec input rate this particular interface has at the moment
> - but I'm still slightly worried...
> 
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> 
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

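The practical question in the thread is whether loose-mode uRPF is really dropping anything yet, which you answer by watching the "verification drops" and "suppressed verification drops" counters move over time. The following is an added example, not code from the thread or from Cisco: it parses the uRPF section of `show ip interface` (in the shape shown above; the "RX" spelling for strict mode and the 192.0.2.0/24 addresses in the two sample snapshots are assumptions, and all counter values are constructed) and compares two snapshots taken some seconds apart.

```python
"""Parse the uRPF block of Cisco IOS `show ip interface` and compare two
snapshots of the same interface.

Added example, not from the cisco-nsp thread. The two snapshots below are
constructed in the shape of the output posted there, with made-up counters
and documentation-range (192.0.2.0/24) addresses.
"""
import re
from dataclasses import dataclass
from typing import Optional

# "ANY" is loose mode (as shown on the page); "RX" for strict mode is an
# assumption about the IOS wording, not something the thread shows.
URPF_MODE_RE = re.compile(
    r"IP verify source reachable-via (?P<mode>ANY|RX)(?P<allow_default>, allow default)?"
)
COUNTER_RE = re.compile(
    r"^\s*(?P<value>\d+) "
    r"(?P<name>verification drops|suppressed verification drops|verification drop-rate)\s*$",
    re.M,
)


@dataclass
class UrpfStatus:
    mode: str            # "loose" or "strict"
    allow_default: bool  # "allow-default" keyword present
    drops: int           # packets actually discarded by the check
    suppressed: int      # packets that failed the check but were forwarded
    drop_rate: int


def parse_urpf(show_ip_int: str) -> Optional[UrpfStatus]:
    """Return the uRPF status, or None if uRPF is not configured on the interface."""
    m = URPF_MODE_RE.search(show_ip_int)
    if not m:
        return None
    counters = {c.group("name"): int(c.group("value")) for c in COUNTER_RE.finditer(show_ip_int)}
    return UrpfStatus(
        mode="loose" if m.group("mode") == "ANY" else "strict",
        allow_default=m.group("allow_default") is not None,
        drops=counters.get("verification drops", 0),
        suppressed=counters.get("suppressed verification drops", 0),
        drop_rate=counters.get("verification drop-rate", 0),
    )


def compare(before: UrpfStatus, after: UrpfStatus, seconds: float) -> dict:
    """Per-second deltas between two snapshots; raises if counters were cleared in between."""
    d_drop = after.drops - before.drops
    d_supp = after.suppressed - before.suppressed
    if d_drop < 0 or d_supp < 0:
        raise ValueError("counters went backwards; were they cleared between snapshots?")
    return {
        "dropped_pps": d_drop / seconds,
        "suppressed_pps": d_supp / seconds,
        "really_dropping": d_drop > 0,
    }


# Constructed snapshots, 60 seconds apart, modelled on the output in the thread.
SNAP_BEFORE = """\
GigabitEthernet1/1 is up, line protocol is up
  Internet address is 192.0.2.4/24
  Input features: Ingress-NetFlow, Access List, uRPF, MCI Check
  IP verify source reachable-via ANY, allow default
   0 verification drops
   34 suppressed verification drops
   0 verification drop-rate
  IP multicast multilayer switching is disabled
"""

SNAP_AFTER = SNAP_BEFORE.replace("34 suppressed", "1234 suppressed")


def demo() -> dict:
    before = parse_urpf(SNAP_BEFORE)
    after = parse_urpf(SNAP_AFTER)
    assert before is not None and after is not None
    return compare(before, after, seconds=60.0)


if __name__ == "__main__":
    print(parse_urpf(SNAP_BEFORE))
    print(demo())
```

Run it against two real captures a minute apart: a growing "suppressed" count with "dropped_pps" still zero is the state Gert describes (the check is evaluated but nothing is discarded), and the moment a null route for a source appears, "really_dropping" should flip to True on the uplink that carries traffic from that source.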
