[c-nsp] loose uRPF on Sup720/3B

Jon Lewis jlewis at lewis.org
Wed Nov 14 11:55:30 EST 2012


On Wed, 14 Nov 2012, Pete Templin wrote:

> On 11/14/12 3:45 AM, Gert Doering wrote:
>
>>   ip verify unicast source reachable-via any allow-default
>
>> so what is a "suppressed verification drop"?  And, much more important,
>> "will it still do that in hardware", or will loose-uRPF ("via any") punt
>> it into the software path for "some packets"?
>
> Brian gave a decent response, but because I'm drinking my morning coffee I 
> feel the urge to add another reply for you (since it'll delay my departure 
> for work).  A suppressed verification drop is a packet that would have 
> dropped with 'ip verify unicast source reachable-via [any|rx]', but didn't 
> drop because you added options (which can be allow-default, allow-self-ping, 
> and/or an ACL to punch some additional holes).

So that suggests that the suppressed drops were suppressed by 
allow-default and that Gert doesn't have full routes on this device, which 
is a given since it's a non-XL 3B.

----------------------------------------------------------------------
  Jon Lewis, MCP :)           |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
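
The counter behaviour described in this thread, as an added illustration that is not part of the original posts and not Cisco code: a small model of loose uRPF in which a source matched only by the default route is either dropped or, with allow-default, forwarded and counted as a suppressed drop. The class name, result strings and sample prefixes are constructed for the example, and the ACL and allow-self-ping options are not modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Counters:
    drops: int = 0        # verification drops
    suppressed: int = 0   # suppressed verification drops


class LooseUrpf:
    """Model of 'ip verify unicast source reachable-via any [allow-default]'."""

    def __init__(self, routes, allow_default=False):
        self.fib = [ipaddress.ip_network(r) for r in routes]
        self.allow_default = allow_default
        self.counters = Counters()

    def _best_match(self, src):
        # Longest-prefix match of the packet's SOURCE address against the FIB.
        addr = ipaddress.ip_address(src)
        matches = [n for n in self.fib if addr in n]
        return max(matches, key=lambda n: n.prefixlen, default=None)

    def check(self, src):
        best = self._best_match(src)
        if best is None:
            # No route at all to the source: always a verification drop.
            self.counters.drops += 1
            return "drop"
        if best.prefixlen == 0:
            # Only the default route covers the source. Loose uRPF would drop
            # this; allow-default lets it through and counts it as suppressed.
            if self.allow_default:
                self.counters.suppressed += 1
                return "forward (suppressed drop)"
            self.counters.drops += 1
            return "drop"
        return "forward"


if __name__ == "__main__":
    # Constructed partial table with a default route, as on a box without full routes.
    fib = ["0.0.0.0/0", "192.0.2.0/24", "198.51.100.0/24"]
    for allow in (False, True):
        urpf = LooseUrpf(fib, allow_default=allow)
        for src in ("192.0.2.10", "203.0.113.5", "198.51.100.77"):
            print(f"allow_default={allow} src={src}: {urpf.check(src)}")
        print(urpf.counters)
```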

