[c-nsp] loose uRPF on Sup720/3B

Tóth András diosbejgli at gmail.com
Fri Nov 16 17:33:52 EST 2012


Hi Gert,

Note that although uRPF is done in hardware, a certain number of packets
will be punted to the CPU, which can be rate-limited with the 'mls
rate-limit unicast ip rpf-failure' command, details below in "uRPF Check
Failure" section.

By default this is enabled with a non-zero value (100 pps with a burst of 10).
Use a value of 0 to avoid packets being punted to the CPU; however, in this case
you will not see verification statistics in the 'sh ip int' output.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dos.html

Best regards,
Andras



On Wed, Nov 14, 2012 at 12:45 PM, Gert Doering <gert at greenie.muc.de> wrote:

> Hi,
>
> consider me confused on the operation of Sup720/3b with "loose uRPF"
> configured.  So far, I thought I understood what it can and can not do:
>
>  - uRPF for IPv4 can be done in hardware
>  - loose or strict mode uRPF is a global setting for the whole box
>
> so I decided to enable loose uRPF on one of our peering/uplink routers
> today, in preparation for BGP-signalled S-RTBH (no customer interfaces
> there, no need for strict-mode interfaces):
>
> interface GigabitEthernet1/1
>  ip address 1.2.3.4 255.255.255.0
>  ip access-group 110 in
>  ip verify unicast source reachable-via any allow-default
>  ip flow ingress
> ...
>
> To see what it will do, I turned on "debug ip cef drops rpf", and got
> lots of output - which I didn't expect, as nothing is null-routed yet:
>
> Nov 14 12:33:55: CEF-Drop-Suppress: Packet from 62.176.255.250 via
> GigabitEthernet1/1 -- ip verify check (via-any)
> Nov 14 12:33:55: CEF-Drop: Packet from 62.176.255.250 via
> GigabitEthernet1/1 -- via-rx
> Nov 14 12:33:55: CEF-Drop-Suppress: Packet from 62.176.255.250 via
> GigabitEthernet1/1 -- ip verify check (via-any)
> Nov 14 12:33:55: CEF-Drop: Packet from 62.176.255.250 via
> GigabitEthernet1/1 -- via-rx
> Nov 14 12:33:55: CEF-Drop-Suppress: Packet from 62.176.255.250 via
> GigabitEthernet1/1 -- ip verify check (via-any)
>
> ... now, I can actually ping this address just fine, so it is not dropping,
> and reading between the lines, it tells me so "I would drop, but I
> suppressed the dropping":
>
> cisco> show ip int g1/1
> ...
>   Input features: Ingress-NetFlow, Access List, uRPF, MCI Check
> ...
>   IP verify source reachable-via ANY, allow default
>    0 verification drops
>    34 suppressed verification drops
>    0 verification drop-rate
>
> so what is a "suppressed verification drop"?  And, much more important,
> "will it still do that in hardware", or will loose-uRPF ("via any") punt
> it into the software path for "some packets"?
>
> This is on a Sup720/3B with 12.2(33)SXI2, and the amount of
> "suppressed verification drops" is fairly tiny compared to the
> 58403 packets/sec input rate this particular interface has at the
> moment - but I'm still slightly worried...
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                            //
> www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
>
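A small parser for the two outputs quoted in the thread, as an added example that is not part of either message: it re-joins the mail-wrapped 'debug ip cef drops rpf' lines, tallies dropped versus suppressed checks per interface and source (with the peak number of lines per second, i.e. how hard the punt path is being hit), and pulls the uRPF counters out of 'show ip interface' so the suppressed count can be watched while tuning 'mls rate-limit unicast ip rpf-failure'. The sample log and counter block are constructed in the shape of the quoted output.

```python
import re
from collections import Counter, defaultdict
# Constructed sample shaped like the quoted debug lines, wrapping included.
DEBUG_LOG = """\
Nov 14 12:33:55: CEF-Drop-Suppress: Packet from 62.176.255.250 via
GigabitEthernet1/1 -- ip verify check (via-any)
Nov 14 12:33:55: CEF-Drop: Packet from 62.176.255.250 via
GigabitEthernet1/1 -- via-rx
Nov 14 12:33:55: CEF-Drop-Suppress: Packet from 62.176.255.250 via
GigabitEthernet1/1 -- ip verify check (via-any)
Nov 14 12:33:56: CEF-Drop: Packet from 10.0.0.9 via GigabitEthernet1/2 -- via-rx
"""
# Constructed sample of the uRPF block from 'show ip interface'.
SHOW_IP_INT = """\
  IP verify source reachable-via ANY, allow default
   0 verification drops
   34 suppressed verification drops
   0 verification drop-rate
"""
TS = r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d"
DROP_RE = re.compile(rf"^(?P<ts>{TS}): CEF-Drop(?P<sup>-Suppress)?: "
                     r"Packet from (?P<src>[\d.]+) via (?P<intf>\S+) -- (?P<reason>.+)$")
SHOW_RE = re.compile(r"^\s*(\d+) (verification drops|suppressed verification drops"
                     r"|verification drop-rate)$", re.M)

def unwrap(text):
    """Re-join debug lines that were wrapped onto a continuation line."""
    out = []
    for line in text.splitlines():
        if re.match(TS, line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line.strip()
    return out

def parse_debug(text):
    """Per (interface, source): dropped vs suppressed; per interface: peak lines/sec."""
    counts, per_sec = defaultdict(Counter), defaultdict(Counter)
    for line in unwrap(text):
        m = DROP_RE.match(line)
        if not m:
            continue
        counts[(m["intf"], m["src"])]["suppressed" if m["sup"] else "dropped"] += 1
        per_sec[m["intf"]][m["ts"]] += 1
    return dict(counts), {i: max(c.values()) for i, c in per_sec.items()}

def parse_show_ip_int(text):
    """Pull the three uRPF counters out of 'show ip interface' output."""
    return {name: int(n) for n, name in SHOW_RE.findall(text)}
```

A suppressed count that keeps climbing while 'verification drops' stays at 0 is the allow-default case from the thread: the check ran in software for those packets, but nothing was discarded.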

