[c-nsp] asr9k dhcp relay + ipv4 verify unicast
Phil Mayers
p.mayers at imperial.ac.uk
Mon May 23 11:12:15 EDT 2016
On 23/05/16 16:02, Tarko Tikan wrote:
> hey,
>
>> interface BVI60004
>> ipv4 address 10.4.5.1 255.255.255.0
>> ipv4 verify unicast source reachable-via rx allow-self-ping
>
> Is this actual config or simplified? If simplified, is there VRRP/HSRP
> involved?
>
> If there is, it can be explained by the DHCP return packet hitting the other
> router (because it's sent to the GIADDR but you only announce your connected
> prefix). The other router then fails to send the packet to the original router
> via the connected interface because from the other router's POV it fails RPF
> (saddr: dhcp-server, daddr: giaddr).
Yep. A PITA...
Often this is safe because both HSRP/VRRP members will forward the
packet, both will be replied to (usually identically - the DHCP server will
tend to have allocated the lease already, so the 2nd gets the same
offer/ack) and one will be dropped, but the other will arrive.
route for router#1 giaddr -> router#1 (uRPF ok)
route for router#2 giaddr -> router#1 (uRPF fail)
But if you're in ECMP-enabled networks, you can have a nasty case where, from
the DHCP server's PoV:
ECMP hash for router#1 giaddr -> router #2 (uRPF fail)
ECMP hash for router#2 giaddr -> router #1 (uRPF fail)
...and both replies get dropped. This is statistically likely for approx
1/4 of networks (all other things being equal).
Yet another reason that "layer 3 up on standby" protocols suck.
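As an added example (not code from the post, and not anything from Cisco), here is a small Python model of the interaction Tarko and Phil describe: two relays sharing a client subnet on their BVIs, strict uRPF (`reachable-via rx`) on that BVI, and a DHCP server whose reply to the giaddr either takes a single best path or is ECMP-hashed across both routers. The addresses, interface names, the RIB and the hash enumeration are all constructed assumptions for illustration; the point it shows is which replies survive under strict versus loose uRPF, and why the ECMP case loses every reply in one of the four hash outcomes.

```python
"""
Model of the DHCP relay + strict uRPF interaction from the thread.

Added example, not code from the post or from Cisco. Topology, addresses,
interface names and the RIB are all constructed for illustration.
"""
import ipaddress
from itertools import product

DHCP_SERVER = "10.99.0.10"                      # constructed
ROUTERS = {"R1": "10.4.5.2", "R2": "10.4.5.3"}  # name -> giaddr (BVI address)

# Identical RIB on both routers: prefix -> egress interface (constructed).
RIB = {
    "10.4.5.0/24": "BVI60004",    # connected client subnet (the VRRP/HSRP LAN)
    "10.99.0.0/24": "Upstream",   # DHCP server's subnet, learned from the core
    "0.0.0.0/0": "Upstream",
}


def best_route(rib, addr):
    """Longest-prefix match: returns (network, egress interface) or None."""
    ip = ipaddress.ip_address(addr)
    hits = [(ipaddress.ip_network(p), i) for p, i in rib.items()
            if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None


def urpf_passes(rib, src, ingress, mode="rx", allow_default=False):
    """
    Models 'ipv4 verify unicast source reachable-via {rx|any} [allow-default]'.
    rx  (strict): the best route to src must point back out the ingress interface.
    any (loose):  any route to src is enough.
    Without allow-default, a match on the default route does not count.
    """
    hit = best_route(rib, src)
    if hit is None:
        return False
    net, egress = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    return egress == ingress if mode == "rx" else True


def reply_delivered(landing, owner, mode="rx"):
    """
    The DHCP server answers the relay's giaddr. 'landing' is the router the
    core hands that reply to, 'owner' the router whose giaddr it carries.
    Returns True if the owner ends up accepting the packet.
    """
    if landing == owner:
        # Arrives on the owner's upstream link; the server is reachable that way.
        return urpf_passes(RIB, DHCP_SERVER, "Upstream", mode)
    # Wrong router: it forwards the reply across the shared LAN to the owner,
    # whose BVI then sees src=DHCP server ingress from a direction the RIB
    # says that source is not reachable via. Strict uRPF drops it there.
    return urpf_passes(RIB, DHCP_SERVER, "BVI60004", mode)


def single_path_outcome(preferred="R1", mode="rx"):
    """Core has one best path to 10.4.5.0/24 (via 'preferred'): the HSRP/VRRP case."""
    return {owner: reply_delivered(preferred, owner, mode) for owner in ROUTERS}


def ecmp_outcomes(mode="rx"):
    """
    With two equal-cost paths the core hashes each (server -> giaddr) flow
    independently, so each reply lands on R1 or R2 with equal odds. Enumerate
    every hash outcome and count those where no reply at all gets through.
    Returns (cases_with_all_replies_lost, total_cases).
    """
    owners = list(ROUTERS)
    total = 0
    all_lost = 0
    for landing in product(owners, repeat=len(owners)):
        total += 1
        if not any(reply_delivered(l, o, mode) for l, o in zip(landing, owners)):
            all_lost += 1
    return all_lost, total


if __name__ == "__main__":
    print("strict, single path:", single_path_outcome())
    print("strict, ECMP: all replies lost in %d of %d hash outcomes" % ecmp_outcomes())
    print("loose,  single path:", single_path_outcome(mode="any"))
    print("loose,  ECMP: all replies lost in %d of %d hash outcomes" % ecmp_outcomes("any"))
```

With strict mode the single-path case reproduces Phil's two lines (router#1's reply arrives, router#2's is dropped), and the ECMP enumeration finds exactly one of the four hash outcomes in which both replies cross the LAN and both are dropped, i.e. the 1/4 figure. Switching the mode to `any` (loose uRPF) passes every reply in this model, because the DHCP server has a route in the RIB regardless of which interface it arrives on; whether that relaxation is acceptable on a customer-facing BVI is a separate policy decision the model does not make for you.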