[c-nsp] IPv6 uRPF broken on NCS5500 XR 6.2.3?
Chris Welti
chris.welti at switch.ch
Sat Feb 24 03:19:25 EST 2018
Hi David,

uRPF on the NCS5500 is a mess due to limitations of the Jericho chipset.
It has to do with the TCAM optimizations and twice the number of route
lookups needed for uRPF (src/dst).

From what I understand:

On SE-models for uRPF to work you need to disable double-capacity mode
(you will lose space for half of the routes!)

    hw-module tcam fib ipv4 scaledisable

depending on the software you are running, you might also need to
reserve IPv6 space in the eTCAM:

    hw-module profile tcam fib ipv4 unicast percent 50
    hw-module profile tcam fib ipv6 unicast percent 50

For non-SE models you need to disable all the iTCAM optimizations

    hw-module fib ipv4 scale host-optimized-disable
    hw-module fib ipv6 scale internet-optimized-disable

Unfortunately, that way the current full table won't fit anymore in
non-SE models.

IMHO it's best not to use uRPF at all on this platform.

See also bugID CSCvf44418, and the excellent Cisco Live presentation
"NCS5500: Deepdive in the Merchant Silicon High-end SP Routers -
BRKSPG-2900" from Nicolas Fevrier. Make sure you get the latest one from
Barcelona 2018, which includes details about uRPF.

Regards,
Chris

On 23.02.18 at 22:58, David Hubbard wrote:
> Hi all, curious if anyone has run into issues with IPv6 uRPF on NCS5500 and/or XR 6.2.3? I have an interface where I added:
>
> ipv4 verify unicast source reachable-via any
> ipv6 verify unicast source reachable-via any
>
> and immediately lost my ability to talk to a BGP peer connected to it using a local /126 range; no ping, tcp, etc. There’s obviously a route in FIB given it’s connected and up, but I did check. The same issue does not occur with the remote IPv4 peering address on a /30 net, suggesting uRPF for ipv4 doesn’t have the same bug.
>
> Thanks
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
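
The prerequisites listed in the reply above, turned into a configuration check; this is an added example, not part of the original thread and not Cisco tooling. It assumes the caller already knows whether the box is an SE or non-SE model; the function name `audit_urpf`, the result keys and the sample config are hypothetical, and only the command strings come from the thread.

```python
import re

# Prerequisite lines exactly as quoted in the post, keyed by hardware variant.
REQUIRED = {
    "se": ["hw-module tcam fib ipv4 scaledisable"],
    "non-se": ["hw-module fib ipv4 scale host-optimized-disable",
               "hw-module fib ipv6 scale internet-optimized-disable"],
}
# Per the post, SE models may also need these, depending on software version.
MAYBE = {
    "se": ["hw-module profile tcam fib ipv4 unicast percent 50",
           "hw-module profile tcam fib ipv6 unicast percent 50"],
    "non-se": [],
}
URPF = re.compile(r"(ipv4|ipv6) verify unicast source reachable-via \S+", re.I)


def audit_urpf(config, variant):
    """Return uRPF-enabled interfaces and the prerequisite lines not found."""
    present = {" ".join(ln.split()).lower() for ln in config.splitlines()}
    ifaces, current = {}, None
    for ln in config.splitlines():
        if ln.startswith("interface "):
            current = ln.split(None, 1)[1].strip()
        elif ln.strip() == "!":
            current = None
        elif current and (m := URPF.fullmatch(ln.strip())):
            ifaces.setdefault(current, []).append(m.group(1).lower())
    if not ifaces:  # no uRPF configured, so nothing is required
        return {"interfaces": {}, "missing_required": [], "missing_maybe": []}
    return {
        "interfaces": ifaces,
        "missing_required": [c for c in REQUIRED[variant] if c not in present],
        "missing_maybe": [c for c in MAYBE[variant] if c not in present],
    }


# Constructed sample config for illustration, not taken from a real device.
SAMPLE = """\
hw-module fib ipv4 scale host-optimized-disable
interface TenGigE0/0/0/1
 ipv4 verify unicast source reachable-via any
 ipv6 verify unicast source reachable-via any
!
interface TenGigE0/0/0/2
!
"""

if __name__ == "__main__":
    print(audit_urpf(SAMPLE, "non-se"))
```

Running such a check against a candidate config before commit flags an interface that would get uRPF without the TCAM settings the reply says it depends on.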