Justin Shore wrote:
Pete Templin wrote:
I don't know how well it'll work on an unnumbered interface etc., but
I always add the option 'allow-self-ping' to my commands, i.e. 'ip ve
u s r r allow-s'. I suspect that's related to your troubles.
I'm using uRPF and IP Unnumbered on DS1s today and all seems to be
well. I can ping the directly-connected target of the static route
from the PE too:
interface Serial1/0/3:0
 ip unnumbered Loopback197
 ip verify unicast source reachable-via rx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 load-interval 30
 snmp trap ip verify drop-rate
 no cdp enable
 service-policy input Armstrong-in
 service-policy output Armstrong-out
Mike, can you make sure that IOS thinks uRPF is actually enabled?
sh ip int se0/0 | i uRPF
7206-1.bway#sh ip int se1/0/3:0 | i uRPF
Input features: Stateful Inspection, CCE Input Classification, uRPF,
QoS Marking, MCI Check
Are you seeing the drops in the sh ip int output or somewhere else?
Yes it's enabled per the above. The drops only occur when I use:
ip verify unicast source reachable-via rx
However, I discovered that if I instead use:
ip verify unicast source reachable-via any allow-default
That seems to at least not drop packets, but I haven't tested to see
whether it really will drop everything but the subnet routed down this link.
If I can ask, you seem to have something more than 'loopback 0' - tell
me, how are your routes configured - I am assuming you just have a
static route pointing thru the interface and not at 'loopback' anything,
yes?
Mike
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
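
The difference between the two 'ip verify unicast source' forms discussed in this thread, as an added example that is not from any poster or from IOS itself: a simplified model of the strict (rx) and loose (any) checks, showing which spoofed sources each form still accepts on the customer link. The FIB entries, the prefixes, the GigabitEthernet interface names and the presence of a default route are constructed assumptions.

```python
import ipaddress

# Constructed FIB for a PE: (prefix, egress interface). Documentation prefixes only.
FIB = [
    ("0.0.0.0/0", "GigabitEthernet0/1"),       # assumed default route toward the core
    ("192.0.2.0/24", "Serial1/0/3:0"),         # customer static route down the DS1
    ("198.51.100.0/24", "GigabitEthernet0/2"),  # some other customer
]

def lookup(src, fib=FIB):
    """Longest-prefix match on the source; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best

def urpf_permits(src, in_if, mode, allow_default=False, fib=FIB):
    """Simplified uRPF decision. mode 'rx' = strict, 'any' = loose."""
    hit = lookup(src, fib)
    if hit is None:
        return False
    net, ifname = hit
    if net.prefixlen == 0 and not allow_default:
        return False            # matching only the default route does not count
    if mode == "rx":
        return ifname == in_if  # strict: reverse path must be the ingress interface
    return True                 # loose: any matching FIB entry is enough

def report(in_if="Serial1/0/3:0"):
    """Rows of (source, strict, loose, loose + allow-default) for three sources."""
    sources = ["192.0.2.10",     # legitimate: inside the routed customer subnet
               "198.51.100.7",   # spoofed: belongs to another customer
               "203.0.113.99"]   # spoofed: covered only by the default route
    return [(s,
             urpf_permits(s, in_if, "rx"),
             urpf_permits(s, in_if, "any"),
             urpf_permits(s, in_if, "any", allow_default=True))
            for s in sources]

if __name__ == "__main__":
    for row in report():
        print("%-15s strict=%-5s loose=%-5s loose+allow-default=%s" % row)
```

In this model, once a default route exists, 'reachable-via any allow-default' accepts every source address, so only the strict form restricts the link to the subnet routed down it.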