Hi Ross,
This is a 'well-known' limitation of uRPF checking on sup720. It's documented here (3rd bullet):

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/secure.html#wp1099693


Hope that helps,
Tim


At 12:04 PM 7/25/2011, Ross Halliday commented:

Hello list,

We recently did a forklift upgrade of a 6509 from a SUP2 unit to a SUP720-3B box. At the same time I also plunked over a few VRFs which had been living on an external router due to lack of VRF support on the SUP2s. To my surprise one of the moved customers reported lack of Internet connectivity (VPN was fine - they colocate a firewall) at sites hanging off of the upgraded box. I determined that, though I thought I copied everything properly, an SVI's uRPF got messed up and was dropping packets from the Internet. In troubleshooting I added "allow-default" to the "ip verify ..." line on the SVI and it worked. Being connected to an internal VLAN that peers with other switches in that VPN (we're not MPLS yet) where all other ingress traffic is filtered, I figured it was a redundant step so removed the line completely.

Well, this afternoon I saw RANCID email me a list of changes from that box. Every single SVI that used to have some incantation of uRPF now has "ip verify unicast source reachable-via rx allow-default allow-self-ping" on it. That explains how the "allow-default" got removed in the first place; the next SVI I pasted in doesn't have that bit.

Has anyone seen this before? I did a couple of quick searches but my Google-fu is letting me down. Is there some secret that only one possible stanza for uRPF is allowed on this box, unless the line isn't present?

Running 12.2(33)SXI4a on SUP720-3B in a 6509.

Thanks
Ross



_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/




Tim Stevenson, tstev...@cisco.com
Routing & Switching CCIE #5561
Distinguished Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.
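As an added example (not from either poster), a small Python audit that parses an intended and a running IOS config, lists the distinct "ip verify unicast" stanzas present, and reports the SVIs whose stanza the box rewrote, which is the drift RANCID flagged in Ross's message. Both configs are constructed; the interface names and address are assumptions.

```python
import re

# Constructed configs (not from the original post). INTENDED is what the operator
# pasted; RUNNING is what the Sup720 shows afterwards, with the Vlan200 stanza
# rewritten to match the one already present on the box.
INTENDED = """\
interface Vlan100
 ip verify unicast source reachable-via rx allow-default allow-self-ping
!
interface Vlan200
 ip verify unicast source reachable-via rx
!
interface Vlan300
 ip address 192.0.2.1 255.255.255.0
!
"""
RUNNING = INTENDED.replace(
    " ip verify unicast source reachable-via rx\n",
    " ip verify unicast source reachable-via rx allow-default allow-self-ping\n")

IFACE_RE = re.compile(r"^interface (\S+)\s*$")
URPF_RE = re.compile(r"^\s+ip verify unicast (\S.*?)\s*$")

def urpf_by_interface(config):
    """Map interface name -> 'ip verify unicast' options, or None if uRPF is absent."""
    result, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = None
        elif current and (m := URPF_RE.match(line)):
            result[current] = m.group(1)
    return result

def urpf_modes(config):
    """Distinct uRPF stanzas present in the config (the upgraded box collapsed these to one)."""
    return {m for m in urpf_by_interface(config).values() if m is not None}

def urpf_drift(intended, running):
    """(interface, intended stanza, running stanza) for each SVI whose stanza differs."""
    want, have = urpf_by_interface(intended), urpf_by_interface(running)
    return sorted((i, want[i], have.get(i)) for i in want if want[i] != have.get(i))

if __name__ == "__main__":
    for iface, want, have in urpf_drift(INTENDED, RUNNING):
        print(f"{iface}: configured '{want}' but running '{have}'")
```

Feeding it the config you pasted and the one RANCID later pulled shows exactly which SVIs lost their original options.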

