Hi Ross,
This is a 'well-known' limitation of uRPF checking on sup720. It's
documented here (3rd bullet):
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/secure.html#wp1099693
Hope that helps,
Tim
At 12:04 PM 7/25/2011, Ross Halliday commented:
Hello list,
We recently did a forklift upgrade of a 6509 from a SUP2 unit to a
SUP720-3B box. At the same time I also plunked over a few VRFs which
had been living on an external router due to lack of VRF support on
the SUP2s. To my surprise one of the moved customers reported lack
of Internet connectivity (VPN was fine - they collocate a firewall)
at sites hanging off of the upgraded box. I determined that, though
I thought I copied everything properly, an SVI's uRPF got messed up
and was dropping packets from the Internet. In troubleshooting I
added "allow-default" to the "ip verify ..." line on the SVI and it
worked. Being connected to an internal VLAN that peers with other
switches in that VPN (we're not MPLS yet) where all other ingress
traffic is filtered I figured it was a redundant step so removed the
line completely.
Well, this afternoon I saw RANCID email me a list of changes from
that box. Every single SVI that used to have some incantation of
uRPF now has "ip verify unicast source reachable-via rx
allow-default allow-self-ping" on it. Explains how the
"allow-default" got removed in the first place; the next SVI I
pasted in doesn't have that bit.
Has anyone seen this before? I did a couple of quick searches but my
Google-fu is letting me down. Is there some secret that only one
possible stanza for uRPF is allowed on this box, unless the line isn't present?
Running 12.2(33)SXI4a on SUP720-3B in a 6509.
Thanks
Ross
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at
http://puck.nether.net/pipermail/cisco-nsp/
Tim Stevenson, tstev...@cisco.com
Routing & Switching CCIE #5561
Distinguished Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.
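The thread's practical lesson is that on this platform a uRPF stanza typed on one SVI can silently rewrite the stanza on every other SVI, and that the change only surfaced when RANCID diffed the config. The script below is an added example written for this page; it is not code from Tim, Ross, Cisco or RANCID. It parses IOS-style interface blocks, compares the intended per-SVI uRPF line against what the box is now running, and warns when the intended config asks for more than one distinct uRPF stanza, which the thread indicates the SUP720 will not honour (the most recently configured stanza ends up on every SVI). The interface names, VRF names and addresses in the two embedded configs are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample (not from the thread): the per-SVI uRPF lines as they were
# intended when the VRFs were moved onto the new supervisor.
INTENDED_CONFIG = """\
interface Vlan100
 description Customer A, VRF CUST-A
 ip vrf forwarding CUST-A
 ip address 10.0.100.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
interface Vlan200
 description internal VLAN peering with other switches in the VPN
 ip vrf forwarding CUST-A
 ip address 10.0.200.1 255.255.255.0
!
interface Vlan300
 description Customer B, VRF CUST-B
 ip vrf forwarding CUST-B
 ip address 10.0.30.1 255.255.255.0
 ip verify unicast source reachable-via any
!
"""

# Constructed sample: what the config collector pulled from the box afterwards.
# Every SVI that had a uRPF line now carries the same stanza; the SVI that had
# no uRPF line is untouched, matching what the thread describes.
CURRENT_CONFIG = """\
interface Vlan100
 description Customer A, VRF CUST-A
 ip vrf forwarding CUST-A
 ip address 10.0.100.1 255.255.255.0
 ip verify unicast source reachable-via rx allow-default allow-self-ping
!
interface Vlan200
 description internal VLAN peering with other switches in the VPN
 ip vrf forwarding CUST-A
 ip address 10.0.200.1 255.255.255.0
!
interface Vlan300
 description Customer B, VRF CUST-B
 ip vrf forwarding CUST-B
 ip address 10.0.30.1 255.255.255.0
 ip verify unicast source reachable-via rx allow-default allow-self-ping
!
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
URPF_RE = re.compile(r"^\s+(ip verify unicast\b.*?)\s*$")


def parse_urpf(config: str) -> Dict[str, Optional[str]]:
    """Map each interface name to its 'ip verify unicast ...' line (None if absent)."""
    result: Dict[str, Optional[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = None
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or any other top-level line ends the interface block
            continue
        u = URPF_RE.match(line)
        if u:
            result[current] = u.group(1)
    return result


def urpf_drift(intended: str, current: str) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Interfaces whose running uRPF line differs from the intended one."""
    want = parse_urpf(intended)
    have = parse_urpf(current)
    drift = []
    for iface in sorted(set(want) | set(have)):
        if want.get(iface) != have.get(iface):
            drift.append((iface, want.get(iface), have.get(iface)))
    return drift


def distinct_urpf_modes(config: str) -> Set[str]:
    """The set of different uRPF stanzas present in a config. On a box that
    applies one uRPF stanza to every SVI, more than one entry here is a red flag."""
    return {line for line in parse_urpf(config).values() if line is not None}


if __name__ == "__main__":
    modes = distinct_urpf_modes(INTENDED_CONFIG)
    if len(modes) > 1:
        print(f"warning: {len(modes)} different uRPF stanzas intended; a box that "
              "allows only one stanza will apply the most recently configured one everywhere")
    for iface, want, have in urpf_drift(INTENDED_CONFIG, CURRENT_CONFIG):
        print(f"{iface}: intended {want!r}, running {have!r}")
```

Run it against the two embedded configs and it reports Vlan100 and Vlan300 as drifted (Vlan200 never had uRPF and is unchanged), plus the warning that two distinct stanzas were intended. Pointing `CURRENT_CONFIG` at the text RANCID collects turns this into a check that fires before a customer notices dropped Internet traffic rather than after.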