Correct. All uRPF has to be configured the same.

http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/secure.pdf

Page 4 - Note - The most recently configured mode is automatically applied to all ports configured for Unicast RPF check.

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ross Halliday
> Sent: Monday, July 25, 2011 3:05 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] Common uRPF setting on all interfaces
>
> Hello list,
>
> We recently did a forklift upgrade of a 6509 from a SUP2 unit to a
> SUP720-3B box. At the same time I also plunked over a few VRFs which
> had been living on an external router due to lack of VRF support on the
> SUP2s. To my surprise one of the moved customers reported lack of
> Internet connectivity (VPN was fine - they collocate a firewall) at
> sites hanging off of the upgraded box. I determined that, though I
> thought I copied everything properly, an SVI's uRPF got messed up and
> was dropping packets from the Internet. In troubleshooting I added
> "allow-default" to the "ip verify ..." line on the SVI and it worked.
> Being connected to an internal VLAN that peers with other switches in
> that VPN (we're not MPLS yet) where all other ingress traffic is
> filtered I figured it was a redundant step so removed the line
> completely.
>
> Well, this afternoon I saw RANCID email me a list of changes from that
> box. Every single SVI that used to have some incantation of uRPF now
> has "ip verify unicast source reachable-via rx allow-default
> allow-self-ping" on it. Explains how the "allow-default" got removed in
> the first place; the next SVI I pasted in doesn't have that bit.
>
> Has anyone seen this before? I did a couple of quick searches but my
> Google-fu is letting me down. Is there some secret that only one
> possible stanza for uRPF is allowed on this box, unless the line isn't
> present?
>
> Running 12.2(33)SXI4a on SUP720-3B in a 6509.
>
> Thanks
> Ross
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
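
An added example, not part of the thread or of Cisco's documentation: a pre-change check for the behaviour quoted from the guide, which lists the SVIs whose intended uRPF line would be overwritten when the most recently configured mode is applied to every uRPF-enabled port. The sample config, addresses and function names are constructed, and it assumes the config is pasted in file order.

```python
import re
from collections import defaultdict

# Constructed sample: intended SVI config, in the order it would be pasted.
SAMPLE_CONFIG = """\
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 ip verify unicast source reachable-via rx allow-default
!
interface Vlan200
 ip address 198.51.100.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
interface Vlan300
 ip address 203.0.113.1 255.255.255.0
!
interface Vlan400
 ip verify unicast source reachable-via rx allow-default allow-self-ping
!
"""

def urpf_by_interface(config):
    """Return {interface: uRPF options} in file order; interfaces without uRPF are skipped."""
    result, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            continue
        # Indented "ip verify unicast ..." only; " no ip verify ..." does not match.
        m = re.match(r"\s+ip verify unicast\s+(.*\S)", line)
        if m and current:
            result[current] = " ".join(m.group(1).split())
    return result

def distinct_modes(config):
    """Group interfaces by uRPF stanza; more than one key means the intent is mixed."""
    modes = defaultdict(list)
    for ifname, mode in urpf_by_interface(config).items():
        modes[mode].append(ifname)
    return dict(modes)

def predicted_changes(config):
    """Map interface -> (intended, last-configured) where the two differ."""
    per_if = urpf_by_interface(config)
    if not per_if:
        return {}
    last = list(per_if.values())[-1]  # assumption: last stanza in the file is configured last
    return {i: (m, last) for i, m in per_if.items() if m != last}

if __name__ == "__main__":
    for ifname, (want, got) in predicted_changes(SAMPLE_CONFIG).items():
        print(f"{ifname}: intended '{want}' -> would become '{got}'")
```

Running the same functions over successive RANCID snapshots shows the drift after the fact; running them over a candidate config shows it before the paste.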