Re: [c-nsp] Common uRPF setting on all interfaces

2011-07-26 Thread Mack McBride
IPv6 urpf supposedly available on sup2T and per interface configuration.
Don't have my hands on one so cannot verify.

Mack

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Gert Doering
Sent: Monday, July 25, 2011 2:34 PM
To: Ross Halliday
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Common uRPF setting on all interfaces

Hi,

On Mon, Jul 25, 2011 at 03:04:53PM -0400, Ross Halliday wrote:
> Has anyone seen this before? I did a couple of quick searches but my 
> Google-fu is letting me down. Is there some secret that only one 
> possible stanza for uRPF is allowed on this box, unless the line isn't 
> present?

Exactly this.  The box can only do a single mode of uRPF on all interfaces that 
have uRPF active.  Hardware limitation.

(And no IPv6 uRPF in hardware at all)

gert
--
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Common uRPF setting on all interfaces

2011-07-25 Thread Gert Doering
Hi,

On Mon, Jul 25, 2011 at 03:04:53PM -0400, Ross Halliday wrote:
> Has anyone seen this before? I did a couple of quick searches
> but my Google-fu is letting me down. Is there some secret that only
> one possible stanza for uRPF is allowed on this box, unless the
> line isn't present?

Exactly this.  The box can only do a single mode of uRPF on all interfaces
that have uRPF active.  Hardware limitation.

(And no IPv6 uRPF in hardware at all)

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de



Re: [c-nsp] Common uRPF setting on all interfaces

2011-07-25 Thread Ross Halliday
Ah... interesting. Thanks very much for your help guys.

Cheers
Ross


> -Original Message-
> From: David Prall [mailto:d...@dcptech.com]
> Sent: Monday, July 25, 2011 3:19 PM
> To: Ross Halliday; cisco-nsp@puck.nether.net
> Subject: RE: [c-nsp] Common uRPF setting on all interfaces
> 
> Correct. All uRPF has to be configured the same.
> 
> http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/secure.pdf
> Page 4 - Note - The most recently configured mode is automatically applied
> to all ports configured for Unicast RPF check.
> 
> --
> http://dcp.dcptech.com
> 
> 
> > -Original Message-
> > From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
> > boun...@puck.nether.net] On Behalf Of Ross Halliday
> > Sent: Monday, July 25, 2011 3:05 PM
> > To: cisco-nsp@puck.nether.net
> > Subject: [c-nsp] Common uRPF setting on all interfaces
> >
> > Hello list,
> >
> > We recently did a forklift upgrade of a 6509 from a SUP2 unit to a
> > SUP720-3B box. At the same time I also plunked over a few VRFs which
> > had been living on an external router due to lack of VRF support on the
> > SUP2s. To my surprise one of the moved customers reported lack of
> > Internet connectivity (VPN was fine - they collocate a firewall) at
> > sites hanging off of the upgraded box. I determined that, though I
> > thought I copied everything properly, an SVI's uRPF got messed up and
> > was dropping packets from the Internet. In troubleshooting I added
> > "allow-default" to the "ip verify ..." line on the SVI and it worked.
> > Being connected to an internal VLAN that peers with other switches in
> > that VPN (we're not MPLS yet) where all other ingress traffic is
> > filtered I figured it was a redundant step so removed the line
> > completely.
> >
> > Well, this afternoon I saw RANCID email me a list of changes from that
> > box. Every single SVI that used to have some incantation of uRPF now
> > have "ip verify unicast source reachable-via rx allow-default allow-
> > self-ping" on them. Explains how the "allow-default" got removed in the
> > first place; the next SVI I pasted in doesn't have that bit.
> >
> > Has anyone seen this before? I did a couple of quick searches but my
> > Google-fu is letting me down. Is there some secret that only one
> > possible stanza for uRPF is allowed on this box, unless the line isn't
> > present?
> >
> > Running 12.2(33)SXI4a on SUP720-3B in a 6509.
> >
> > Thanks
> > Ross
> >
> >
> >
> > ___
> > cisco-nsp mailing list  cisco-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/




Re: [c-nsp] Common uRPF setting on all interfaces

2011-07-25 Thread David Prall
Correct. All uRPF has to be configured the same.

http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/secure.pdf
Page 4 - Note - The most recently configured mode is automatically applied
to all ports configured for Unicast RPF check.

--
http://dcp.dcptech.com


> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
> boun...@puck.nether.net] On Behalf Of Ross Halliday
> Sent: Monday, July 25, 2011 3:05 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] Common uRPF setting on all interfaces
> 
> Hello list,
> 
> We recently did a forklift upgrade of a 6509 from a SUP2 unit to a
> SUP720-3B box. At the same time I also plunked over a few VRFs which
> had been living on an external router due to lack of VRF support on the
> SUP2s. To my surprise one of the moved customers reported lack of
> Internet connectivity (VPN was fine - they collocate a firewall) at
> sites hanging off of the upgraded box. I determined that, though I
> thought I copied everything properly, an SVI's uRPF got messed up and
> was dropping packets from the Internet. In troubleshooting I added
> "allow-default" to the "ip verify ..." line on the SVI and it worked.
> Being connected to an internal VLAN that peers with other switches in
> that VPN (we're not MPLS yet) where all other ingress traffic is
> filtered I figured it was a redundant step so removed the line
> completely.
> 
> Well, this afternoon I saw RANCID email me a list of changes from that
> box. Every single SVI that used to have some incantation of uRPF now
> have "ip verify unicast source reachable-via rx allow-default allow-
> self-ping" on them. Explains how the "allow-default" got removed in the
> first place; the next SVI I pasted in doesn't have that bit.
> 
> Has anyone seen this before? I did a couple of quick searches but my
> Google-fu is letting me down. Is there some secret that only one
> possible stanza for uRPF is allowed on this box, unless the line isn't
> present?
> 
> Running 12.2(33)SXI4a on SUP720-3B in a 6509.
> 
> Thanks
> Ross
> 
> 
> 
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/



Re: [c-nsp] Common uRPF setting on all interfaces

2011-07-25 Thread Tim Stevenson

Hi Ross,
This is a 'well-known' limitation of uRPF checking on sup720. It's 
documented here (3rd bullet):


http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/secure.html#wp1099693


Hope that helps,
Tim


At 12:04 PM 7/25/2011, Ross Halliday commented:

> Hello list,
>
> We recently did a forklift upgrade of a 6509 from a SUP2 unit to a
> SUP720-3B box. At the same time I also plunked over a few VRFs which
> had been living on an external router due to lack of VRF support on
> the SUP2s. To my surprise one of the moved customers reported lack
> of Internet connectivity (VPN was fine - they collocate a firewall)
> at sites hanging off of the upgraded box. I determined that, though
> I thought I copied everything properly, an SVI's uRPF got messed up
> and was dropping packets from the Internet. In troubleshooting I
> added "allow-default" to the "ip verify ..." line on the SVI and it
> worked. Being connected to an internal VLAN that peers with other
> switches in that VPN (we're not MPLS yet) where all other ingress
> traffic is filtered I figured it was a redundant step so removed the
> line completely.
>
> Well, this afternoon I saw RANCID email me a list of changes from
> that box. Every single SVI that used to have some incantation of
> uRPF now have "ip verify unicast source reachable-via rx
> allow-default allow-self-ping" on them. Explains how the
> "allow-default" got removed in the first place; the next SVI I
> pasted in doesn't have that bit.
>
> Has anyone seen this before? I did a couple of quick searches but my
> Google-fu is letting me down. Is there some secret that only one
> possible stanza for uRPF is allowed on this box, unless the line isn't present?
>
> Running 12.2(33)SXI4a on SUP720-3B in a 6509.
>
> Thanks
> Ross
>
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/





Tim Stevenson, tstev...@cisco.com
Routing & Switching CCIE #5561
Distinguished Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759

The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.




[c-nsp] Common uRPF setting on all interfaces

2011-07-25 Thread Ross Halliday
Hello list,

We recently did a forklift upgrade of a 6509 from a SUP2 unit to a SUP720-3B 
box. At the same time I also plunked over a few VRFs which had been living on 
an external router due to lack of VRF support on the SUP2s. To my surprise one 
of the moved customers reported lack of Internet connectivity (VPN was fine - 
they collocate a firewall) at sites hanging off of the upgraded box. I 
determined that, though I thought I copied everything properly, an SVI's uRPF 
got messed up and was dropping packets from the Internet. In troubleshooting I 
added "allow-default" to the "ip verify ..." line on the SVI and it worked. 
Being connected to an internal VLAN that peers with other switches in that VPN 
(we're not MPLS yet) where all other ingress traffic is filtered I figured it 
was a redundant step so removed the line completely.

Well, this afternoon I saw RANCID email me a list of changes from that box. 
Every single SVI that used to have some incantation of uRPF now have "ip verify 
unicast source reachable-via rx allow-default allow-self-ping" on them. 
Explains how the "allow-default" got removed in the first place; the next SVI I 
pasted in doesn't have that bit.

Has anyone seen this before? I did a couple of quick searches but my Google-fu 
is letting me down. Is there some secret that only one possible stanza for uRPF 
is allowed on this box, unless the line isn't present?

Running 12.2(33)SXI4a on SUP720-3B in a 6509.

Thanks
Ross



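The failure mode in this thread, one platform-wide uRPF mode silently overwriting every SVI's stanza, is cheaper to catch before a paste than after RANCID reports the diff. The following Python script is an added example, not code from the thread, from Cisco or from RANCID; it parses a constructed IOS-style running-config excerpt (`SAMPLE_CONFIG`, made up for this example) and reports when more than one distinct `ip verify unicast` stanza is present, which on the SUP720 described above means the most recently configured one will be applied to every uRPF-enabled port.

```python
"""Flag mixed uRPF stanzas in an IOS-style running-config (added example)."""
import re
import sys
from collections import defaultdict

# Constructed sample running-config excerpt; not captured from a real device.
# Vlan100 carries the flags Ross's box ended up with everywhere, Vlan200 and
# Vlan300 carry two other variants, Vlan400 has no uRPF at all.
SAMPLE_CONFIG = """\
!
interface Vlan100
 description Customer A - internal VLAN (constructed)
 ip address 10.100.0.1 255.255.255.0
 ip verify unicast source reachable-via rx allow-default allow-self-ping
!
interface Vlan200
 description Customer B - Internet edge (constructed)
 ip address 10.200.0.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
interface Vlan300
 description Transit VLAN (constructed)
 ip address 10.30.0.1 255.255.255.0
 ip verify unicast source reachable-via any allow-default
!
interface Vlan400
 ip address 10.40.0.1 255.255.255.0
!
"""

# Captures everything after "ip verify unicast" so any mode/flag combination
# (reachable-via rx/any, allow-default, allow-self-ping) is kept verbatim.
URPF_RE = re.compile(r"^\s*ip verify unicast\s+(.*)$")


def parse_urpf(config_text):
    """Return {interface_name: normalised_urpf_stanza} for every interface
    that carries an 'ip verify unicast' line."""
    result = {}
    current = None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            continue
        if line.strip() == "!":          # IOS block terminator
            current = None
            continue
        m = URPF_RE.match(line)
        if m and current is not None:
            # Collapse whitespace so "rx  allow-default" == "rx allow-default"
            result[current] = " ".join(m.group(1).split())
    return result


def urpf_modes(config_text):
    """Group interfaces by their exact uRPF stanza: {stanza: [interfaces]}."""
    groups = defaultdict(list)
    for intf, stanza in parse_urpf(config_text).items():
        groups[stanza].append(intf)
    return dict(groups)


def check_single_mode(config_text):
    """Return (ok, report_lines). ok is False when more than one distinct
    stanza exists; on a box that only supports one global uRPF mode, the
    last stanza configured will be applied to all uRPF-enabled ports."""
    groups = urpf_modes(config_text)
    report = [f"{stanza}: {', '.join(sorted(intfs))}"
              for stanza, intfs in sorted(groups.items())]
    return len(groups) <= 1, report


if __name__ == "__main__":
    # Usage: python urpf_check.py [saved-show-running-config.txt]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    ok, report = check_single_mode(text)
    print("OK: single uRPF mode" if ok
          else "WARNING: mixed uRPF stanzas; last one configured wins")
    for line in report:
        print("  " + line)
```

Run it against a saved `show running-config` before pasting new SVIs onto the box. Differences in trailing flags such as `allow-default` or `allow-self-ping` are reported as distinct stanzas on purpose, because those are exactly the parts that were collapsed in Ross's case; a clean result means every uRPF-enabled interface already agrees on the one mode the hardware will enforce.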