Re: [c-nsp] SXI3 strange issue, Loose mode uRPF jumps to strict by itself
On (2010-07-29 23:07 +0200), bas wrote:

> ACL's for customers is too much work, tedious and prone to mistakes.

It can be. In an ideal world routers are only touched when testing new products or troubleshooting software defects. Master configuration should live in a customer database out of which configuration is generated for the live network, and periodically the live network is imported back if the configuration is within policy and acceptable, or reverted/marked unmanaged if not. If you live in this ideal world or a subset of it, you could just generate the ACL. But of course very few have anything like this (SPs rarely understand that computers are cheaper than we are, maybe it is a blessing).

> Seeing IPv4 depletion is almost here loose mode on upstream does not
> make sense any more.
> So I guess we'll move away from that.

Biggest benefit of loose is the ability to do source based blackholing, i.e. you make 'ip route 192.0.2.42 255.255.255.255 null0 tag xyzzy' in one router and magically packets from 192.0.2.42 get dropped on every peering cisco of yours having uRPF/loose configured.

Just FYI, up to EARL7.5 6500/7600 does not support any uRPF for IPv6, and with ACLs you either ACL up to /128 and no L4 lookups or you ACL up to /88 with L4 lookups. Default is no L4 lookups in ACL at all, which to me is unacceptable. So unless you are going to replace the routers before deploying IPv6, I guess it will be worth your time to develop a system for ACL generation.

Also thank you for being part of the community and stopping your customers from spoofing.

-- 
++ytti
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] SXI3 strange issue, Loose mode uRPF jumps to strict by itself
CSCec39733 added just such a warning ages ago, back in the 12.1 days - but I just checked a c6k running 12.2(33)SXH and it's not there any more, so there seems to be a regression.

Tim

At 08:25 PM 7/29/2010, Church, Charles submitted:

> I got bit by this just a couple weeks ago. Building a new core router for a location, couldn't ping up through the Sidewinder gateways I'm only a little familiar with. Blaming it on my lack of Sidewinder experience, turns out my default had changed to strict mode after changing the inward facing ints to strict. Doh! Seems like a warning message would be nice, like they do with portfast.
>
> Chuck Church
> Network Planning Engineer, CCIE #8776
> Southcom Harris IT Services

Tim Stevenson, tstev...@cisco.com
Routing & Switching CCIE #5561
Distinguished Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759
The contents of this message may be *Cisco Confidential* and are intended for the specified recipients only.
Re: [c-nsp] SXI3 strange issue, Loose mode uRPF jumps to strict by itself
I got bit by this just a couple weeks ago. Building a new core router for a location, couldn't ping up through the Sidewinder gateways I'm only a little familiar with. Blaming it on my lack of Sidewinder experience, turns out my default had changed to strict mode after changing the inward facing ints to strict. Doh! Seems like a warning message would be nice, like they do with portfast.

Chuck Church
Network Planning Engineer, CCIE #8776
Southcom Harris IT Services
1210 N. Parker Rd. Greenville, SC 29609
Office: 864-335-9473
Cell: 864-266-3978
E-mail: charles.chu...@harris.com
Southcom E-mail: charles.church@hq.southcom.mil

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jared Mauch
Sent: Thursday, July 29, 2010 3:32 PM
To: bas
Cc: Cisco
Subject: Re: [c-nsp] SXI3 strange issue, Loose mode uRPF jumps to strict by itself

On the SUP720/EARL7 unicast-rpf is a global setting on the device. If someone changes *any* interface to strict, all interfaces with u-rpf enabled will change to strict.

- jared
Re: [c-nsp] SXI3 strange issue, Loose mode uRPF jumps to strict by itself
Hi All,

Thanks for your replies. I guess I've been lucky to have never run into this before. (6 years working with sup720's)

On Thu, Jul 29, 2010 at 9:37 PM, Saku Ytti wrote:
> On (2010-07-29 21:21 +0200), bas wrote:
>
> Up-to EARL7.5 (inclusive you) 6500/7600 support only chassis wide uRPF
> setting. Change one setting, chassis wide setting changes.
> That is, do not mix customer and peering ports in them. If you must,
> use ACLs for customers, not uRPF.

ACL's for customers is too much work, tedious and prone to mistakes.

Seeing IPv4 depletion is almost here, loose mode on upstream does not make sense any more. So I guess we'll move away from that.

Thanks again,

Bas
Re: [c-nsp] SXI3 strange issue, Loose mode uRPF jumps to strict by itself
Yes,

This is true on all 6500/7600 platforms with all code. I don't know why they put the loose/strict as an interface level setting since it is global.

Mack

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jared Mauch
Sent: Thursday, July 29, 2010 1:32 PM
To: bas
Cc: Cisco
Subject: Re: [c-nsp] SXI3 strange issue, Loose mode uRPF jumps to strict by itself

On the SUP720/EARL7 unicast-rpf is a global setting on the device. If someone changes *any* interface to strict, all interfaces with u-rpf enabled will change to strict.

- jared
Re: [c-nsp] SXI3 strange issue, Loose mode uRPF jumps to strict by itself
Hi,

On Thu, Jul 29, 2010 at 09:21:49PM +0200, bas wrote:
> A couple of minutes before the problems started an engineer had
> configured a customer facing interface with strict mode uRPF.
> Apparently this configuration change triggered a bug that caused
> upstream interface loose mode to be automagically turned to strict
> mode.

That's documented. The box can only run a single uRPF mode globally - so "all uRPF interfaces loose" or "all uRPF interfaces strict", no combinations possible. Hardware limitation, as far as I understand.

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
g...@greenie.muc.de
fax: +49-89-35655025
g...@net.informatik.tu-muenchen.de
Re: [c-nsp] SXI3 strange issue, Loose mode uRPF jumps to strict by itself
>> A couple of minutes before the problems started an engineer had
>> configured a customer facing interface with strict mode uRPF.

This could be the issue. I believe once you changed one interface to strict mode, all other interfaces will be changed to strict mode. In other words, it behaves like a global command.

Regards,
Leung
Re: [c-nsp] SXI3 strange issue, Loose mode uRPF jumps to strict by itself
On (2010-07-29 21:21 +0200), bas wrote:

> All upstream interfaces had strict mode uRPF configured, before the
> problems started it was loose mode uRPF.

Up-to EARL7.5 (inclusive you) 6500/7600 support only chassis wide uRPF setting. Change one setting, chassis wide setting changes. That is, do not mix customer and peering ports in them. If you must, use ACLs for customers, not uRPF.

-- 
++ytti
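The chassis-wide behaviour Saku, Jared and Gert describe is easy to catch before a change is pushed. As an added example that is not from the thread and not Cisco's code, the checker below parses an IOS running configuration, records which interfaces carry loose (`reachable-via any`) or strict (`reachable-via rx`, or the older `ip verify unicast reverse-path` form) uRPF, and reports the loose-configured interfaces that would silently become strict on a single-mode Sup720/EARL7 box, which is exactly the upstream/peering ports Saku says not to mix with strict customer ports. The configuration, interface names and descriptions are constructed for the example.

```python
"""Lint an IOS configuration for mixed uRPF modes.

Added example (not code from the thread or from Cisco).  On Catalyst 6500/7600
with Sup720/EARL7 (through EARL7.5) the uRPF mode is chassis-wide: putting
strict mode on one interface makes every uRPF-enabled interface strict.  This
checker flags that before the config is applied.  SAMPLE_CONFIG is constructed.
"""
import re
from typing import Dict, List, Optional

SAMPLE_CONFIG = """\
hostname core-6506
!
interface TenGigabitEthernet1/1
 description Upstream: transit-a
 ip address 203.0.113.2 255.255.255.252
 ip verify unicast source reachable-via any
!
interface TenGigabitEthernet1/2
 description Peering: ix-port
 ip address 198.51.100.2 255.255.255.0
 ip verify unicast source reachable-via any
!
interface GigabitEthernet2/3
 description Customer: cust-42
 ip address 192.0.2.1 255.255.255.252
 ip verify unicast source reachable-via rx
!
interface GigabitEthernet2/4
 description Customer: cust-43 (no uRPF, ingress ACL instead)
 ip address 192.0.2.5 255.255.255.252
 ip access-group cust-43-in in
!
"""

_IFACE = re.compile(r"^interface (\S+)")
# "reachable-via any" is loose, "reachable-via rx" is strict; the legacy
# "ip verify unicast reverse-path" form is strict as well.
_URPF = re.compile(
    r"^ ip verify unicast (?:source reachable-via (rx|any)|reverse-path)")


def urpf_modes(config: str) -> Dict[str, str]:
    """Map every interface that has uRPF configured to 'loose' or 'strict'."""
    modes: Dict[str, str] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        m = _IFACE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("!"):
            current = None  # end of the interface stanza
            continue
        m = _URPF.match(line)
        if m and current:
            modes[current] = "loose" if m.group(1) == "any" else "strict"
    return modes


def effective_modes(config: str) -> Dict[str, str]:
    """Mode each uRPF interface actually runs on a single-mode chassis:
    one strict interface drags all of them to strict."""
    modes = urpf_modes(config)
    if "strict" in modes.values():
        return {iface: "strict" for iface in modes}
    return modes


def find_mixed_modes(config: str) -> List[str]:
    """Interfaces configured loose whose mode will NOT be honoured, because
    some other interface on the same chassis is strict."""
    modes = urpf_modes(config)
    if "strict" in modes.values() and "loose" in modes.values():
        return sorted(i for i, m in modes.items() if m == "loose")
    return []


if __name__ == "__main__":
    for iface in find_mixed_modes(SAMPLE_CONFIG):
        print(f"{iface}: configured loose, will run strict on this chassis")
```

Run against a candidate configuration in a pre-change check, a non-empty result from `find_mixed_modes()` is the signal to either keep the customer port on an ingress ACL instead of strict uRPF, or to accept that the upstreams go strict and lose source-based blackholing.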
Re: [c-nsp] SXI3 strange issue, Loose mode uRPF jumps to strict by itself
On the SUP720/EARL7 unicast-rpf is a global setting on the device. If someone changes *any* interface to strict, all interfaces with u-rpf enabled will change to strict.

- jared
[c-nsp] SXI3 strange issue, Loose mode uRPF jumps to strict by itself
Hi All,

Yesterday we had a strange issue. Our monitoring tool alerted that one of our boxes (SUP720-3BXL - 6506 running SXI3) became unreachable.

When we logged in everything looked ok. BGP was up, OSPF was up and nothing special in logging. Still traffic had dropped to near zero.

With "debug ip cef drop" we immediately saw that traffic was dropped due to the uRPF feature. All upstream interfaces had strict mode uRPF configured; before the problems started it was loose mode uRPF.

After manually changing them back to loose mode traffic was restored.

A couple of minutes before the problems started an engineer had configured a customer facing interface with strict mode uRPF. Apparently this configuration change triggered a bug that caused upstream interface loose mode to be automagically turned to strict mode.

So, hereby a heads up. If your SXI3 boxes show strange behavior, quickly check uRPF.

Cya,

Bas