Hi Gert,

Note that although uRPF is done in hardware, a certain number of packets will be punted to the CPU, which can be rate-limited with the 'mls rate-limit unicast ip rpf-failure' command; details are below in the "uRPF Check Failure" section.

By default this is enabled with a non-zero value (100 pps with 10 burst). Use a value of 0 to avoid packets being punted to the CPU; however, in this case you'll not see verification statistics in the 'sh ip int' output.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dos.html

Best regards,
Andras

On Wed, Nov 14, 2012 at 12:45 PM, Gert Doering <[email protected]> wrote:
> Hi,
>
> consider me confused on the operation of Sup720/3b with "loose uRPF"
> configured. So far, I thought I understood what it can and can not do:
>
> - uRPF for IPv4 can be done in hardware
> - loose or strict mode uRPF is a global setting for the whole box
>
> so I decided to enable loose uRPF on one of our peering/uplink routers
> today, in preparation for BGP-signalled S-RTBH (no customer interfaces
> there, no need for strict-mode interfaces):
>
> interface GigabitEthernet1/1
>  ip address 1.2.3.4 255.255.255.0
>  ip access-group 110 in
>  ip verify unicast source reachable-via any allow-default
>  ip flow ingress
>  ...
>
> To see what it will do, I turned on "debug ip cef drops rpf", and got
> lots of output - which I didn't expect, as nothing is null-routed yet:
>
> Nov 14 12:33:55: CEF-Drop-Suppress: Packet from 62.176.255.250 via GigabitEthernet1/1 -- ip verify check (via-any)
> Nov 14 12:33:55: CEF-Drop: Packet from 62.176.255.250 via GigabitEthernet1/1 -- via-rx
> Nov 14 12:33:55: CEF-Drop-Suppress: Packet from 62.176.255.250 via GigabitEthernet1/1 -- ip verify check (via-any)
> Nov 14 12:33:55: CEF-Drop: Packet from 62.176.255.250 via GigabitEthernet1/1 -- via-rx
> Nov 14 12:33:55: CEF-Drop-Suppress: Packet from 62.176.255.250 via GigabitEthernet1/1 -- ip verify check (via-any)
>
> ... now, I can actually ping this address just fine, so it is not dropping,
> and reading between the lines, it tells me so "I would drop, but I suppressed
> the dropping":
>
> cisco> show ip int g1/1
> ...
>   Input features: Ingress-NetFlow, Access List, uRPF, MCI Check
> ...
>   IP verify source reachable-via ANY, allow default
>    0 verification drops
>    34 suppressed verification drops
>    0 verification drop-rate
>
> so what is a "suppressed verification drop"? And, much more important,
> "will it still do that in hardware", or will loose-uRPF ("via any") punt
> it into the software path for "some packets"?
>
> This is on a Sup720/3B with 12.2(33)SXI2, and the amount of
> "suppressed verification drops" is fairly tiny compared to the
> 58403 packets/sec input rate this particular interface has at the
> moment - but I'm still slightly worried...
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                            //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             [email protected]
> fax: +49-89-35655025                        [email protected]
>
> _______________________________________________
> cisco-nsp mailing list  [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
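As an added example (not part of the thread, and not Cisco's own tooling), here is a small Python parser for the two kinds of output Gert quoted: the uRPF block of 'show ip interface' and the 'debug ip cef drops rpf' lines. It separates the "verification drops" counter (packets actually discarded) from "suppressed verification drops" (packets the check flagged but let through), and tallies CEF-Drop versus CEF-Drop-Suppress debug lines per source and interface, which is what you would want to watch while rolling out loose uRPF ahead of S-RTBH. The sample text is constructed from the excerpts in the thread; the function names and the "clean / suppressed-only / dropping" classification are my own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the "show ip int g1/1" excerpt in the thread.
SHOW_IP_INT_SAMPLE = """\
GigabitEthernet1/1 is up, line protocol is up
  Input features: Ingress-NetFlow, Access List, uRPF, MCI Check
  IP verify source reachable-via ANY, allow default
   0 verification drops
   34 suppressed verification drops
   0 verification drop-rate
"""

# Constructed sample, modelled on the "debug ip cef drops rpf" lines in the thread.
CEF_DEBUG_SAMPLE = """\
Nov 14 12:33:55: CEF-Drop-Suppress: Packet from 62.176.255.250 via GigabitEthernet1/1 -- ip verify check (via-any)
Nov 14 12:33:55: CEF-Drop: Packet from 62.176.255.250 via GigabitEthernet1/1 -- via-rx
Nov 14 12:33:55: CEF-Drop-Suppress: Packet from 62.176.255.250 via GigabitEthernet1/1 -- ip verify check (via-any)
"""

# "IP verify source reachable-via ANY, allow default" / "... reachable-via RX"
_MODE_RE = re.compile(r"IP verify source reachable-via (\w+)(, allow default)?")
# The three counters printed under the uRPF line; order of alternatives matters
# so that "suppressed verification drops" is not mistaken for "verification drops".
_COUNTER_RE = re.compile(
    r"^\s*(\d+) (verification drops|suppressed verification drops|verification drop-rate)$",
    re.MULTILINE,
)
# CEF-Drop (really discarded) vs CEF-Drop-Suppress (flagged, forwarded anyway)
_DEBUG_RE = re.compile(r"CEF-Drop(-Suppress)?: Packet from (\S+) via (\S+) -- (.+)$")


def parse_urpf_stats(show_output):
    """Return the uRPF section of 'show ip interface' as a dict, or None if uRPF is not configured."""
    m = _MODE_RE.search(show_output)
    if m is None:
        return None
    stats = {
        "mode": m.group(1).upper(),          # ANY (loose) or RX (strict)
        "allow_default": m.group(2) is not None,
        "drops": 0,
        "suppressed": 0,
        "drop_rate": 0,
    }
    keys = {
        "verification drops": "drops",
        "suppressed verification drops": "suppressed",
        "verification drop-rate": "drop_rate",
    }
    for value, label in _COUNTER_RE.findall(show_output):
        stats[keys[label]] = int(value)
    return stats


def count_cef_drops(debug_output):
    """Tally CEF uRPF debug lines as (source, interface, outcome) -> count."""
    tally = Counter()
    for line in debug_output.splitlines():
        m = _DEBUG_RE.search(line)
        if m is None:
            continue  # unrelated debug noise
        outcome = "suppressed" if m.group(1) else "dropped"
        tally[(m.group(2), m.group(3), outcome)] += 1
    return tally


def urpf_health(stats):
    """Classify the counters: real drops, suppressed-only (check fired but forwarded), or clean."""
    if stats is None:
        return "urpf-disabled"
    if stats["drops"] > 0:
        return "dropping"
    if stats["suppressed"] > 0:
        return "suppressed-only"
    return "clean"


if __name__ == "__main__":
    stats = parse_urpf_stats(SHOW_IP_INT_SAMPLE)
    print(stats, urpf_health(stats))
    for (src, ifname, outcome), n in sorted(count_cef_drops(CEF_DEBUG_SAMPLE).items()):
        print(f"{src} via {ifname}: {outcome} x{n}")
```

On Gert's sample this reports mode ANY with allow-default, 0 real drops and 34 suppressed drops ("suppressed-only"), and two suppressed versus one dropped debug line for 62.176.255.250. Feed it the output of the two commands at intervals and alert only when the "dropping" classification appears or the suppressed counter grows faster than expected for the interface's input rate; per Andras's note, if you set the rpf-failure rate limiter to 0 the counters will no longer be populated, so a parser returning zeros then tells you nothing.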
