Re: [c-nsp] IPv6 uRPF broken on NCS5500 XR 6.2.3?
One of the reasons I'm not very keen on using merchant silicon for high-touch routing.

Mark.

On 24/Feb/18 10:19, Chris Welti wrote:
> Hi David,
>
> uRPF on the NCS5500 is a mess due to limitations of the Jericho
> chipset. It has to do with the TCAM optimizations and twice the number
> of route lookups needed for uRPF (src/dst).
>
> From what I understand:
>
> On SE-models for uRPF to work you need to disable double-capacity mode
> (you will lose space for half of the routes!)
>
> hw-module tcam fib ipv4 scaledisable
>
> depending on the software you are running, you might also need to
> reserve IPv6 space in the eTCAM:
>
> hw-module profile tcam fib ipv4 unicast percent 50
> hw-module profile tcam fib ipv6 unicast percent 50
>
> For non-SE models you need to disable all the iTCAM optimizations
>
> hw-module fib ipv4 scale host-optimized-disable
> hw-module fib ipv6 scale internet-optimized-disable
>
> Unfortunately, that way the current full table won't fit anymore in
> non-SE models.
>
> IMHO it's best not to use uRPF at all on this platform.
>
> See also bugID CSCvf44418, and the excellent Cisco Live presentation
> "NCS5500: Deepdive in the Merchant Silicon High-end SP Routers -
> BRKSPG-2900" from Nicolas Fevrier. Make sure you get the latest one
> from Barcelona 2018, which includes details about uRPF.
>
> Regards,
> Chris
>
> On 23.02.18 at 22:58, David Hubbard wrote:
>> Hi all, curious if anyone has run into issues with IPv6 uRPF on
>> NCS5500 and/or XR 6.2.3? I have an interface where I added:
>>
>> Ipv4 verify unicast source reachable-via any
>> ipv6 verify unicast source reachable-via any
>>
>> and immediately lost my ability to talk to a BGP peer connected to it
>> using a local /126 range; no ping, tcp, etc. There’s obviously a
>> route in FIB given it’s connected and up, but I did check. The same
>> issue does not occur with the remote IPv4 peering address on a /30
>> net, suggesting uRPF for ipv4 doesn’t have the same bug.
>>
>> Thanks

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] IPv6 uRPF broken on NCS5500 XR 6.2.3?
Hi David,

uRPF on the NCS5500 is a mess due to limitations of the Jericho chipset. It has to do with the TCAM optimizations and twice the number of route lookups needed for uRPF (src/dst).

From what I understand:

On SE-models for uRPF to work you need to disable double-capacity mode (you will lose space for half of the routes!)

hw-module tcam fib ipv4 scaledisable

depending on the software you are running, you might also need to reserve IPv6 space in the eTCAM:

hw-module profile tcam fib ipv4 unicast percent 50
hw-module profile tcam fib ipv6 unicast percent 50

For non-SE models you need to disable all the iTCAM optimizations

hw-module fib ipv4 scale host-optimized-disable
hw-module fib ipv6 scale internet-optimized-disable

Unfortunately, that way the current full table won't fit anymore in non-SE models.

IMHO it's best not to use uRPF at all on this platform.

See also bugID CSCvf44418, and the excellent Cisco Live presentation "NCS5500: Deepdive in the Merchant Silicon High-end SP Routers - BRKSPG-2900" from Nicolas Fevrier. Make sure you get the latest one from Barcelona 2018, which includes details about uRPF.

Regards,
Chris

On 23.02.18 at 22:58, David Hubbard wrote:
> Hi all, curious if anyone has run into issues with IPv6 uRPF on
> NCS5500 and/or XR 6.2.3? I have an interface where I added:
>
> Ipv4 verify unicast source reachable-via any
> ipv6 verify unicast source reachable-via any
>
> and immediately lost my ability to talk to a BGP peer connected to it
> using a local /126 range; no ping, tcp, etc. There’s obviously a
> route in FIB given it’s connected and up, but I did check. The same
> issue does not occur with the remote IPv4 peering address on a /30
> net, suggesting uRPF for ipv4 doesn’t have the same bug.
>
> Thanks
[c-nsp] IPv6 uRPF broken on NCS5500 XR 6.2.3?
Hi all, curious if anyone has run into issues with IPv6 uRPF on NCS5500 and/or XR 6.2.3? I have an interface where I added:

Ipv4 verify unicast source reachable-via any
ipv6 verify unicast source reachable-via any

and immediately lost my ability to talk to a BGP peer connected to it using a local /126 range; no ping, tcp, etc. There’s obviously a route in FIB given it’s connected and up, but I did check. The same issue does not occur with the remote IPv4 peering address on a /30 net, suggesting uRPF for ipv4 doesn’t have the same bug.

Thanks
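
For reference, a small model of the per-packet source check that loose (`reachable-via any`) and strict (`reachable-via rx`) uRPF are expected to perform, showing that a source inside a connected /126 should pass. This is an added illustration, not part of any post in the thread and not how the NCS5500 implements the check; the FIB entries, interface names and the `allow_default` parameter are assumptions of the model.

```python
import ipaddress

# Constructed FIB for illustration: (prefix, egress interface).
# Prefixes are documentation ranges and interface names are made up;
# none of these values come from the thread.
FIB = [
    ("2001:db8:0:1::/126", "Hu0/0/0/1"),  # connected IPv6 peering subnet
    ("192.0.2.0/30", "Hu0/0/0/1"),        # connected IPv4 peering subnet
    ("2001:db8:100::/48", "Hu0/0/0/2"),   # route learned via another port
    ("::/0", "Hu0/0/0/2"),                # IPv6 default route
]


def lookup(src):
    """Longest-prefix match of src in FIB; returns (network, ifname) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in FIB:
        net = ipaddress.ip_network(prefix)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, ifname)
    return best


def urpf_permit(src, in_if, mode="any", allow_default=False):
    """Return True if a packet from src arriving on in_if passes the check.

    mode="any": loose, any matching route is enough.
    mode="rx":  strict, the best route must point back out of in_if.
    allow_default (model parameter): whether a default-route match counts.
    """
    hit = lookup(src)
    if hit is None:
        return False                      # no route to the source at all
    net, ifname = hit
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route matched
    if mode == "rx":
        return ifname == in_if
    return True


if __name__ == "__main__":
    # Peer address inside the connected /126: loose uRPF should permit it.
    print(urpf_permit("2001:db8:0:1::2", "Hu0/0/0/1"))
```
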