uRPF and VRF

Answered Question
May 22nd, 2007
Hello,


I am going to use urpf-check in a LAN environment. The network is designed as a VRF-aware Core/Distribution/Access model.

I put the command: ip verify reverse-path into the interface (distribution/access) configuration.

As soon as I do it, the clients are not able to get an IP address from the DHCP server. And they can't communicate!!

The same thing happens if I use the command in loose mode.

Does somebody out there have any idea what else I should consider? Why does it not work?

Regards,

naser

Correct Answer
miherber (Cisco Employee), Tue, 05/22/2007 - 10:37

Naser,

It may be that what is happening is that when the distribution switch forwards the DHCP discovery request on to the DHCP server, it sources the unicast forward packet using the ingress IP address of one of the two default gateways. If the response is received on the other distribution switch from the core (due to equal-cost return path), it will then be forwarded out on the L2 access side to the originating forwarder, who will then receive the DHCP response from the DHCP server's source address on the access interface with strict uRPF enabled, which will then discard the packet. With loose mode the packet is allowed in this instance.
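
The strict versus loose decision described in the answer above, as an added example that is not part of the original thread: a small Python model of the uRPF source lookup. The addresses, interface names and VRF name are constructed, and the model assumes the lookup is done in the table of the ingress interface's VRF.

```python
import ipaddress

# Constructed addressing (not from the thread): one VRF "users" with the
# access subnet on Vlan10 and the DHCP server subnet reached via the core.
FIB = {"users": [("10.1.10.0/24", "Vlan10"), ("10.9.9.0/24", "Uplink1")]}
IF_VRF = {"Vlan10": "users", "Uplink1": "users"}

def lookup(vrf, addr):
    """Longest-prefix match in one VRF table; egress interface or None."""
    ip = ipaddress.ip_address(addr)
    hits = [(ipaddress.ip_network(p), i) for p, i in FIB.get(vrf, [])]
    hits = [(n, i) for n, i in hits if ip in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def urpf_permits(mode, in_if, src, dst):
    """Model of the uRPF decision for a packet received on in_if."""
    # Cisco documents this exemption so that BOOTP/DHCP requests still pass.
    if src == "0.0.0.0" and dst == "255.255.255.255":
        return True
    route_if = lookup(IF_VRF[in_if], src)   # assumption: ingress VRF's table
    if mode == "loose":
        return route_if is not None          # any route to the source
    return route_if == in_if                 # strict: route points back at in_if

# Constructed packets following the answer's scenario.
PACKETS = [
    ("DISCOVER from client",            "Vlan10",  "0.0.0.0",   "255.255.255.255"),
    ("server reply via core uplink",    "Uplink1", "10.9.9.5",  "10.1.10.2"),
    ("server reply via peer, L2 side",  "Vlan10",  "10.9.9.5",  "10.1.10.2"),
    ("source with no route in the VRF", "Vlan10",  "192.0.2.7", "10.1.10.2"),
]

def run():
    return {(name, mode): urpf_permits(mode, in_if, src, dst)
            for name, in_if, src, dst in PACKETS for mode in ("strict", "loose")}

if __name__ == "__main__":
    for (name, mode), ok in run().items():
        print(f"{name:32} {mode:6} {'permit' if ok else 'DROP'}")
```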
