Solved: uRPF and VRF

Namsys · ‎05-22-2007

Hello,

I am going to use urpf-check in a LAN environment. The network is designed as VRF aware Core/Distribution/Access model.

I put the command: ip verify reverse-path in to the interface (distribution/access) coniguration.

As soon as I do it, the clients are note able to get IP-Adress from DHCP-Server. And they can't communicate!!

The same things happens, if do use the command in loose mode.

Does somebody out there has any idea, what else shoud I consider? Way does it not work?

\\regards

naser

miherber · ‎05-22-2007

Naser,

It may be that what is happening is that when the distribution switch forwards the DHCP discovery request on to the DHCP server it sources the unicast forward packet using the ingress IP address of one of the two default gateways. If the response is received on the other distribution switch from the core (due to equal cost return path) it will then be forwarded out on the L2 access side to the originating forwarder who will then receive the DHCP response from the DHCP servers source address on the access interface with strict uRPF enabled which will then discard the packet. With Loose mode the packet is allowed in this instance.

View solution in original post

miherber · ‎05-22-2007

Naser,

It may be that what is happening is that when the distribution switch forwards the DHCP discovery request on to the DHCP server it sources the unicast forward packet using the ingress IP address of one of the two default gateways. If the response is received on the other distribution switch from the core (due to equal cost return path) it will then be forwarded out on the L2 access side to the originating forwarder who will then receive the DHCP response from the DHCP servers source address on the access interface with strict uRPF enabled which will then discard the packet. With Loose mode the packet is allowed in this instance.