uRPF and VRF

Hello,

I am going to use urpf-check in a LAN environment. The network is designed as a VRF-aware Core/Distribution/Access model.

I put the command: ip verify reverse-path into the interface (distribution/access) configuration.

As soon as I do it, the clients are not able to get an IP address from the DHCP server. And they can't communicate!!

The same thing happens if I use the command in loose mode.

Does somebody out there have any idea what else I should consider? Why does it not work?

Regards,

naser

Accepted Solutions
Cisco Employee

Re: uRPF and VRF

Naser,

It may be that what is happening is that when the distribution switch forwards the DHCP discovery request on to the DHCP server, it sources the unicast forward packet using the ingress IP address of one of the two default gateways. If the response is received on the other distribution switch from the core (due to an equal-cost return path), it will then be forwarded out on the L2 access side to the originating forwarder, which will then receive the DHCP response from the DHCP server's source address on the access interface with strict uRPF enabled, which will then discard the packet. With loose mode the packet is allowed in this instance.
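
The source check described in the accepted answer, modelled as an added example that is not part of the original thread and is not Cisco code. The FIB entries, interface names (Vlan10, Te1/1) and addresses are constructed assumptions, and the model ignores ECMP and any DHCP/BOOTP special handling.

```python
import ipaddress

# Constructed FIB for the client VRF on one distribution switch.
# Prefixes and interface names are assumptions, not values from the thread.
FIB = [
    ("10.1.1.0/24", "Vlan10"),   # connected access subnet (clients, both gateways)
    ("10.9.9.0/24", "Te1/1"),    # DHCP server subnet, learned via the core uplink
]

def lookup(fib, addr):
    """Longest-prefix match: return (network, egress interface) or None."""
    ip = ipaddress.ip_address(addr)
    hits = [(ipaddress.ip_network(p), ifc) for p, ifc in fib
            if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def urpf_permits(fib, src, in_if, mode):
    """Simplified uRPF source check (no ECMP, no DHCP/BOOTP special cases).
    strict: the route back to src must use the interface the packet came in on.
    loose:  any route to src in the table is enough."""
    route = lookup(fib, src)
    if route is None:
        return False              # no route to the source: dropped in both modes
    if mode == "loose":
        return True
    return route[1] == in_if

def scenario(fib=FIB):
    """Evaluate the packets discussed in the answer, plus two controls."""
    cases = {
        # DHCP server reply bridged across the access VLAN by the other gateway
        "reply_via_access": ("10.9.9.10", "Vlan10"),
        # Same reply arriving directly from the core
        "reply_via_uplink": ("10.9.9.10", "Te1/1"),
        # Ordinary client traffic after address assignment
        "client_traffic": ("10.1.1.50", "Vlan10"),
        # Source with no route in this VRF
        "unrouted_source": ("192.0.2.7", "Vlan10"),
    }
    return {name: {m: urpf_permits(fib, src, ifc, m) for m in ("strict", "loose")}
            for name, (src, ifc) in cases.items()}

if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:18} strict={verdict['strict']!s:5} loose={verdict['loose']}")
```

Only the reply that arrives on the access VLAN differs between the two modes; a source with no route in the VRF fails both, which is worth checking in the VRF's routing table when loose mode also drops traffic.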
