[c-nsp] IPv6 uRPF broken on NCS5500 XR 6.2.3?
David Hubbard
2018-02-23 21:58:41 UTC
Hi all, curious if anyone has run into issues with IPv6 uRPF on NCS5500 and/or XR 6.2.3? I have an interface where I added:

ipv4 verify unicast source reachable-via any
ipv6 verify unicast source reachable-via any

and immediately lost my ability to talk to a BGP peer connected to it using a local /126 range; no ping, tcp, etc. There’s obviously a route in FIB given it’s connected and up, but I did check. The same issue does not occur with the remote IPv4 peering address on a /30 net, suggesting uRPF for ipv4 doesn’t have the same bug.

Thanks


_______________________________________________
cisco-nsp mailing list cisco-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
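To make the expected behaviour of the configuration above concrete, here is an added model of the uRPF decision (example code written for this page, not from the thread or from Cisco). "reachable-via any" is loose mode: the source address is looked up in the FIB and the packet passes if any non-discard route covers it; "reachable-via rx" is strict mode and additionally requires that route to point back out the ingress interface. The FIB entries, addresses and interface names are constructed for the example; they are not the poster's addressing.

```python
"""Model of IOS XR-style uRPF source checks against a small FIB.

Added example for this thread; the prefixes, addresses and interface
names below are constructed and do not come from the original post.
"""
import ipaddress

# Constructed FIB: (prefix, egress interface). An interface of None models a
# discard route (Null0), which uRPF treats as "source not reachable".
FIB = [
    ("2001:db8:100::/126", "HundredGigE0/0/0/0"),  # connected IPv6 peering /126 (constructed)
    ("2001:db8::/32",      "HundredGigE0/0/0/1"),  # aggregate learned via another port
    ("192.0.2.0/30",       "HundredGigE0/0/0/0"),  # connected IPv4 peering /30 (constructed)
    ("192.0.2.0/24",       "HundredGigE0/0/0/1"),
    ("203.0.113.0/24",     None),                   # discard route
    ("0.0.0.0/0",          "HundredGigE0/0/0/2"),  # default route
]


def lpm(fib, addr):
    """Longest-prefix-match lookup. Returns (network, iface) or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if net.version != a.version or a not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface)
    return best


def urpf_check(fib, src, ingress, mode="any", allow_default=False):
    """Return True if a packet with source `src` arriving on `ingress` passes uRPF.

    mode="any": loose check, any non-discard route covering the source suffices.
    mode="rx":  strict check, the route must also point back out `ingress`.
    allow_default: whether a default route counts as a valid reverse path
    (it does not unless explicitly allowed, mirroring the IOS XR keyword).
    """
    hit = lpm(fib, src)
    if hit is None:
        return False                      # no route at all: drop
    net, iface = hit
    if iface is None:
        return False                      # discard route: drop
    if net.prefixlen == 0 and not allow_default:
        return False                      # only a default route: drop unless allowed
    if mode == "any":
        return True
    if mode == "rx":
        return iface == ingress
    raise ValueError("mode must be 'any' or 'rx'")


if __name__ == "__main__":
    # The connected /126 peer: loose mode must pass it, exactly the case
    # the thread reports as failing on the platform.
    print(urpf_check(FIB, "2001:db8:100::2", "HundredGigE0/0/0/0", "any"))   # True
    print(urpf_check(FIB, "2001:db8:100::2", "HundredGigE0/0/0/1", "rx"))    # False (wrong ingress)
    print(urpf_check(FIB, "192.0.2.2", "HundredGigE0/0/0/0", "any"))         # True
    print(urpf_check(FIB, "203.0.113.9", "HundredGigE0/0/0/0", "any"))       # False (discard route)
    print(urpf_check(FIB, "198.51.100.1", "HundredGigE0/0/0/0", "any"))      # False (default only)
```

Run as a script it prints the decisions listed in the comments; the first line is the behaviour the poster expected from the IPv6 /126 and did not get on the NCS5500. When troubleshooting a case like this, comparing the expected verdict from such a model against `show cef ipv6` output for the peer's address narrows the problem to the platform's source lookup rather than the routing table.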
Chris Welti
2018-02-24 08:19:25 UTC
Hi David,

uRPF on the NCS5500 is a mess due to limitations of the Jericho chipset.
It has to do with the TCAM optimizations and twice the number of route
lookups needed for uRPF (src/dst).

From what I understand:

On SE-models for uRPF to work you need to disable double-capacity mode
(you will lose space for half of the routes!)

hw-module tcam fib ipv4 scaledisable

Depending on the software you are running, you might also need to
reserve IPv6 space in the eTCAM:

hw-module profile tcam fib ipv4 unicast percent 50
hw-module profile tcam fib ipv6 unicast percent 50

For non-SE models you need to disable all the iTCAM optimizations

hw-module fib ipv4 scale host-optimized-disable
hw-module fib ipv6 scale internet-optimized-disable

Unfortunately, that way the current full table won't fit anymore in
non-SE models.

IMHO it's best not to use uRPF at all on this platform.

See also bugID CSCvf44418, and the excellent Cisco Live presentation
"NCS5500: Deepdive in the Merchant Silicon High-end SP Routers -
BRKSPG-2900" from Nicolas Fevrier. Make sure you get the latest one from
Barcelona 2018, which includes details about uRPF.

Regards,
Chris
Mark Tinka
2018-02-26 08:02:12 UTC
One of the reasons I'm not very keen on using merchant silicon for
high-touch routing.

Mark.