uRPF check on VRF (for RTBH) on IOX-XR device without e/TCAM

ehaparna
Level 1

Hello community,

Issue description

This case is related to RTBH implementation over L3VPN.

The device used is without external TCAM, and the scale optimizations were modified based on the recommendation mentioned in the System Security Configuration Guide for Cisco NCS 5500 Series Routers, IOS XR Release 7.5.x:

#hw-module fib ipv4 scale host-optimized-disable

Note: the same optimizations were implemented and tested to be useful on the same device in the non-L3VPN case.

A reboot was issued just to remove any doubt that the configuration change is effective, and the specific uRPF configuration was applied:

RP/0/RP0/CPU0:ncs540_cisco#show running-config interface tenGigE 0/0/0/4
Mon Oct  9 14:59:46.875 IDT
interface TenGigE0/0/0/4
vrf tomer
ipv4 address 40.40.40.1 255.255.255.0
ipv4 verify unicast source reachable-via any
ipv6 verify unicast source reachable-via any
!


The hope was that having a specific /32 route on the blocking PE, set for 60.60.60.60/32 to discard, would result in packets being discarded once they arrive on ingress of the VRF interface TenGigE0/0/0/4 with a source address of 60.60.60.60.

But it seems that it is not the case.

The traffic with source address of 60.60.60.60 is not blocked and it passes from this PE (VRF) to the remote PE (VRF).

When traffic is sent with the same address 60.60.60.60 as the destination (DA, egress), the packet is dropped.

So it is clear that the discard for that address was implemented in the routing table, but it is as if the uRPF check was ineffective.

Q1: Was any of you able to run a uRPF check over a VRF on a device without external TCAM?

Q2: Is there anything missing in the configuration that I should consider?

Below you can find complementary information relevant for this configuration.


The device being used is:

NCS-540

Cisco IOS XR Software, Version 7.6.1

The setup implements L3VPN, and the need is to block traffic within the VRF based on the source address, i.e. using a uRPF check (loose mode).

The following policy was defined:

RP/0/RP0/CPU0:ncs540_cisco#show running-config route-policy RTBH  
Mon Oct  9 14:59:22.311 IDT
route-policy RTBH
  if community matches-any (100:667) then
    set next-hop discard
    set local-preference 400
    set origin igp
  endif
  if not community matches-any 666 then
    pass
  endif
end-policy
!

The policy was deployed:

router bgp 9730
neighbor 33.33.33.33
  remote-as 100
  ebgp-multihop 10
  update-source Loopback0
  address-family ipv4 unicast
   route-policy PASS_ALL in
   route-policy PASS_ALL out
  !
  address-family vpnv4 unicast
   route-policy RTBH in
   route-policy PASS_ALL out
  !
!
!

show version:

RP/0/RP0/CPU0:ncs540_cisco#show ver
Mon Oct  9 15:01:05.190 IDT
Cisco IOS XR Software, Version 7.6.1
Copyright (c) 2013-2022 by Cisco Systems, Inc.
Build Information:
Built By     : ingunawa
Built On     : Sat Mar 26 19:42:00 PDT 2022
Built Host   : iox-ucs-050
Workspace    : /auto/srcarchive17/prod/7.6.1/ncs540/ws
Version      : 7.6.1
Location     : /opt/cisco/XR/packages/
Label        : 7.6.1
cisco NCS-540 () processor
System uptime is 18 minutes
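As an added illustration (not part of the original post and not Cisco's code), the following Python model reproduces the behaviour the configuration above is expected to produce: a uRPF check in loose mode (`reachable-via any`) against a VRF FIB in which the RTBH policy has installed 60.60.60.60/32 with a discard next hop, so a packet sourced from 60.60.60.60 on TenGigE0/0/0/4 in VRF tomer is dropped on ingress, while the same address as destination is dropped by the normal forwarding lookup. It also models strict mode (`reachable-via rx`) to show the difference; the FIB contents, the 50.50.50.0/24 remote-PE path and all function names are constructed for the example.

```python
"""Model of loose/strict uRPF combined with an RTBH discard route (constructed example)."""
from ipaddress import ip_address, ip_network

DISCARD = "discard"  # models the effect of 'set next-hop discard' in route-policy RTBH

# Constructed per-VRF FIB: prefix -> (egress interface, next hop).
# Names and the 60.60.60.60/32 discard route follow the post; 50.50.50.0/24 is made up.
FIB = {
    "tomer": {
        ip_network("40.40.40.0/24"): ("TenGigE0/0/0/4", "connected"),
        ip_network("50.50.50.0/24"): ("TenGigE0/0/0/5", "50.50.50.2"),
        ip_network("60.60.60.60/32"): (None, DISCARD),
    }
}


def lpm(vrf, addr):
    """Longest-prefix match in the VRF table; returns (prefix, iface, nexthop) or None."""
    addr = ip_address(addr)
    best = None
    for prefix, (iface, nh) in FIB[vrf].items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface, nh)
    return best


def urpf_ok(vrf, src, ingress, mode="loose"):
    """uRPF verdict for the source address.
    loose  ('reachable-via any'): a route must exist and must not point to discard.
    strict ('reachable-via rx'):  additionally, the route must point back out the ingress interface."""
    hit = lpm(vrf, src)
    if hit is None or hit[2] == DISCARD:
        return False
    return mode == "loose" or hit[1] == ingress


def forward(vrf, src, dst, ingress, mode="loose"):
    """Ingress pipeline: uRPF on the source first, then the destination lookup.
    Returns 'drop-urpf', 'drop-dst' or 'forward:<egress interface>'."""
    if not urpf_ok(vrf, src, ingress, mode):
        return "drop-urpf"
    hit = lpm(vrf, dst)
    if hit is None or hit[2] == DISCARD:
        return "drop-dst"
    return f"forward:{hit[1]}"


if __name__ == "__main__":
    print(forward("tomer", "60.60.60.60", "50.50.50.2", "TenGigE0/0/0/4"))  # drop-urpf
    print(forward("tomer", "40.40.40.2", "60.60.60.60", "TenGigE0/0/0/4"))  # drop-dst
```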