cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
621
Views
2
Helpful
2
Replies

uRPF brought down my network, even after removing the config

Jaydub718
Level 1
Level 1

I have a Cisco 7606 router acting as my border gateway for a campus network.  Downstream from the router is a Palo Alto NGFW and then a core distribution, L3 switch for my campus.  

Most physical ports on my router are configured as switchports assigned to a VLAN and VLAN Interfaces act as gateways for those VLANs.  Today I configured ip verify unicast source reachable-via rx on the VLAN interface 252 with IP X.X.252.193, connected to the PA Firewall.  The Firewall NATs my internal IP to X.X.252.243 and X.X.252.249 (relative to internal requirements).  Immediately upon committing the uRPF config, my network came down. I removed uRPF 4 minutes later, and everything stayed down (even though the interfaces still displayed up/up).

 
I have one external Gigabit WAN interface divided into two sub-interfaces via dot1x encap, each as a separate route to "different" BGP neighbors.  After hours of troubleshooting and finding nothing that should be causing a problem - one of the paths started passing traffic in and out of my internal network. However, the other (far more trafficked) path - the one set as the default route, was still not communicating.

I removed the uRPF configuration, bounced all involved interfaces, and even deleted and re-created the culprit sub-interface acting as the default route.  Still nothing.  At my wit's end, with contributed troubleshooting from neighboring ISP support, I eventually just reloaded the router and after a reboot, all connectivity was restored.

Has anyone ever encountered anything like this? 
 
-The router has a known route to the NAT'd source IP, which is the same VLAN interface the IP would come in to, yet it still everything came down. Why?
-Even after removing the config from the single interface, residual effects were felt, in failing to forward traffic out the default route's WAN interface. 
-I found nothing in viewable configs that would cause this, and especially, changed nothing that would cause this (that I didn't immediately revert).  
 

 

2 Replies 2

M02@rt37
VIP
VIP

Hello @Jaydub718,

When you enabled the uRPF configuration on specific VLAN interface, it can potentially drop traffic that doesn't have a valid reverse path in the routing table. The fact that your network went down immediately after enabling this feature suggests that there might have been an issue with the reverse path for some of the incoming traffic. This could be due to misconfigurations or missing routes in your routing table.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hi M02@rt37,

The router indeed has a valid route back into the network.  Both to the NAT'd IP and the internal IP scopes, and the path was pointing it out the very same interface it all would have arrived on, configured with uRPF.

Review Cisco Networking for a $25 gift card