Where is the edge of the Internet? Re: no ip forged-source-address

Christopher L. Morrow chris at UU.NET
Wed Nov 6 23:49:29 UTC 2002


Ok, so I'll respond to one more of the messages I missed yesterday.

On Mon, 4 Nov 2002, Matt Buford wrote:

>
> On Mon, 4 Nov 2002 sean at donelan.com wrote:
> > The only equipment I'm heard here which has serious issues related to
> > feature availability is the 12000 (which was never a particularly good
> > aggregation device to begin with). RPF works fine on 7200, 7500, and
> > 6500, from my experience. I've not used 12000's for customer aggregation
> > since they historically haven't been designed for or adequate in that
> > respect.

A lot of large providers have 'all 12000' or 'a lot of 12000' devices, so
this is a hint at the problem :( Most large, where large == continental,
providers don't have very many 7200/6500 gear in their network.

Keep in mind that sometimes the platform you chose 12 months ago you may
get stuck with for longer than originally anticipated. That platform
may have been chosen because it was the only viable platform at the
initial buy time :(

> >
> > As such, I can understand providers not being able to apply RPF immediately
> > on 12000's, at least unless they are acquiring E3 cards for new installs.
>

Wow, by E3 I assume you mean: Engine 3... This is a VERY BAD PLAN, if my
experience with them is anything to judge from. Both E2 and E3 cards have
some serious limitations when it comes to access lists and uRPF. For
instance, I've been in config mode where:

int blah1/0.123
ip access<tab>

yields nothing... in other words, 'ip access-group 123 out' is not even in
the valid config for these cards :( Even more depressing is the hope that
it'll work and the unfortunate reality that it'll apply to the interface
and never access-list any traffic at all :(

To Cisco's credit they are now addressing the intricacies of the 12000
platform, the combinations of linecard, IOS, config bits, routing
situations... This is a complex beast, and it's not known anywhere near as
well as it should be.

From what I've heard, I haven't yet tested these, the E4+ cards are
supposed to answer a lot of the existing acl issues. One thing to keep in
mind is that your FIB is limited to ~225k prefixes if you want to use PSA
acls (hardware acls) on a 12000... Supposedly, if you remove PSA acl
functionality you can punt the acl work to the linecard CPU; in reality
the punting never happens and the traffic isn't acl'd :(

> 6500s can do it, but enabling it doubles the size of the FIB, and the FIB
> can only hold 244,000 unicast entries.  So, with RPF enabled on any
> interface, your limit is now 122,000 routes.  With a full BGP view, you're
> probably dangerously close to this number.
>

This seems like the same issue as the FIB limits on the 12000 linecards :(

> You're supposed to be able to exceed that number and simply end up with some
> networks being software switched, however, I've seen a number of 6509s
> running native software either fall over or experience serious bugs (not
> fixed as of 12.1(13)E) when exceeding this limit.
>

On the 12000, the routes are just lost... and magically the attack
'stops', so does traffic to some randomly large number of destinations too
:( So this is 'suboptimal' to say the least.

BTW, Cisco has been made aware of these issues so it's again, on deck for a
fix in the e5/6/7 linecard...
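Added illustration, not part of the original post and not Cisco's code: a small Python model of what the uRPF check discussed in this thread actually decides (strict vs. loose mode against a longest-prefix-match FIB), plus a FIB with a hard entry cap to show the failure mode the post describes when a linecard table overflows (the new prefix is silently lost and traffic to it has no route). The prefixes, interface names and the tiny capacity numbers are constructed for the example; the real limits quoted in the thread (~225k on a 12000 with PSA ACLs, 244k on a 6500, halved with RPF) are far larger.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


class Fib:
    """Toy longest-prefix-match forwarding table with a hard entry cap.

    The cap stands in for the hardware FIB limits mentioned in the thread.
    The capacities used below are constructed for the example, not real ones.
    """

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.routes: Dict[ipaddress.IPv4Network, str] = {}
        self.lost: List[ipaddress.IPv4Network] = []  # prefixes that did not fit

    def add(self, prefix: str, iface: str) -> bool:
        net = ipaddress.ip_network(prefix)
        if net not in self.routes and len(self.routes) >= self.capacity:
            # Table full: the route is silently dropped, which is the
            # "routes are just lost" behaviour the post describes.
            self.lost.append(net)
            return False
        self.routes[net] = iface
        return True

    def lookup(self, addr: str) -> Optional[str]:
        """Return the outgoing interface for addr, or None if it is unrouted."""
        ip = ipaddress.ip_address(addr)
        best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
        for net, iface in self.routes.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None


def urpf_check(fib: Fib, src: str, ingress: str, mode: str = "strict") -> bool:
    """Decide whether a packet with source src, arriving on ingress, passes uRPF.

    strict: the FIB's best path back to src must leave via the ingress
            interface (what IOS 'ip verify unicast reverse-path' enforces
            on a customer-facing port).
    loose:  src merely has to be routable at all.
    """
    oif = fib.lookup(src)
    if oif is None:
        return False  # unrouted source fails in both modes
    if mode == "loose":
        return True
    return oif == ingress


def build_edge_fib(capacity: int = 8) -> Fib:
    """Constructed aggregation-router FIB: two customers plus an upstream default."""
    fib = Fib(capacity)
    fib.add("192.0.2.0/24", "Serial1")      # customer A
    fib.add("198.51.100.0/24", "Serial2")   # customer B
    fib.add("0.0.0.0/0", "POS0")            # default toward the core
    return fib


def demo_capacity_loss() -> Tuple[bool, Optional[str], int]:
    """Fill a two-entry FIB, then try to add a third prefix.

    Returns (did the third route fit, next hop for an address in it, lost count).
    With no default route the overflowed destination is simply blackholed.
    """
    fib = Fib(capacity=2)
    fib.add("192.0.2.0/24", "Serial1")
    fib.add("198.51.100.0/24", "Serial2")
    fitted = fib.add("203.0.113.0/24", "Serial3")  # does not fit
    return fitted, fib.lookup("203.0.113.9"), len(fib.lost)


if __name__ == "__main__":
    fib = build_edge_fib()
    # Customer A's own address on A's port: passes strict uRPF.
    print(urpf_check(fib, "192.0.2.5", "Serial1"))
    # Customer B's address arriving on A's port: strict drops it as forged,
    # loose lets it through because the source is routable somewhere.
    print(urpf_check(fib, "198.51.100.7", "Serial1"))
    print(urpf_check(fib, "198.51.100.7", "Serial1", "loose"))
    print(demo_capacity_loss())
```

The strict check is the one that matters at the customer edge the thread is about: a forged source only passes if the router would route replies back out the same interface the packet came in on. The capacity demo is the other half of the post's complaint: once the table is full, the miss is not an ACL deny you can log, it is an absent route.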
