[nsp] Cisco 7600 and uRPF

Clinton Work clinton at scripty.com
Tue Mar 2 14:17:59 EST 2004


I have 7600 Sup2s and I want to use strict uRPF. I was looking for feedback
on the feature stability in production environments.

I was able to find the following notes ...

Cisco 7600 with Sup2 running Native IOS.
- The same mode (strict vs any) applies to all configured interfaces.

- Multipath isn't supported in hardware. The MSFC2 processes traffic in
  software that has multiple return paths (for example, load sharing).

- Unicast RPF will allow packets with 0.0.0.0 source and 255.255.255.255
  destination to pass so that bootp and DHCP will work.

- The Supervisor Engine 2 with PFC2 supports unicast RPF with hardware
  processing for packets that have a single return path.

- With a Supervisor Engine 2, if you configure unicast RPF to filter with
  an ACL, the PFC2 determines whether or not traffic matches the ACL. The
  PFC2 sends the traffic that matches the ACL to the MSFC2 for the unicast
  RPF check. The PFC2 also provides hardware support for traffic that does
  not match the unicast RPF ACL, but that does match an input security ACL.


Cisco 7600 - Configuring Network Security
http://www.cisco.com/en/US/partner/products/hw/routers/ps368/products_configuration_guide_chapter09186a0080091655.html#1021668

Cisco IOS 12.1 - Configuring Unicast Reverse Path Forwarding
http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800ca6e0.html

>
> ie: loose on some interfaces, strict on the others?
>
> the box will only do one 'global' u-rpf mode on the sup2.
> the sup1 it's done in software only, not in hw.
>
> i can't recall if they "fixed" this in the 720.  i can go
> check my notes in a few ..
>
> - jared
>
> -- 
> Jared Mauch  | pgp key available via finger from jared at puck.nether.net
> clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
>
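
The notes above, worked through as an added example that is not part of the original post or of any Cisco software: a small Python model of the uRPF decision that applies one global mode (strict or any), exempts the 0.0.0.0 to 255.255.255.255 BOOTP/DHCP case, and reports whether a source has a single return path (hardware on the PFC2) or several (software on the MSFC2). The route table, interface names and the function names `lookup` and `urpf_check` are constructed for illustration.

```python
import ipaddress

# Constructed route table: prefix -> interfaces that hold a best return path.
FIB = {
    "192.0.2.0/24": {"Gi1/1"},              # single return path
    "198.51.100.0/24": {"Gi1/2", "Gi1/3"},  # load-shared (multipath)
}
_ROUTES = sorted(
    ((ipaddress.ip_network(p), ifaces) for p, ifaces in FIB.items()),
    key=lambda r: r[0].prefixlen,
    reverse=True,
)


def lookup(src):
    """Longest-prefix match on the source; returns the return-path interfaces."""
    addr = ipaddress.ip_address(src)
    for net, ifaces in _ROUTES:
        if addr in net:
            return ifaces
    return set()


def urpf_check(src, dst, in_if, mode="strict"):
    """Return (passed, path) for one packet under the global uRPF mode.

    path is 'exempt', 'no-route', 'hardware' (single return path) or
    'software' (multiple return paths), following the notes in the post.
    """
    if mode not in ("strict", "any"):
        raise ValueError("mode must be 'strict' or 'any'")
    # BOOTP/DHCP discovery is let through so clients can get an address.
    if src == "0.0.0.0" and dst == "255.255.255.255":
        return True, "exempt"
    ifaces = lookup(src)
    if not ifaces:
        return False, "no-route"  # no return path at all: fails in both modes
    path = "software" if len(ifaces) > 1 else "hardware"
    # strict: the packet must arrive on an interface that is a return path.
    # any: a return path via any interface is enough.
    passed = True if mode == "any" else in_if in ifaces
    return passed, path


if __name__ == "__main__":
    for pkt in [("192.0.2.10", "203.0.113.1", "Gi1/1"),
                ("192.0.2.10", "203.0.113.1", "Gi1/2"),
                ("198.51.100.7", "203.0.113.1", "Gi1/3"),
                ("0.0.0.0", "255.255.255.255", "Gi1/1")]:
        print(pkt, urpf_check(*pkt))
```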


