Understanding Pfc2 Unicast Rpf Check Support; Unicast Rpf Check Guidelines And Restrictions; Configuring Unicast Rpf Check - Cisco 7604 Configuration Manual
Ios software configuration guide
Hide thumbs
Also See for 7604:
- Configuration manual (742 pages) ,
- Installation manual (324 pages) ,
- User manual (98 pages)
Table of Contents
Advertisement
Chapter 33
Configuring Network Security
With loose-method Unicast RPF check (also known as exist-only method), the PFC3 supports up to eight
reverse-path interfaces (the Cisco IOS software is limited to eight reverse paths in the routing table).
There are four methods of performing Unicast RPF check in Cisco IOS:
•
•
•
•
You configure Unicast RPF check on a per-interface basis, but the PFC3 supports only one Unicast RPF
method for all interfaces that have Unicast RPF check enabled. When you configure an interface to use
a Unicast RPF method that is different from the currently configured method, all other interfaces in the
system that have Unicast RPF check enabled use the new method.
Understanding PFC2 Unicast RPF Check Support
The PFC2 supports Unicast RPF check with hardware processing for packets that have a single return
path. The MSFC2 processes traffic in software that has multiple return paths (for example, load sharing).
Unicast RPF Check Guidelines and Restrictions
When configuring Unicast RPF check, follow these guidelines and restrictions:
•
•
•
•
Configuring Unicast RPF Check
These sections describe how to configure Unicast RPF check:
•
•
•
Configuring the Unicast RPF Check Mode
There are two Unicast RPF check modes:
•
OL-4266-08
Strict Unicast RPF check
Strict Unicast RPF check with allow-default
Loose Unicast RPF check
Loose Unicast RPF check with allow-default
If you configure Unicast RPF check to filter with an ACL, the PFC determines whether or not traffic
matches the ACL. The PFC sends the traffic denied by the RPF ACL to the MSFC for the Unicast
RPF check. Packets permitted by the ACL are forwarded in hardware without a Unicast RPF check
(CSCdz35099).
Because the packets in a denial-of-service attack typically match the deny ACE and are sent to the
MSFC for the Unicast RPF check, they can overload the MSFC.
The PFC provides hardware support for traffic that does not match the Unicast RPF check ACL, but
that does match an input security ACL.
The PFC does not provide hardware support Unicast RPF check for policy-based routing (PBR)
traffic. (CSCea53554).
Configuring the Unicast RPF Check Mode, page 33-3
Configuring the Multiple-Path Unicast RPF Check Mode on a PFC3, page 33-5
Enabling Self-Pinging, page 33-6
Strict check mode, which verifies that the source IP address exists in the FIB table and verifies that
the source IP address is reachable through the input port.
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
Configuring Unicast Reverse Path Forwarding Check
33-3
- Quick Links:
- Supported Hardware and Software
Hide quick links:
Advertisement
Chapters
Table of Contents
