Configuring Unicast Reverse Path Forwarding; Understanding Unicast Rpf Support; Configuring Unicast Rpf; Enabling Self-Pinging - Cisco 6500 Series Software Configuration Manual

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E
78-14099-04

Chapter 23
Configuring Network Security

Configuring Unicast Reverse Path Forwarding

These sections describe configuring Cisco IOS Unicast Reverse Path Forwarding (Unicast RPF):

- Understanding Unicast RPF Support
- Configuring Unicast RPF
- Enabling Self-Pinging
- Configuring the Unicast RPF Checking Mode

Understanding Unicast RPF Support

The PFC2 supports Unicast RPF with hardware processing for packets that have a single return path. The MSFC2 processes in software any traffic that has multiple return paths (for example, load sharing).

With a PFC2, if you configure Unicast RPF to filter with an ACL, the PFC2 determines whether or not traffic matches the ACL. The PFC2 sends the traffic denied by the RPF ACL to the MSFC2 for the Unicast RPF check.

Because the packets in a denial-of-service attack typically match the deny ACE and are sent to the MSFC2 for the Unicast RPF check, they can overload the MSFC2.

The PFC2 provides hardware support for traffic that does not match the Unicast RPF ACL, but that does match an input security ACL.

Note
With Supervisor Engine 1 and PFC, the MSFC or MSFC2 supports Unicast RPF in software.

Configuring Unicast RPF

For configuration procedures, refer to the Cisco IOS Security Configuration Guide, Release 12.1, "Other Security Features," "Configuring Unicast Reverse Path Forwarding" at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt5/scdrpf.htm

Enabling Self-Pinging

With Unicast RPF enabled, the switch cannot ping itself. To enable self-pinging, perform this task:

Step 1
Command: Router(config)# interface {{vlan vlan_ID} | {type¹ slot/port} | {port-channel number}}
Purpose: Selects the interface to configure.

Step 2
Command: Router(config-if)# ip verify unicast source reachable-via any allow-self-ping
Purpose: Enables the switch to ping itself or a secondary address.
Command: Router(config-if)# no ip verify unicast source reachable-via any allow-self-ping
Purpose: Disables self-pinging.

Step 3
Command: Router(config-if)# exit
Purpose: Exits interface configuration mode.

1. type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet
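
As an added example (not part of the Cisco manual), the following Python script audits a saved running-config for the settings this section covers: which interfaces have Unicast RPF enabled, whether allow-self-ping is set, and whether an RPF ACL is attached, in which case traffic the ACL denies is sent to the MSFC2 for the check. The sample config, its interface names and ACL number 197 are constructed; the rx keyword and the trailing ACL argument are standard IOS options for this command that this page does not show.

```python
import re

# Constructed sample running-config for illustration; interface names,
# addresses and ACL number 197 are made up, not taken from the manual.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip verify unicast source reachable-via any allow-self-ping
!
interface GigabitEthernet1/1
 ip verify unicast source reachable-via rx 197
!
interface Port-channel5
!
"""

URPF_RE = re.compile(r"ip verify unicast source reachable-via (rx|any)\b(.*)")

def audit_urpf(config_text):
    """Map each interface to its Unicast RPF mode, self-ping flag and RPF ACL."""
    results, iface = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
            results[iface] = {"urpf": None, "self_ping": False, "acl": None}
        elif not line.startswith(" "):
            iface = None                      # "!" or a global command ends the block
        elif iface and (m := URPF_RE.fullmatch(line.strip())):
            opts = m.group(2).split()
            acls = [o for o in opts if not o.startswith("allow-")]
            results[iface] = {"urpf": m.group(1),
                              "self_ping": "allow-self-ping" in opts,
                              "acl": acls[0] if acls else None}
    return results

def findings(results):
    """Return (interface, note) pairs an operator should review."""
    notes = []
    for iface, cfg in results.items():
        if cfg["urpf"] and not cfg["self_ping"]:
            notes.append((iface, "switch cannot ping itself on this interface"))
        if cfg["acl"]:                        # only set when Unicast RPF is enabled
            notes.append((iface, "RPF ACL in use: denied traffic is checked by the MSFC2"))
    return notes

if __name__ == "__main__":
    for iface, note in findings(audit_urpf(SAMPLE_CONFIG)):
        print(f"{iface}: {note}")
```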