
ip verify unicast reverse-path

Jason Fraioli
Level 3

Some time ago I posted a question here regarding "ip verify unicast reverse-path". I have come to find that this command will not work on gig single mode fiber ports (WS-X6748-SFP).

The command works fine on the 100FX cards (WS-X6324-100FX-MM).

Is there a way to enable reverse path verification on the WS-X6748-SFP line cards?

Edit: Cat 6509 - 12.2(14r)S9

7 Replies

Edison Ortiz
Hall of Fame

According to the documentation:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/secure.html#wp1088735

This feature is driven by the PFC and not the line card.

What error do you get while configuring such feature in the 6748 module?

HTH,

__

Edison.

CORE-6509(config-if)#ip verify ?
  source  source address
CORE-6509#sh mls cef ip rpf
RPF global mode: not enabled

I am searching for the configuration guide for a Sup720 for cef rpf. I think that's where my hangup is.

Make sure the interface is in routed mode

no switchport

Please post the output from typing

show ver | i IOS

Here is mine and it works:

sh ver | i IOS
IOS (tm) s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)SXF8, RELEASE SOFTWARE (fc2)
sh mls cef ip rpf
RPF global mode: not enabled

HTH,

__

Edison.

edit: I hate the way this forum does replies

Edison Ortiz
Hall of Fame

I just found a 6509 with 6748

show mod 9
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  9    48 CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAD080707HU

rack3-6509(config-if)#int g9/1
rack3-6509(config-if)#ip verify ?
  unicast  Enable per packet validation for unicast
rack3-6509(config-if)#ip verify un
rack3-6509(config-if)#ip verify unicast ?
  reverse-path  Reverse path validation of source address (old command format)
  source        Validation of source address
rack3-6509(config-if)#ip verify unicast re
rack3-6509(config-if)#ip verify unicast reverse-path ?
  <1-199>          IP access list (standard or extended)
  <1300-2699>      IP expanded access list (standard or extended)
  allow-self-ping  Allow router to ping itself (opens vulnerability in
                   verification)
rack3-6509(config-if)#ip verify unicast reverse-path alo
rack3-6509(config-if)#ip verify unicast reverse-path
Warning: Deprecated Command.
Changed to "ip verify unicast source reachable-via rx allow-default".
rack3-6509(config-if)#do show run int g9/1
Building configuration...
Current configuration : 166 bytes
!
interface GigabitEthernet9/1
 ip verify unicast source reachable-via rx allow-default

HTH,

__

Edison.

Please rate helpful posts

Well now why will the command work on a non routed port on the 100FX ports, but not on the gig ports?

It is ok to use this command on a vlan interface correct?

Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH2, RELEASE SOFTWARE (fc1)

It's not supposed to work on non-routed ports as it is not running Layer3 services.

IP RPF relies on Layer3 so the behavior exhibited in the 6748 is the correct one.

As for configuring IP RPF under SVI, Yes - it can be done.

HTH,

__

Edison.

Please rate helpful posts
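An added example, not part of any post in this thread and not Cisco tooling: a small Python audit that applies the two points made above to a saved running configuration. It flags uRPF lines placed on Layer 2 switchports and uses of the deprecated `reverse-path` form. The sample configuration, the finding labels, and the assumption that an interface without a `switchport` line is routed are all this example's own.

```python
import re

# Constructed sample config (not from the thread); names and addresses are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet9/1
 no switchport
 ip address 192.0.2.1 255.255.255.0
 ip verify unicast source reachable-via rx allow-default
!
interface GigabitEthernet9/2
 switchport
 ip verify unicast reverse-path
!
interface Vlan10
 ip address 198.51.100.1 255.255.255.0
 ip verify unicast reverse-path
!
interface GigabitEthernet9/3
 no switchport
 ip address 203.0.113.1 255.255.255.0
!
"""

def parse_interfaces(config):
    """Map each interface name to its list of sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        match = re.match(r"interface\s+(\S+)", line)
        if match:
            current = interfaces.setdefault(match.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a top-level command closes the stanza
    return interfaces

def audit_urpf(config):
    """Return (interface, finding) tuples; finding labels are this example's own."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        urpf = [c for c in cmds if c.startswith("ip verify unicast")]
        layer2 = any(c == "switchport" or c.startswith("switchport ") for c in cmds)
        if urpf and layer2:  # uRPF relies on Layer 3, so it has no effect here
            findings.append((name, "urpf-on-layer2-port"))
        if any(c.startswith("ip verify unicast reverse-path") for c in urpf):
            findings.append((name, "deprecated-syntax"))
        if not urpf and not layer2:  # informational; assumes no "switchport" means routed
            findings.append((name, "layer3-no-urpf"))
    return findings
```

On the constructed sample, `audit_urpf(SAMPLE_CONFIG)` reports GigabitEthernet9/2 for both the Layer 2 placement and the deprecated form, Vlan10 for the deprecated form, and GigabitEthernet9/3 as a routed port without uRPF.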
