
New Member

ip verify unicast reverse-path

Some time ago I posted a question here regarding "ip verify unicast reverse-path". I have come to find that this command will not work on gig single mode fiber ports (WS-X6748-SFP).

The command works fine on the 100FX cards (WS-X6324-100FX-MM).

Is there a way to enable reverse path verification on the WS-X6748-SFP line cards?

Edit: Cat 6509 - 12.2(14r)S9

Accepted Solutions
Hall of Fame Super Bronze

Re: ip verify unicast reverse-path

It's not supposed to work on non-routed ports, as they are not running Layer 3 services.

IP RPF relies on Layer 3, so the behavior exhibited in the 6748 is the correct one.

As for configuring IP RPF under an SVI: yes, it can be done.

HTH,

__

Edison.

Please rate helpful posts

7 REPLIES
Hall of Fame Super Bronze

Re: ip verify unicast reverse-path

According to the documentation:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/secure.html#wp1088735

This feature is driven by the PFC and not the line card.

What error do you get while configuring this feature on the 6748 module?

HTH,

__

Edison.

New Member

Re: ip verify unicast reverse-path

CORE-6509(config-if)#ip verify ?

source source address

CORE-6509#sh mls cef ip rpf

RPF global mode: not enabled

I am searching for the configuration guide for a Sup720 for cef rpf. I think that's where my hangup is.

Hall of Fame Super Bronze

Re: ip verify unicast reverse-path

Make sure the interface is in routed mode

no switchport

Please post the output from typing

show ver | i IOS

Here is mine and it works:

sh ver | i IOS

IOS (tm) s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)SXF8, RELEASE SOFTWARE (fc2)

sh mls cef ip rpf

RPF global mode: not enabled

HTH,

__

Edison.

New Member

Re: ip verify unicast reverse-path

edit: I hate the way this forum does replies

Hall of Fame Super Bronze

Re: ip verify unicast reverse-path

I just found a 6509 with 6748

show mod 9

Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  9   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAD080707HU

rack3-6509(config-if)#int g9/1

rack3-6509(config-if)#ip verify ?

unicast Enable per packet validation for unicast

rack3-6509(config-if)#ip verify un

rack3-6509(config-if)#ip verify unicast ?

reverse-path Reverse path validation of source address (old command format)

source Validation of source address

rack3-6509(config-if)#ip verify unicast re

rack3-6509(config-if)#ip verify unicast reverse-path ?

<1-199> IP access list (standard or extended)

<1300-2699> IP expanded access list (standard or extended)

allow-self-ping Allow router to ping itself (opens vulnerability in verification)

rack3-6509(config-if)#ip verify unicast reverse-path alo

rack3-6509(config-if)#ip verify unicast reverse-path

Warning: Deprecated Command.

Changed to "ip verify unicast source reachable-via rx allow-default".

rack3-6509(config-if)#do show run int g9/1

Building configuration...

Current configuration : 166 bytes

!

interface GigabitEthernet9/1

ip verify unicast source reachable-via rx allow-default

HTH,

__

Edison.

Please rate helpful posts
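An added example, not part of the thread and not Cisco code: a small Python audit that applies the points made in these replies to saved `show running-config` text. It marks Layer 2 switchports as out of scope for unicast RPF, reports routed ports and SVIs that lack it, and flags the deprecated `reverse-path` form. The sample config, function names and status labels are constructed for illustration, and the Layer 2 test assumes the config shows an explicit `switchport` line on such ports.

```python
import re

# Constructed sample of `show running-config` output (not taken from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet9/1
 no switchport
 ip verify unicast source reachable-via rx allow-default
!
interface GigabitEthernet9/2
 switchport
 switchport mode access
!
interface GigabitEthernet9/3
 no switchport
 ip verify unicast reverse-path
!
interface Vlan10
 ip address 203.0.113.1 255.255.255.0
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from IOS config text."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", raw)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return blocks

def urpf_status(lines):
    """Classify one interface block by its unicast RPF configuration."""
    # Assumption: a Layer 2 port shows at least one "switchport ..." line.
    if any(l.startswith("switchport") for l in lines):
        return "layer2-not-applicable"
    if any(l.startswith("ip verify unicast source reachable-via") for l in lines):
        return "urpf-enabled"
    if any(l.startswith("ip verify unicast reverse-path") for l in lines):
        return "urpf-deprecated-syntax"
    return "layer3-no-urpf"

def audit(config):
    return {name: urpf_status(lines) for name, lines in parse_interfaces(config).items()}

print(audit(SAMPLE_CONFIG))
```
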

New Member

Re: ip verify unicast reverse-path

Well now why will the command work on a non-routed port on the 100FX ports, but not on the gig ports?

It is OK to use this command on a VLAN interface, correct?

Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH2, RELEASE SOFTWARE (fc1)
