Cisco Support Community
ovt Bronze

Disabling "ip unreachables" on Sup720/MSFC3 (Hybrid)


Can anybody explain the following results:

1. If I send 5 pings, the access-list counter on the MSFC3 is incremented by 10...

2. If I set "no ip unreachables" on the MSFC it is still incremented by 10 (I see that unreachables are not sent)...

3. If I set "no ip redirects" on the MSFC the access-list hit counter is no longer incremented (this is good), but this disables unreachables too... I mean if I enable them with "ip unreachables" it has no effect when "no ip redirects" is set...

RACL is configured on a single MSFC interface, so no ACL sharing, etc. CatOS 8.5(6) with 12.2(18)SXF5 IOS.

More questions:

- what is the correct way to disable unreachables on the MSFC3 and/or Sup?

- is it possible to see MSFC RACLs programmed into the hardware under CatOS? The Native IOS can show them.

- does CatOS or Native IOS support hardware RACL counters (something like hardware VACL counters)?



Re: Disabling "ip unreachables" on Sup720/MSFC3 (Hybrid)

IMO, the counter may include the return packet.

Please provide the ACL & ping command for more information.

ovt Bronze

Re: Disabling "ip unreachables" on Sup720/MSFC3 (Hybrid)

Thanks for the reply.

The ACL doesn't catch the returning packets:


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:

Success rate is 0 percent (0/5)

MSFC#sh access-l
Extended IP access list 101
10 permit icmp host host echo
20 deny icmp host host echo (10 matches)
30 permit ip any any

MSFC#sh run int vlan 11
Building configuration...

Current configuration : 88 bytes

interface Vlan11
ip address
ip access-group 101 in

MSFC#sh fm summary
Interface: Vlan11 is up
TCAM screening for features: ACTIVE inbound

So, the counter is incremented by 10 for 5 ICMP echoes.


Re: Disabling "ip unreachables" on Sup720/MSFC3 (Hybrid)

Some info in CCO as below. The ICMP echo cannot be filtered. I don't know whether it is the reason.

Can you try to block the ICMP only (w/o echo) and test again?

Sorry, I can't find a doc describing that ICMP in the MSFC uses double the number of packets. Please try the above suggestion to check the result.

Hope this helps.

ovt Bronze

Re: Disabling "ip unreachables" on Sup720/MSFC3 (Hybrid)

All of the traffic: icmp, tcp, udp which is below 100 pps is sent to the MSFC3 without rate-limiting because "unreachable" or "redirect" might be needed (this is correct behaviour). Then it is counted twice by the MSFC3 RACL (this seems to be a bug). If "no ip redirects" is set on the MSFC3 sending packets to the MSFC for processing is disabled. "No ip unreachables" seems to not have any effect (IMO this is a bug too).


Re: Disabling "ip unreachables" on Sup720/MSFC3 (Hybrid)

Thanks for the information. It seems you found the reason. You may return this bug to Cisco for further investigation.
