Cisco Support Community
ovt Bronze

Disabling "ip unreachables" on Sup720/MSFC3 (Hybrid)

Hi!

Can anybody explain the following results:

1. If I send 5 pings, the access-list counter on the MSFC3 is incremented by 10...

2. If I set "no ip unreachables" on the MSFC, it is still incremented by 10 (I see that unreachables are not sent)...

3. If I set "no ip redirects" on the MSFC, the access-list hit counter is no longer incremented (this is good), but this disables unreachables too... I mean, if I enable them with "ip unreachables", it has no effect when "no ip redirects" is set...

The RACL is configured on a single MSFC interface, so no ACL sharing, etc. CatOS 8.5(6) with 12.2(18)SXF5 IOS.

More questions:

- what is the correct way to disable unreachables on the MSFC3 and/or Sup?

- is it possible to see MSFC RACLs programmed into the hardware under CatOS? The Native IOS can show them.

- does CatOS or Native IOS support hardware RACL counters (something like hardware VACL counters)?

Thx.

5 REPLIES
Silver

Re: Disabling "ip unreachables" on Sup720/MSFC3 (Hybrid)

IMO, the counter may include the return packet.

Please provide the ACL & ping command for more information.

ovt Bronze

Re: Disabling "ip unreachables" on Sup720/MSFC3 (Hybrid)

Thanks for the reply.

The ACL doesn't catch the returning packets:

R-up#ping 172.16.51.102
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.51.102, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

MSFC#sh access-l
Extended IP access list 101
10 permit icmp host 172.16.11.1 host 81.13.62.53 echo
20 deny icmp host 172.16.11.1 host 172.16.51.102 echo (10 matches)
30 permit ip any any

MSFC#sh run int vlan 11
Building configuration...
Current configuration : 88 bytes
!
interface Vlan11
ip address 172.16.11.101 255.255.255.0
ip access-group 101 in
end

MSFC#sh fm summary
Interface: Vlan11 is up
TCAM screening for features: ACTIVE inbound

So, the counter is incremented by 10 for 5 ICMP echoes.

Silver

Re: Disabling "ip unreachables" on Sup720/MSFC3 (Hybrid)

Some info from CCO is below. The ICMP echo cannot be filtered. I don't know if that is the reason.

http://www.cisco.com/en/US/products/hw/switches/ps700/products_command_reference_chapter09186a008007f2ae.html#8684

Can you try to block the ICMP only (w/o echo) and test again?

Sorry, I can't find a doc describing why ICMP on the MSFC uses double the number of packets. Please try the above suggestion to check the result.

Hope this helps.

ovt Bronze

Re: Disabling "ip unreachables" on Sup720/MSFC3 (Hybrid)

All of the traffic (icmp, tcp, udp) which is below 100 pps is sent to the MSFC3 without rate-limiting because an "unreachable" or "redirect" might be needed (this is correct behaviour). Then it is counted twice by the MSFC3 RACL (this seems to be a bug). If "no ip redirects" is set on the MSFC3, sending packets to the MSFC for processing is disabled. "No ip unreachables" seems not to have any effect (IMO this is a bug too).
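A small script, added here as an example and not part of the thread or any Cisco tooling, that reproduces the counter check the poster did by hand: it parses two `show access-lists` snapshots (taken before and after a known number of test packets), reports the per-ACE counter delta, and expresses it as hits per packet, so a ratio of 2.0 makes the double-count described above visible without eyeballing. The two snapshots are constructed to match the output format posted earlier in the thread (IOS omits the "(N matches)" suffix when the count is zero, which the parser treats as 0).

```python
"""Compare two `show access-lists` snapshots and report per-ACE match deltas.

Constructed example for a thread about RACL counters on a Sup720/MSFC3.
This is not Cisco tooling and not code from the thread; the snapshot text
below is constructed to match the output format posted in the thread.
"""
import re
from typing import Dict, Tuple

ACL_HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
# One ACE line: "<seq> <permit|deny> <rest> [(N matches)]"
ACE_LINE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matches?\))?\s*$"
)


def parse_access_lists(text: str) -> Dict[str, Dict[int, Tuple[str, int]]]:
    """Map ACL name -> {seq: (ace_text, match_count)}.

    IOS omits the "(N matches)" suffix when the counter is zero, so an ACE
    line without it is recorded as 0 matches.
    """
    acls: Dict[str, Dict[int, Tuple[str, int]]] = {}
    current = None
    for line in text.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = m.group(1)
            acls[current] = {}
            continue
        m = ACE_LINE.match(line)
        if m and current is not None:
            seq = int(m.group(1))
            ace = f"{m.group(2)} {m.group(3)}"
            count = int(m.group(4)) if m.group(4) else 0
            acls[current][seq] = (ace, count)
    return acls


def ace_deltas(before: str, after: str) -> Dict[Tuple[str, int], int]:
    """Per-ACE counter increase between two snapshots; unchanged ACEs are omitted."""
    b, a = parse_access_lists(before), parse_access_lists(after)
    deltas: Dict[Tuple[str, int], int] = {}
    for name, aces in a.items():
        for seq, (ace, count) in aces.items():
            prev = b.get(name, {}).get(seq, (ace, 0))[1]
            if count - prev:
                deltas[(name, seq)] = count - prev
    return deltas


def hits_per_packet(delta: int, packets_sent: int) -> float:
    """Counter increase per test packet: 1.0 is expected, 2.0 is the
    double-count the thread describes."""
    if packets_sent <= 0:
        raise ValueError("packets_sent must be positive")
    return delta / packets_sent


# Constructed snapshots in the format of the thread's `sh access-l` output.
BEFORE = """\
Extended IP access list 101
    10 permit icmp host 172.16.11.1 host 81.13.62.53 echo
    20 deny icmp host 172.16.11.1 host 172.16.51.102 echo
    30 permit ip any any
"""

AFTER = """\
Extended IP access list 101
    10 permit icmp host 172.16.11.1 host 81.13.62.53 echo
    20 deny icmp host 172.16.11.1 host 172.16.51.102 echo (10 matches)
    30 permit ip any any
"""

if __name__ == "__main__":
    # Five echoes were sent between the two snapshots, as in the thread.
    for (name, seq), delta in ace_deltas(BEFORE, AFTER).items():
        ratio = hits_per_packet(delta, 5)
        print(f"ACL {name} seq {seq}: +{delta} ({ratio:.1f} hits/packet)")
```

Run it against real snapshots by pasting the two `show access-lists` captures into BEFORE and AFTER and setting the packet count to what the ping actually sent; any ACE whose ratio is not 1.0 is worth checking against the interface's `ip redirects` / `ip unreachables` state.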

Silver

Re: Disabling "ip unreachables" on Sup720/MSFC3 (Hybrid)

Thanks for the information. It seems you have found the reason. You may report this bug to Cisco for further investigation.
