92 Byte ICMP Blocking Problem
Mark Vevers
mark at vevers.net
Sat Sep 13 13:13:19 UTC 2003
Steve Carter said:
>
> I believe it to be true that all policy route traffic is processor
> switched rather than CEF on the 75xx platform. If so, the 75xx might
> not be handling all it's being asked to and dropping stuff in a
> non-deterministic way.
>
In my experience you can do the 92 byte blocking on 75's with dCEF
provided you are *very* careful about exactly what policy based routes you
set up ...
Try the following:
On the interfaces make sure you have:
    ip route-cache policy
Then apply your PBR to the inbound interface:
    ip policy route-map block92
which looks like:
    route-map block92 permit 10
     match ip address 121
     match length 92 92
     set interface Null0
    route-map block92 permit 20
With access-list 121 looking like
    access-list 121 permit icmp any any echo
The route-map is extremely critical because some can be done in dCEF and
some can't - and you must have the extra permit as well (sorry if I'm
teaching grandma to suck eggs) but this seems to work for us. (12.2.15T5)
Be sure to check the vip cpu .... and show cef drop and show cef
not-cef-switched for the linecard involved ...
BTW we also found that in an earlier release of IOS we needed to reboot
the router to get this to work properly.
Regards
Mark
--
Mark Vevers. mark at ifl.net / mark at vevers.net
Principal Internet Engineer, Internet for Learning,
Research Machines Plc. (AS5503)
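A small offline check for the pieces the post lists (an added example, not part of Mark's message and not a Cisco tool): it reads `show running-config`-style text with indented sub-commands and reports which of the post's requirements are missing. The interface name in the sample and the function names `parse` and `audit` are assumptions.

```python
import re

# Constructed sample built from the post's fragments; the interface name is an assumption.
SAMPLE = """\
interface Serial1/0/0
 ip route-cache policy
 ip policy route-map block92
!
route-map block92 permit 10
 match ip address 121
 match length 92 92
 set interface Null0
route-map block92 permit 20
access-list 121 permit icmp any any echo
"""

def parse(config):
    """Group indented sub-commands under their top-level IOS command."""
    blocks, current = [], None
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line[0].isspace() and current is not None:
            current[1].append(line.strip())
        else:
            current = (line.strip(), [])
            blocks.append(current)
    return blocks

def audit(config, rmap="block92", acl="121"):
    """Return the requirements from the post that this config does not meet."""
    blocks, problems = parse(config), []
    ifaces = [b for h, b in blocks if h.startswith("interface ")
              and f"ip policy route-map {rmap}" in b]
    if not ifaces:
        problems.append("route-map not applied to any interface")
    if any("ip route-cache policy" not in b for b in ifaces):
        problems.append("ip route-cache policy missing on a PBR interface")
    seqs = {int(h.split()[-1]): b for h, b in blocks
            if re.fullmatch(rf"route-map {re.escape(rmap)} permit \d+", h)}
    drop = [s for s, b in seqs.items() if "set interface Null0" in b]
    if not drop or any(f"match ip address {acl}" not in seqs[s]
                       or "match length 92 92" not in seqs[s] for s in drop):
        problems.append("drop entry must match the ACL and length 92 92")
    if drop and not any(s > max(drop) and not b for s, b in seqs.items()):
        problems.append("no empty trailing permit entry after the drop entry")
    if f"access-list {acl} permit icmp any any echo" not in [h for h, _ in blocks]:
        problems.append("ACL does not limit the match to ICMP echo")
    return problems
```

This only checks that the configuration is present; whether the traffic is actually switched in dCEF still has to be confirmed on the router with the show commands mentioned in the post.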