North American Network Operators Group


Re: 92 Byte ICMP Blocking Problem

  • From: Mark Vevers
  • Date: Sat Sep 13 09:15:35 2003

Steve Carter said:
>
> I believe it to be true that all policy route traffic is processor
> switched rather than CEF on the 75xx platform.  If so, the 75xx might
> not be handling all it's being asked to and dropping stuff in a
> non-deterministic way.
>

In my experience you can do the 92 byte blocking on 75's with dCEF
provided you are *very* careful about exactly what policy based routes you
set up ...
Try the following:

On the interfaces make sure you have:
  ip route-cache policy

Then apply your PBR to the inbound interface:
  ip policy route-map block92

which looks like:
  route-map block92 permit 10
    match ip address 121
    match length 92 92
    set interface Null0
  route-map block92 permit 20

With access-list 121 looking like
  access-list 121 permit icmp any any echo

The route-map is extremely critical because some can be done in dCEF and
some can't - and you must have the extra permit as well (sorry if I'm
teaching grandma to suck eggs) but this seems to work for us. (12.2.15T5)

Be sure to check the vip cpu .... and show cef drop and show cef
not-cef-switched for the linecard involved ...

BTW we also found that in an earlier release of IOS we needed to reboot
the router to get this to work properly.

Regards
Mark
-- 
Mark Vevers.    [email protected] / [email protected]
Principal Internet Engineer, Internet for Learning,
Research Machines Plc. (AS5503)
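
An offline check mirroring the two match clauses in the post above (access-list 121 "icmp any any echo" plus "match length 92 92"), for confirming against captured packets what the route-map should send to Null0. This is an added example, not part of the original post; it assumes "match length" compares the IPv4 total length, and the function names and sample packets are constructed for illustration.

```python
import struct

ICMP_ECHO = 8   # access-list 121: permit icmp any any echo
BLOCK_LEN = 92  # route-map block92: match length 92 92

def matches_block92(pkt: bytes) -> bool:
    """True if a raw IPv4 packet meets both match clauses of block92 permit 10."""
    if len(pkt) < 20:
        return False
    ver_ihl, _tos, total_len, _id, frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1 or ihl < 20 or len(pkt) <= ihl:
        return False
    if frag & 0x1FFF:
        # Simplification: later fragments carry no ICMP header to inspect;
        # IOS ACL fragment handling is not modelled here.
        return False
    return total_len == BLOCK_LEN and pkt[ihl] == ICMP_ECHO

def build_packet(proto: int, l4_type: int, payload_len: int) -> bytes:
    """Constructed sample: 20-byte IPv4 header, 8-byte L4 header, zero payload."""
    total = 20 + 8 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    l4 = struct.pack("!BBHHH", l4_type, 0, 0, 1, 1)
    return ip + l4 + b"\x00" * payload_len

# Constructed test packets (documentation addresses, checksums left at zero).
SAMPLES = {
    "echo, 92 bytes":       build_packet(1, 8, 64),
    "echo, 84 bytes":       build_packet(1, 8, 56),
    "echo-reply, 92 bytes": build_packet(1, 0, 64),
    "udp, 92 bytes":        build_packet(17, 8, 64),
}

def report() -> dict:
    """Map each sample name to whether block92 permit 10 would match it."""
    return {name: matches_block92(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in report().items():
        print(f"{name:22s} -> {'Null0' if hit else 'permit 20 (normal routing)'}")
```

Only the first sample meets both clauses; everything else falls through to the empty "permit 20" entry and is routed normally.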