[107796] in North American Network Operators' Group

Re: Cisco uRPF failures

daemon@ATHENA.MIT.EDU (Saku Ytti)
Sat Sep 13 16:00:44 2008

Date: Sat, 13 Sep 2008 23:00:31 +0300
From: Saku Ytti <saku+nanog@ytti.fi>
To: nanog@nanog.org
In-Reply-To: <20080913182618.GA29660@biological.warningg.com>
Errors-To: nanog-bounces@nanog.org

On (2008-09-13 13:26 -0500), Brandon Ewing wrote:

Hey Brandon,

> Are you sure?  According to the IOS guide for 3560E/3750E, "ip verify" is
> still an unsupported interface command.  I don't have a 3560E handy to test
> on, but I know that a non-E 3560 refuses it with a notice regarding how
> verification is not supported by hardware.

To be honest, I'm not sure. Feature-wise, the highlights I've taken note of in
the E series of the 3560, in comparison to the non-E, are jumbo MTU support in
L3 and uRPF, apart from the obvious 10GE and PSU enhancements.
While I haven't personally run a 3560E, I'm fairly confident that it's
supported, in hardware (and software to turn it on).

uRPF is mentioned here:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps7078/product_data_sheet0900aecd805bac22.html
Advanced Security
• Unicast RPF feature helps mitigate problems caused by the introduction of
malformed or forged (spoofed) IP source addresses into a network by
discarding IP packets that lack a verifiable IP source address.


-- 
  ++ytti

