Firewall Wizards mailing list archives

Cisco PIX 'unicast rpf drops' counter not showing


From: "Basil Hussain" <basil.hussain () kodakweddings com>
Date: Wed, 6 Mar 2002 12:30:59 -0000

Hi,

I have recently enabled the 'ip verify reverse-path' feature on the inside
interface on my Cisco PIX-515 to perform egress filtering. It seems to be
working, but I want to be absolutely sure that everything is correct and no
packets are inadvertently being dropped.

According to the Cisco PIX docs (for version 6.0, which is what I'm
running), it tells you that it's possible to see if packets are being
dropped by watching the 'unicast rpf drops' counter on the relevant
interface's statistics.

The trouble is, when I issue a 'show interface' command for the interface,
there's no sight of such a counter! Here's a cut & paste of the output I'm
getting:

----<snip>----
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0003.6bf6.6c35
  IP address ###.###.###.###, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        132202347 packets input, 1301809850 bytes, 0 no buffer
        Received 18126500 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        121728147 packets output, 4182466678 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/57)
        output queue (curr/max blocks): hardware (0/48) software (0/12)
----<snip>----

The 'unicast rpf drops' counter should be right at the end of line 8 - as
you can see, it's not!

I'm slightly worried that: a) I'm missing something with the config of the
'ip verify reverse-path' feature; b) It's not working at all; c) I have a
bug in my version of the PIX software.

Can anyone help uncover what's going on?

Regards,

Basil Hussain


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

