List: firewall-wizards
Subject: RE: [fw-wiz] Cisco PIX 'unicast rpf drops' counter not showing
From: Karl Vogel <karl.vogel () seagha ! com>
Date: 2002-03-06 14:30:26
Don't know how it is on PIX, but in the 'normal' IOS you have to
do a 'show ip interface XXX'

You can also enable debugging to view the dropped packets:

    debug ip cef drops

If you are on a remote console, do a 'term monitor' to see the
logging in your session.

> -----Original Message-----
> From: Basil Hussain [mailto:basil.hussain@kodakweddings.com]
> Sent: Wednesday, March 06, 2002 13:31
> To: firewall-wizards@nfr.com
> Subject: [fw-wiz] Cisco PIX 'unicast rpf drops' counter not showing
>
>
> Hi,
>
> I have recently enabled the 'ip verify reverse-path' feature on the inside
> interface on my Cisco PIX-515 to perform egress filtering. It seems to be
> working, but I want to be absolutely sure that everything is correct and no
> packets are inadvertently being dropped.
>
> According to the Cisco PIX docs (for version 6.0, which is what I'm
> running), it tells you that it's possible to see if packets are being
> dropped by watching the 'unicast rpf drops' counter on the relevant
> interface's statistics.
>
> The trouble is, when I issue a 'show interface' command for the interface,
> there's no sight of such a counter! Here's a cut & paste of the output I'm
> getting:
>
> ----<snip>----
> interface ethernet1 "inside" is up, line protocol is up
> Hardware is i82559 ethernet, address is 0003.6bf6.6c35
> IP address ###.###.###.###, subnet mask 255.255.255.0
> MTU 1500 bytes, BW 100000 Kbit full duplex
> 132202347 packets input, 1301809850 bytes, 0 no buffer
> Received 18126500 broadcasts, 0 runts, 0 giants
> 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
> 121728147 packets output, 4182466678 bytes, 0 underruns
> 0 output errors, 0 collisions, 0 interface resets
> 0 babbles, 0 late collisions, 0 deferred
> 0 lost carrier, 0 no carrier
> input queue (curr/max blocks): hardware (128/128)
> software (0/57)
> output queue (curr/max blocks): hardware (0/48)
> software (0/12)
> ----<snip>----
>
> The 'unicast rpf drops' counter should be right at the end of line 8 - as
> you can see, it's not!
>
> I'm slightly worried that: a) I'm missing something with the config of the
> 'ip verify reverse-path' feature; b) It's not working at all; c) I have a
> bug in my version of the PIX software.
>
> Can anyone help uncover what's going on?
>
> Regards,
>
> Basil Hussain
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@nfr.com
> http://list.nfr.com/mailman/listinfo/firewall-wizards
>
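
Added example (not part of either message above, and not Cisco's code): a simplified Python model of the strict reverse-path check behind 'ip verify reverse-path', useful for predicting which source addresses arriving on the inside interface would be dropped when no drop counter is visible. The route table, interface names and sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed route table: (destination prefix, interface used to reach it).
ROUTES = [
    ("0.0.0.0/0", "outside"),       # default route
    ("192.168.1.0/24", "inside"),   # directly connected inside network
    ("10.20.0.0/16", "inside"),     # static route to a subnet behind an inside router
]

def build_table(routes):
    """Parse the prefixes once and order them longest-prefix first."""
    table = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]
    return sorted(table, key=lambda r: r[0].prefixlen, reverse=True)

def reverse_path_interface(table, src):
    """Interface the firewall would use to reach src, or None if no route."""
    addr = ipaddress.ip_address(src)
    for net, ifc in table:
        if addr in net:
            return ifc
    return None

def rpf_verdict(table, src, ingress):
    """Strict check: pass only if the route back to src leaves via ingress."""
    expected = reverse_path_interface(table, src)
    if expected is None:
        return "drop (no route to source)"
    if expected != ingress:
        return f"drop (source routes via {expected})"
    return "pass"

# Constructed samples: (source address, interface the packet arrived on).
SAMPLES = [
    ("192.168.1.50", "inside"),   # host on the connected inside network
    ("10.20.3.4", "inside"),      # host behind the inside router, route present
    ("172.16.9.9", "inside"),     # internal subnet with no route: inadvertent drop
    ("203.0.113.7", "inside"),    # forged external source leaving the inside
    ("192.168.1.50", "outside"),  # inside address arriving from the outside
]

def audit(table, samples):
    """Return (source, ingress, verdict) for every sample packet."""
    return [(s, i, rpf_verdict(table, s, i)) for s, i in samples]

if __name__ == "__main__":
    for src, ingress, verdict in audit(build_table(ROUTES), SAMPLES):
        print(f"{src:<15} on {ingress:<8} {verdict}")
```

The third sample is the case worth checking before relying on the feature: a legitimate internal subnet that the firewall has no inside-facing route for is treated exactly like a forged source.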