Cisco Bug: CSCvv93138 - ENH: Make `no ip redirects` and `no ipv6 redirects` default configuration on Layer 3 interfaces
Oct 05, 2020
- Cisco Nexus 7000 Series Switches
Known Affected Releases
7.0(3)I7(9) 8.2(6) 8.4(3) 9.2(4) 9.3(5)
Symptom: By default, `no ip redirects` and `no ipv6 redirects` are not automatically configured on Layer 3 interfaces in NX-OS. Cisco best practices recommend disabling ICMP/ICMPv6 Redirect messages on all Layer 3 interfaces with this configuration, so that traffic matching an ICMP/ICMPv6 Redirect scenario is not punted to the control plane and subsequently software-forwarded. Such traffic flows are subject to CoPP (Control Plane Policing), which can cause packet loss if their bandwidth exceeds the CoPP rate limiter, at which point the excess is dropped in hardware.

This bug ID tracks an enhancement to NX-OS that adds two behaviors:

1. All Layer 3 interfaces (SVIs, routed physical interfaces, routed port-channels, loopbacks, etc.) have `no ip redirects` and `no ipv6 redirects` automatically configured when the interface is created.
2. Upon upgrading to an NX-OS software release that includes this enhancement, a syslog is printed for each Layer 3 interface (SVIs, routed physical interfaces, routed port-channels, loopbacks, etc.) that does not already have `no ip redirects` and `no ipv6 redirects` configured. This syslog can be globally suppressed with non-default configuration (e.g. `ip redirect suppress-syslog` and/or `ipv6 redirect suppress-syslog`).

Recent enhancements already push this configuration automatically in vPC environments with the vPC Peer Gateway feature enabled. However, that does not cover scenarios where customers use their Nexus platform primarily as a router (with large numbers of Layer 3 port-channels and/or physical interfaces), which is common on the Nexus 7000 and Nexus 9500 platforms (particularly in VXLAN BGP EVPN environments).

Conditions: This enhancement (most notably the syslog) may be observed when a Nexus switch has Layer 3 interfaces (SVIs, routed physical interfaces, routed port-channels, loopbacks, etc.) that are not configured with `no ip redirects` and `no ipv6 redirects`.
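Until a release with this enhancement is deployed, the gap described above can be audited offline from a saved `show running-config` capture. The following script is an added example and not part of the Cisco bug page or NX-OS itself; the running-config sample is constructed, and the rule it uses to decide that an interface is Layer 3 (SVI or loopback by name, otherwise `no switchport` or an IP/IPv6 address without `switchport`) is an assumption that matches common NX-OS output but should be checked against the platform in use. It reports every Layer 3 interface missing either command and renders the configuration that would close the gap.

```python
"""Audit an NX-OS running-config for Layer 3 interfaces that lack
`no ip redirects` / `no ipv6 redirects`, and render remediation config."""
import re
from typing import Dict, List

# Constructed sample of `show running-config interface` output (not from the bug page).
SAMPLE_RUNNING_CONFIG = """\
interface Vlan100
  no shutdown
  ip address 10.1.100.1/24
  no ip redirects
  no ipv6 redirects

interface Vlan200
  no shutdown
  ip address 10.1.200.1/24

interface port-channel10
  no switchport
  ip address 10.255.0.1/31
  no ip redirects

interface Ethernet1/1
  switchport
  switchport mode trunk

interface Ethernet1/2
  no switchport
  ipv6 address 2001:db8:1::1/64

interface loopback0
  ip address 192.0.2.1/32
  no ip redirects
  no ipv6 redirects
"""

# The two commands the enhancement would apply by default on every L3 interface.
REQUIRED = ("no ip redirects", "no ipv6 redirects")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [stripped sub-commands]}."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            # Top-level command: only `interface <name>` stanzas are of interest.
            m = re.match(r"^interface\s+(\S+)$", line)
            current = m.group(1) if m else None
            if current:
                blocks[current] = []
            continue
        if current is not None:
            blocks[current].append(line.strip())
    return blocks


def is_layer3(name: str, lines: List[str]) -> bool:
    """Assumed heuristic: SVIs and loopbacks are always L3; physical ports and
    port-channels are L3 when `no switchport` is set, or when an IP/IPv6 address
    is configured and no `switchport` command is present."""
    if name.lower().startswith(("vlan", "loopback")):
        return True
    if "no switchport" in lines:
        return True
    has_addr = any(l.startswith(("ip address", "ipv6 address")) for l in lines)
    has_switchport = any(l == "switchport" or l.startswith("switchport ") for l in lines)
    return has_addr and not has_switchport


def audit(config: str) -> Dict[str, List[str]]:
    """Return {L3 interface: [missing commands]} for interfaces lacking one or both."""
    findings: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        if not is_layer3(name, lines):
            continue
        missing = [cmd for cmd in REQUIRED if cmd not in lines]
        if missing:
            findings[name] = missing
    return findings


def remediation(findings: Dict[str, List[str]]) -> str:
    """Render the interface-mode config that would add the missing commands."""
    out: List[str] = []
    for name, missing in findings.items():
        out.append(f"interface {name}")
        out.extend(f"  {cmd}" for cmd in missing)
    return "\n".join(out)


if __name__ == "__main__":
    result = audit(SAMPLE_RUNNING_CONFIG)
    for iface, missing in result.items():
        print(f"{iface}: missing {', '.join(missing)}")
    print("--- remediation ---")
    print(remediation(result))
```

On the constructed sample the audit flags `Vlan200` and `Ethernet1/2` (both commands missing) and `port-channel10` (only `no ipv6 redirects` missing), while `Ethernet1/1` is skipped as a Layer 2 port and `Vlan100` and `loopback0` pass. Feeding it a real capture gives the same list the post-upgrade syslog would produce, interface by interface, before the upgrade happens.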