07-28-2015 07:44 AM - edited 03-08-2019 01:08 AM
Is it still considered a best practice to configure SVI interfaces on Nexus or Catalyst with the following?
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
07-28-2015 08:05 AM
Hi
We follow best practice a lot in our global network; no ip redirects and no ip proxy-arp we have set on Catalyst, and no ip redirects on Nexus SVI.
It is considered best practice to turn off no ip unreachable, but it will cause you issues when troubleshooting as it works on ICMP; if you're tracing something in your network and that's set, you get a *
no ip route-cache we don't have disabled, but we know to only enable it for specific troubleshooting like multicast. I think it is best practice to disable on Catalyst anyway; not sure about Nexus.
07-28-2015 08:06 AM
Hi,
I am not using any of the above commands in the core.... some of them at the edge
My thoughts on each command:
no ip redirects - in a well-designed network this should not appear anyway except corner cases... so unless you actually use it you can safely issue the command;
no ip proxy-arp - same as above but I would definitely use this command on the edge.
no ip unreachables - I would say this should be used at the edge - arguably as a security measure; not inside the network where it could be actually useful for troubleshooting.
no ip route-cache cef - I wouldn't disable it as this may impact switch performance (the packets will need CPU cycles for forwarding) - is there any benefit for disabling it? - the only case I am aware of is for debugging packets (which will not show if they are cef-switched).
Traian
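An added example, not written by anyone in this thread: a small audit that reads a saved configuration and reports, per SVI, which of the three ICMP/ARP commands discussed above are absent and whether `no ip route-cache` is set. The function names and the sample config are hypothetical, and it assumes disabled features appear as explicit `no ...` lines under the interface.

```python
import re

# Commands from the thread; "no ip route-cache" is reported separately because a reply warns it can hurt forwarding.
HARDENING = ("no ip redirects", "no ip unreachables", "no ip proxy-arp")
DISCOURAGED = ("no ip route-cache",)

# Constructed sample config (not from the thread); VLAN numbers and addresses are made up.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface Vlan20
 ip address 198.51.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache cef
!
interface GigabitEthernet1/0/1
 switchport mode access
"""

def parse_svis(config):
    """Return {svi_name: [stanza lines]} for every 'interface Vlan<N>' block."""
    svis, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", raw)
        if m:
            name = m.group(1)
            current = svis.setdefault(name, []) if re.match(r"(?i)vlan\d+$", name) else None
        elif current is not None and raw.startswith(" "):
            current.append(raw.strip())
        elif not raw.startswith(" "):
            current = None  # any other top-level line ends the stanza
    return svis

def audit(config):
    """Per SVI: which hardening commands are missing, which discouraged ones are set."""
    report = {}
    for name, lines in parse_svis(config).items():
        missing = [c for c in HARDENING if c not in lines]
        flagged = [l for l in lines if l.startswith(DISCOURAGED)]
        report[name] = {"missing": missing, "discouraged": flagged}
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Whether a missing command matters depends on where the SVI sits (edge or core), which is the judgment the replies above describe; the script only reports what is configured.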