From: Church, Chuck (cchurch@netcogov.com)
Date: Fri Mar 25 2005 - 10:58:21 GMT-3
This explains it real well:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800ca7cf.html
When you add the access list to the verify line, packets which fail RPF
(source address isn't reachable over that interface) are checked against
the ACL. Permit ACEs will cause that packet to be forwarded, even
though it failed RPF. Might be useful for some non-symmetric routing
paths.
Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch@netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
mani poopal
Sent: Friday, March 25, 2005 2:38 AM
To: ccielab@groupstudy.com
Subject: IP VERIFY UNICAST REVERSE PATH
Guys,
What is the main purpose of the access-list at the end of the ip verify
unicast reverse-path (to drop packets without a verifiable source address)
command? If I want to log denied packets, is option (1.) or option
(2.) right? This access-list is only for the reverse path command and not
for access-group. So what is the correct sequence of checking this
access-list by the RPF router?
(1.)
int eth0/1/1
 ip address 192.168.200.1 255.255.255.0
 ip verify unicast reverse-path 197
access-list 197 deny ip any any
(2.)
int eth0/1/1
 ip address 192.168.200.1 255.255.255.0
 ip verify unicast reverse-path 197
access-list 197 permit ip any any
B.ENG,A+,CCNA,CCNP,CCNP-VOICE, CSS1,CNA,MCSE
(416)431 9929
MANI_CCIE@YAHOO.COM
This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:51 GMT-3
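Added example, not part of the original thread and not Cisco code: a simplified Python model of the order of checks described in the reply above (RPF first, ACL only for packets that fail RPF). The FIB, the ACL entries and all function names are constructed for illustration; the handling of deny ACEs, the implicit deny and the log flag follows ordinary IOS ACL behaviour and is an assumption beyond what the thread states.

```python
import ipaddress

# Constructed FIB: prefix -> interface the router would use to reach it.
FIB = {
    "192.168.200.0/24": "eth0/1/1",
    "10.1.0.0/16": "eth0/1/2",
}

# Constructed ACL 197 as (action, source prefix, log) entries, first match wins.
ACL_197 = [
    ("permit", "10.1.5.0/24", False),  # known asymmetric path: forward anyway
    ("deny", "0.0.0.0/0", True),       # any other RPF failure: drop and log
]

# Option (2.) from the question: permit ip any any.
ACL_PERMIT_ANY = [("permit", "0.0.0.0/0", False)]


def reverse_path_interface(src, fib):
    """Longest-prefix match on the source address; None if no route."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), ifc) for p, ifc in fib.items()
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def urpf_verdict(src, in_ifc, fib, acl=None):
    """Return (verdict, reason, logged) for a packet arriving on in_ifc."""
    if reverse_path_interface(src, fib) == in_ifc:
        return ("forward", "rpf-pass", False)   # ACL is never consulted
    if acl is None:
        return ("drop", "rpf-fail", False)      # no list on the verify line
    addr = ipaddress.ip_address(src)
    for action, prefix, log in acl:             # first matching ACE decides
        if addr in ipaddress.ip_network(prefix):
            verdict = "forward" if action == "permit" else "drop"
            return (verdict, "rpf-fail acl-" + action, log)
    return ("drop", "rpf-fail acl-implicit-deny", False)
```

In this model a list that permits any source forwards every packet that failed RPF, so the reverse-path check no longer drops anything on that interface.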