RE: IP VERIFY UNICAST REVERSE PATH

From: mani poopal (mani_ccie@yahoo.com)
Date: Fri Mar 25 2005 - 15:44:45 GMT-3


Hi Guys,
 
Thanks for all the replies and your very good explanations. So the ACL is validated only if RPF fails. If I want to log all denied packets with RPF, I think the following configuration is OK.
 
(config-if)# ip verify unicast reverse-path 111
access-list 111 deny ip any any log
 
Mani

Jongsoo.Kim@Intelsat.com wrote:
I think the sequence of "ip verify unicast reverse-path 197" is:
1) it will allow any traffic whose RPF is valid.
2) it will refer any traffic whose RPF is not valid to access-list 197 for
further action.
3) in option 1), ACL 197 will drop the packet, and in option 2), it will
permit the packets.

Without "197", "ip verify unicast reverse-path" will do 1) above, and in 2)
it will drop all invalid packets.

HTH

Jongsoo

-----Original Message-----
From: mani poopal [mailto:mani_ccie@yahoo.com]
Sent: Friday, 25 March, 2005 2:38 AM
To: ccielab@groupstudy.com
Subject: IP VERIFY UNICAST REVERSE PATH

Guys,

What is the main purpose of the access-list at the end of the ip verify unicast
reverse-path (to drop packets without a verifiable source address) command?
If I want to log denied packets, is option (1.) or option (2.) right?
This access-list is only for the reverse-path command and not for access-group. So
what is the correct sequence of checking this access-list by the RPF router?

(1.)
int eth0/1/1
ip address 192.168.200.1 255.255.255.0
ip verify unicast reverse-path 197
access-list 197 deny ip any any

(2.)
int eth0/1/1
ip address 192.168.200.1 255.255.255.0
ip verify unicast reverse-path 197
access-list 197 permit ip any any

B.ENG,A+,CCNA,CCNP,CCNP-VOICE, CSS1,CNA,MCSE
(416)431 9929
MANI_CCIE@YAHOO.COM

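A small model of the decision sequence discussed in this thread (valid RPF is always forwarded; only an RPF failure is referred to the ACL, where permit forwards, deny drops, and deny with "log" drops and logs). This is an added illustration, not Cisco code or anything from the posters: the FIB, interface names, source addresses and the two ACL variants are constructed, and option (1.) is shown with the log keyword the ACL needs in order to log.

```python
# Constructed model of strict uRPF plus the optional ACL, as described in the
# thread. Not IOS code; addresses, interfaces and the FIB are made up.
from ipaddress import ip_address, ip_network

# Constructed FIB: prefix -> interface the router would use to reach it.
# Strict uRPF requires the best route to the source to point back out the
# interface the packet arrived on.
FIB = {
    ip_network("192.168.200.0/24"): "eth0/1/1",
    ip_network("10.0.0.0/8"): "eth0/0",
}

# The two ACL 197 variants from the original post, as (action, source, log).
ACL_197_OPTION1 = [("deny", "any", True)]     # option (1.), with "log" added
ACL_197_OPTION2 = [("permit", "any", False)]  # option (2.)

def rpf_valid(src, in_if):
    """Strict uRPF: longest-match route to the source must exit via in_if."""
    addr = ip_address(src)
    matches = [net for net in FIB if addr in net]
    if not matches:                      # no route at all -> RPF fails
        return False
    best = max(matches, key=lambda net: net.prefixlen)
    return FIB[best] == in_if

def acl_lookup(src, acl):
    """First-match ACL evaluation with the implicit deny (no log) at the end."""
    addr = ip_address(src)
    for action, prefix, log in acl:
        if prefix == "any" or addr in ip_network(prefix):
            return action, log
    return "deny", False

def urpf_check(src, in_if, acl=None):
    """Return (decision, logged) for one packet.
    Step 1: valid RPF is forwarded and the ACL is never consulted.
    Step 2: on RPF failure, drop if no ACL is configured; otherwise the ACL
            decides (permit -> forward, deny -> drop) and its log flag applies."""
    if rpf_valid(src, in_if):
        return "forward", False
    if acl is None:
        return "drop", False
    action, log = acl_lookup(src, acl)
    return ("forward" if action == "permit" else "drop"), log
```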



This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:51 GMT-3