From: Philippe Couture (philippecouture@gmail.com)
Date: Fri Mar 25 2005 - 16:33:17 GMT-3
Hi Mani,
I may be wrong, but I believe that adding an access-list lets you
allow some packets to be forwarded even though they failed the URPF
test. If there is an access-list and the source address in the packet
matches the access-list permit statement, it will be forwarded.
Do you want to log packets denied by the URPF check or packets denied
by your access list?
If you want to keep the default behavior of dropping the packets, and
you want to log them, I think you need to use your option (1), but add
the keyword "log-input" at the end of the deny statement.
Cheers,
Philippe
On Thu, 24 Mar 2005 23:38:05 -0800 (PST), mani poopal
<mani_ccie@yahoo.com> wrote:
> Guys,
>
> What is the main purpose of the access-list at the end of the ip verify unicast reverse-path (to drop packets without a verifiable source address) command? If I want to log denied packets, is option (1.) or option (2.) right? This access-list is only for the reverse-path command and not for access-group. So what is the correct sequence of checking this access-list by the RPF router?
>
> (1.)
> int eth0/1/1
> ip address 192.168.200.1 255.255.255.0
> ip verify unicast reverse-path 197
> access-list 197 deny ip any any
>
> (2.)
> int eth0/1/1
> ip address 192.168.200.1 255.255.255.0
> ip verify unicast reverse-path 197
> access-list 197 permit ip any any
>
> B.ENG,A+,CCNA,CCNP,CCNP-VOICE, CSS1,CNA,MCSE
> (416)431 9929
> MANI_CCIE@YAHOO.COM
>
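As an added illustration of the behaviour discussed in this thread (not code from either message or from Cisco), the following Python model runs a packet's source address through a strict uRPF lookup and, only when that fails, through the optional ACL. The FIB, interface names and ACL entries are constructed for the model, and the `log-input` keyword is represented as a boolean flag on each entry.

```python
import ipaddress

# Constructed FIB for the model: prefix -> interface the route points out of.
# No default route is listed, so a source matching nothing fails the RPF lookup.
FIB = {
    "192.168.200.0/24": "eth0/1/1",
    "10.0.0.0/8": "eth0/1/1",
    "172.16.0.0/12": "eth0/0",
}

# Constructed model of "access-list 197": (action, source prefix, log) entries
# in configuration order; the trailing implicit deny is applied in acl_lookup().
ACL_197 = [
    ("permit", "10.9.0.0/16", False),   # hypothetical prefix that routes asymmetrically
    ("deny", "0.0.0.0/0", True),        # "access-list 197 deny ip any any log-input"
]

def rpf_interface(src):
    """Longest-prefix match on the source address, as the RPF lookup does."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def acl_lookup(acl, src):
    """First matching entry wins; the implicit deny at the end is not logged."""
    addr = ipaddress.ip_address(src)
    for action, prefix, log in acl:
        if addr in ipaddress.ip_network(prefix):
            return action, log
    return "deny", False

def urpf_check(src, in_iface, acl=None):
    """Return (verdict, logged) for a packet from src arriving on in_iface.

    Strict uRPF passes when the best route back to src exits the arrival
    interface. Only FAILING packets hit the ACL: permit forwards them anyway,
    deny drops them (the default with no ACL); the entry's log flag is reported.
    """
    if rpf_interface(src) == in_iface:
        return "forward", False
    if acl is None:
        return "drop", False
    action, log = acl_lookup(acl, src)
    return ("forward" if action == "permit" else "drop"), log
```

Option (1.) from the question maps to the deny entry (same drop as with no ACL, now logged), while option (2.)'s `permit ip any any` would forward every packet that failed the RPF check, which removes the protection the command is meant to provide.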
This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:52 GMT-3