RE: IP VERIFY UNICAST REVERSE PATH

From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Fri Mar 25 2005 - 19:14:19 GMT-3

• Next message: Richard Dumoulin: "crypto-map and CEF"
• Previous message: Tony Schaffran: "RE: Need help on VPN problem"
• Maybe in reply to: mani poopal: "IP VERIFY UNICAST REVERSE PATH"
• Next in thread: mani poopal: "RE: IP VERIFY UNICAST REVERSE PATH"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Mani,

        This feature does not work in the 12.2T trains. I have verified
this both with the CLI config and in the bug toolkit:

CSCeg06652 Bug Details
   
Headline uRPF does not work ACL log
Product all Model
Component fib Duplicate of CSCin39333
Severity 3 Severity help Status Duplicate Status help
First Found-in Version 12.2(15)T05 All affected versions First
Fixed-in Version Version help
Release Notes
 
Symptoms: Cisco Express Forwarding (CEF) will drop all packets including

permitted packets or denied packets.

Conditions: This symptom is observed when Unicast Reverse Path
Forwarding
(URPF) is configured with an access control list (ACL) that has a log
option.

Workaround: There is no workaround.
 
 
HTH,

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
Of
> mani poopal
> Sent: Friday, March 25, 2005 1:38 AM
> To: ccielab@groupstudy.com
> Subject: IP VERIFY UNICAST REVERSE PATH
>
> Guys,
>
> What is the main purpose of access-list at the end of the ip verify
> unicast reverese-path(To drop packets without verifiable source
address
> )command. If I want to log denied packets is oprtion (1.) or option
(2.)
> is right. This access-list only for reverse path command and not for
> access-group. So what is the correct sequense of checking this
access-
> list by the rpf router.
>
>
> (1.)
> int eth0/1/1
> ip address 192.168.200.1 255.255.255.0
> ip verify unicast reverse-path 197
> access-list 197 deny ip any any
>
> (2.)int eth0/1/1
> ip address 192.168.200.1 255.255.255.0
> ip verify unicast reverse-path 197
> access-list 197 permit ip any any
>
>
>
>
>
> B.ENG,A+,CCNA,CCNP,CCNP-VOICE, CSS1,CNA,MCSE
> (416)431 9929
> MANI_CCIE@YAHOO.COM
>
> ---------------------------------
> Do you Yahoo!?
> Yahoo! Small Business - Try our new resources site!
>
>

• Next message: Richard Dumoulin: "crypto-map and CEF"
• Previous message: Tony Schaffran: "RE: Need help on VPN problem"
• Maybe in reply to: mani poopal: "IP VERIFY UNICAST REVERSE PATH"
• Next in thread: mani poopal: "RE: IP VERIFY UNICAST REVERSE PATH"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:52 GMT-3