RE: Unicast Reverse Path -ACL

From: Tim (ccie2be@nyc.rr.com)
Date: Sun Dec 18 2005 - 21:12:53 GMT-3


Ray,

Yep, this logic can be very confusing. It took me a while to "get it".

Here's the deal:

When you config the verify reverse-path command without an ACL, you're
telling the router to drop any packet that comes into this interface
(remember this is an interface command) that shouldn't, based on the routing
table.

Normally, this works fine as long as routing is symmetric, i.e. packets take
the same transit path coming and going. But suppose this isn't true.

Suppose that a router sends a packet to the right (int e0) to get to a given
destination but packets from that same destination come into the router from
the left (int s0). In this situation, the ip verify reverse-path command if
placed on the "left" interface would drop those packets.

That wouldn't be a good thing.

This is where the ACL comes in. You use this ACL to override the default
behavior of the ip verify reverse-path command, and a "permit" entry tells
the router to override the verify command.

IOW, the ACL should be interpreted as saying this: "Permit these packets that ip
verify would drop to come in anyway."

HTH, Tim
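The decision Tim describes, modelled in Python as an added illustration (this is not code from the thread and not Cisco's implementation; the routing table, interface names and ACL entries below are constructed for the example). It reproduces the asymmetric case from the reply: the source prefix is reachable via Ethernet0, but its packets arrive on Serial0, so strict uRPF on Serial0 fails them, and only a permit entry in the exemption ACL lets them through. It also answers Ray's question: both `deny ... log-input` and `permit ... log-input` log the failing packets, but only the permit entry forwards them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed FIB for a hypothetical router: destination prefix -> egress interface.
# 10.1.0.0/16 is reached via Ethernet0 (Tim's "right"), everything else via Serial0 ("left").
FIB = {
    ipaddress.ip_network("10.1.0.0/16"): "Ethernet0",
    ipaddress.ip_network("10.2.0.0/16"): "Serial0",
    ipaddress.ip_network("0.0.0.0/0"): "Serial0",
}


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    source: ipaddress.IPv4Network    # source prefix the entry matches
    log: bool = False                # True models the "log" / "log-input" keyword


@dataclass
class Verdict:
    forward: bool      # packet is forwarded
    rpf_passed: bool   # the reverse-path lookup itself succeeded
    logged: bool       # a log message would be generated
    reason: str


def lookup(fib, addr) -> Optional[str]:
    """Longest-prefix match of addr in the FIB; returns the egress interface or None."""
    best = None
    for prefix, iface in fib.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def acl_match(acl, addr) -> Optional[AclEntry]:
    """First matching entry, or None for the implicit deny at the end of the ACL."""
    for entry in acl:
        if addr in entry.source:
            return entry
    return None


def verify_unicast_reverse_path(fib, ingress, src, acl=None) -> Verdict:
    """Model of strict uRPF ('ip verify unicast reverse-path [acl]') on one interface.

    1. Look up the packet's SOURCE address in the FIB.
    2. If the best path back to that source leaves via the ingress interface, the
       packet passes; the ACL is never consulted.
    3. Otherwise the packet failed RPF. With no ACL it is dropped. With an ACL,
       a matching permit entry overrides the drop and forwards the packet; a deny
       entry (or the implicit deny) keeps the drop. Logging depends only on the
       matched entry's log keyword, not on permit vs. deny.
    """
    src = ipaddress.ip_address(src)
    egress = lookup(fib, src)
    if egress == ingress:
        return Verdict(True, True, False, "source reachable via ingress interface")
    if acl is None:
        return Verdict(False, False, False,
                       f"rpf failed: source via {egress}, arrived on {ingress}")
    entry = acl_match(acl, src)
    if entry is None:
        return Verdict(False, False, False, "rpf failed, no ACL match (implicit deny)")
    if entry.action == "permit":
        return Verdict(True, False, entry.log, "rpf failed, ACL permit overrides")
    return Verdict(False, False, entry.log, "rpf failed, ACL deny")


# Constructed ACLs. ANY is the 'ip any any' source; the exemption ACL mirrors Tim's case.
ANY = ipaddress.ip_network("0.0.0.0/0")
ACL_DENY_LOG = [AclEntry("deny", ANY, log=True)]      # access-list 122 deny ip any any log-input
ACL_PERMIT_LOG = [AclEntry("permit", ANY, log=True)]  # access-list 122 permit ip any any log-input
ACL_EXEMPT_LEFT = [AclEntry("permit", ipaddress.ip_network("10.1.0.0/16"), log=True)]


if __name__ == "__main__":
    for label, acl in (("no acl", None), ("deny log", ACL_DENY_LOG),
                       ("permit log", ACL_PERMIT_LOG), ("exempt 10.1/16", ACL_EXEMPT_LEFT)):
        print(label, verify_unicast_reverse_path(FIB, "Serial0", "10.1.5.5", acl))
```

Running the block prints the verdict for a packet from 10.1.5.5 arriving on Serial0 under each ACL: without an ACL it is dropped; with the deny entry it is logged and dropped; with either permit entry it is logged and forwarded. The same packet arriving on Ethernet0 passes without the ACL ever being evaluated, which is why entries in this ACL can only describe RPF failures, never successes.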

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
22Cent@gmail.com
Sent: Wednesday, November 30, 2005 12:24 PM
To: Group Study
Subject: Unicast Reverse Path -ACL

Hi Group,
Quick question. If I want to log all packets that fail the RPF check, would I
use a permit or deny statement? Trying to understand the logic.

R1(config-if)#ip verify unicast reverse-path 122

R1(config)#access-list 122 deny ip any any log-input

or

R1(config)#access-list 122 permit ip any any log-input

TIA
Ray



This archive was generated by hypermail 2.1.4 : Mon Jan 09 2006 - 07:07:51 GMT-3