Re: diff between ip verify unicast-rpf and " " " reachable-via

From: Brent Foster (jbrentfoster@yahoo.com)
Date: Sat Jun 10 2006 - 10:08:39 ART


Petr is correct. Also, there is an interesting
feature tied to the "reachable-via any" format. If
the source address is resolved to a Null interface,
then the packet is dropped. This enables source-based
black-hole filtering.

--Brent

--- Petr Lapukhov <petrsoft@gmail.com> wrote:

> Okay, now
>
> "ip verify unicast reverse-path" is an "old" format
> of uRPF command.
> It is functionally equivalent to more recent "ip
> verify unicast source reachable-via rx"
>
> "ip verify unicast source reachable-via any"
> defines uRPF "loose"
> mode, which requires that source ip should be
> reachable via any
> router's interface, not the "rx"-one.
>
> HTH
> Petr
>
> 2006/6/10, rocco r21 <roccor21@hotmail.com>:
> >
> > ip verify unicast reachable-via according to Cisco prevents spoofing. How
> > does this differ from ip verify unicast reverse-path? CCO is a bit vague
> > on this.
> >
> >
>
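
Added example, not part of the original thread: a small Python model of the uRPF decision discussed above, showing strict ("rx") versus loose ("any") mode and the Null-interface drop that enables source-based black-hole filtering. The FIB entries, interface names and the function names lookup() and urpf_permits() are constructed for illustration; the table has no default route, so default-route handling is not modelled.

```python
import ipaddress

# Constructed FIB for illustration: (prefix, outgoing interface).
# The /32 pointing at Null0 is the black-hole route for one unwanted source.
FIB = [
    ("198.51.100.0/24", "Ethernet0"),
    ("203.0.113.0/24", "Serial1"),
    ("203.0.113.66/32", "Null0"),
]


def lookup(src, fib=FIB):
    """Longest-prefix match on the SOURCE address; returns interface or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def urpf_permits(src, rx_if, mode, fib=FIB):
    """Return True if a packet from src arriving on rx_if passes the check.

    mode "rx"  = strict: the route back to src must use the receiving interface.
    mode "any" = loose: any route back to src is enough, unless it resolves
                 to Null0, in which case the packet is dropped.
    """
    out_if = lookup(src, fib)
    if out_if is None:
        return False                      # no route back to the source
    if mode == "rx":
        return out_if == rx_if            # Null0 is never a receiving interface
    if mode == "any":
        return out_if != "Null0"          # source-based black-hole filtering
    raise ValueError("mode must be 'rx' or 'any'")


if __name__ == "__main__":
    # Constructed packets: (source address, receiving interface).
    for src, rx in [("198.51.100.7", "Ethernet0"), ("198.51.100.7", "Serial1"),
                    ("203.0.113.10", "Serial1"), ("203.0.113.66", "Serial1"),
                    ("192.0.2.1", "Serial1")]:
        print(src, rx, "strict:", urpf_permits(src, rx, "rx"),
              "loose:", urpf_permits(src, rx, "any"))
```

The second packet is the asymmetric-routing case: strict mode drops it because the return path uses a different interface, while loose mode accepts it.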


