RE: ip verify unicast

From: Victor Cappuccio (vcappuccio@desca.com)
Date: Tue Jan 23 2007 - 10:45:53 ART


Hi,

The topology is very easy to create.
I have done this in Nick's lab :D (hahaha buddy, sorry for getting your
BGP messed up)

(R5) -- f0/0.56 (R6) f0/0.67 -- (R7)

R6 is learning this from OSPF:
O 10.5.5.5/32 [110/2] via 192.168.67.7, 00:00:06,
FastEthernet0/0.67

And R5 is doing the following:
R5#ping 7.7.7.7 so lo0 rep 1000

Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5

*Jan 23 13:58:57.226: NAT: s=5.5.5.5->10.5.5.5, d=7.7.7.7 [42476].

============
If we use the following commands:

R6(config-subif)#ip verify unicast reverse-path 190
R6(config-subif)#access-list 190 permit ip any any log
R6(config)#
R6(config)#^Z
R6#
*Jan 23 13:52:54.723: %SEC-6-IPACCESSLOGDP: list 190 permitted icmp
10.5.5.5 -> 7.7.7.7 (0/0), 24 packets

============

And if using this: access-list 190 deny ip any any log

*Jan 23 13:54:54.755: %SEC-6-IPACCESSLOGDP: list 190 denied icmp
10.5.5.5 -> 7.7.7.7 (0/0), 15 packets
===========

Parts from the UniverCD that I think are good:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/fothercr/srfrpf.htm

Use the ip verify unicast reverse-path interface command to mitigate
problems caused by malformed or forged (spoofed) IP source addresses
that pass through a router.

Unicast RPF can drop or forward the packet, depending on whether an ACL
is specified in the Unicast Reverse Path Forwarding command. If an ACL
is specified in the command, then when (and only when) a packet fails
the Unicast RPF check, the ACL is checked to see if the packet should be
dropped (using a deny statement in the ACL) or forwarded (using a permit
statement in the ACL).

If no ACL is specified in the Unicast Reverse Path Forwarding command,
the router drops the forged or malformed packet immediately and no ACL
logging occurs. The router and interface Unicast RPF counters are
updated.

HTH
Victor.-

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Allan
Sent: Tuesday, January 23, 2007 7:41 AM
To: ccielab@groupstudy.com
Subject: ip verify unicast

Hi,

If I want to drop packets with no source address and log them, which
access list could be used?

ip verify unicast reverse-path 190
access-list 190 permit ip any any log

ip verify unicast reverse-path 191
access-list 191 deny ip any any log

===========
Using this:
R6(config)#no access-list 190 permit ip any any log
*Jan 23 13:38:35.795: %SEC-6-IPACCESSLOGDP: list 190 permitted icmp
10.5.5.5 -> 7.7.7.7 (0/0), 27 packets
R6(config)#access-list 190 deny ip any any log
R6(config)#
*Jan 23 13:38:56.247: %SEC-6-IPACCESSLOGDP: list 190 denied icmp
10.5.5.5 -> 7.7.7.7 (0/0), 1 packet
===========

Regards,

Min
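The forwarding decision the Cisco text above describes (RPF check first, ACL consulted only on failure, permit forwards, deny drops, no ACL means a silent counted drop) can be replayed against the thread's own packet. The model below is an added example written for this page, not code from the thread or from Cisco. It uses the addresses the posts show (R6 reaching 10.5.5.5/32 out FastEthernet0/0.67, the echo from 10.5.5.5 to 7.7.7.7 entering FastEthernet0/0.56) and assumes a 192.168.56.0/24 link between R5 and R6, a source of 192.168.56.5 for the legitimate case, and an ACL 191 with the deny entry from Allan's question; it also goes one step beyond the thread by modelling loose mode (`ip verify unicast source reachable-via any`), where a packet is accepted if any route to its source exists.

```python
"""Model of Cisco IOS unicast RPF with an optional ACL (added example, not
from the thread). Topology follows the posts: R5 -- f0/0.56 -- R6 -- f0/0.67
-- R7, with R6 learning 10.5.5.5/32 out FastEthernet0/0.67 via OSPF."""
import ipaddress
from dataclasses import dataclass, field

ANY = ipaddress.ip_network("0.0.0.0/0")
VERB = {"permit": "permitted", "deny": "denied"}   # wording of %SEC-6-IPACCESSLOGDP


@dataclass
class AclEntry:
    action: str                                   # "permit" or "deny"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    log: bool = False                             # the "log" keyword


@dataclass
class Router:
    fib: dict                                     # {IPv4Network: outgoing interface}
    acls: dict = field(default_factory=dict)      # {acl number: [AclEntry, ...]}
    verification_drops: dict = field(default_factory=dict)  # per ingress interface
    suppressed_drops: dict = field(default_factory=dict)    # failed RPF, ACL permitted
    syslog: list = field(default_factory=list)

    def best_route(self, addr):
        """Longest-prefix match for addr; returns (prefix, interface) or None."""
        addr = ipaddress.ip_address(addr)
        matches = [(p, i) for p, i in self.fib.items() if addr in p]
        return max(matches, key=lambda m: m[0].prefixlen) if matches else None

    def _bump(self, counter, iface):
        counter[iface] = counter.get(iface, 0) + 1

    def urpf(self, ingress, src, dst, acl=None, mode="strict", proto="icmp"):
        """Decide 'forward' or 'drop' for a packet arriving on `ingress`.

        mode="strict": ip verify unicast reverse-path (source reachable via rx)
        mode="loose":  ip verify unicast source reachable-via any
        The ACL is consulted only when the RPF check fails; a permit forwards
        the packet, a deny (explicit or the implicit one at the end) drops it.
        """
        route = self.best_route(src)
        if route is not None and (mode == "loose" or route[1] == ingress):
            return "forward"                      # passed: the ACL is never evaluated
        if acl is None:                           # failed, no ACL: drop, counters only
            self._bump(self.verification_drops, ingress)
            return "drop"
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for e in self.acls.get(acl, []):
            if s in e.src and d in e.dst:
                if e.log:
                    self.syslog.append(
                        f"%SEC-6-IPACCESSLOGDP: list {acl} {VERB[e.action]} "
                        f"{proto} {src} -> {dst}, 1 packet")
                if e.action == "permit":
                    self._bump(self.suppressed_drops, ingress)
                    return "forward"
                self._bump(self.verification_drops, ingress)
                return "drop"
        self._bump(self.verification_drops, ingress)   # implicit deny: no log line
        return "drop"


def build_r6():
    """R6 as in the thread; the 192.168.56.0/24 link and ACL 191 are assumed."""
    n = ipaddress.ip_network
    fib = {
        n("10.5.5.5/32"): "FastEthernet0/0.67",       # OSPF route shown in the post
        n("7.7.7.7/32"): "FastEthernet0/0.67",
        n("192.168.67.0/24"): "FastEthernet0/0.67",
        n("192.168.56.0/24"): "FastEthernet0/0.56",   # assumed R5-R6 link
    }
    r6 = Router(fib)
    r6.acls[190] = [AclEntry("permit", log=True)]  # access-list 190 permit ip any any log
    r6.acls[191] = [AclEntry("deny", log=True)]    # access-list 191 deny ip any any log
    return r6


def run_scenarios():
    """Replay the thread's packet (10.5.5.5 -> 7.7.7.7 entering f0/0.56)."""
    r6, rx = build_r6(), "FastEthernet0/0.56"
    out = {
        "permit_log": r6.urpf(rx, "10.5.5.5", "7.7.7.7", acl=190),   # logged, forwarded
        "deny_log": r6.urpf(rx, "10.5.5.5", "7.7.7.7", acl=191),     # logged, dropped
        "no_acl": r6.urpf(rx, "10.5.5.5", "7.7.7.7"),                # silent drop
        "legit": r6.urpf(rx, "192.168.56.5", "7.7.7.7", acl=191),    # passes RPF
        "loose": r6.urpf(rx, "10.5.5.5", "7.7.7.7", acl=191, mode="loose"),
    }
    out["syslog"] = list(r6.syslog)
    out["counters"] = (r6.verification_drops.get(rx, 0), r6.suppressed_drops.get(rx, 0))
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, value)
```

The two counters mirror the "verification drops" and "suppressed verification drops" lines of `show ip interface`: the permit-any-log ACL from the first test answers Allan's question only in the sense that it logs, since the spoofed packet is still forwarded and counted as suppressed; the deny-any-log ACL both logs and drops. The model keeps a single next-hop interface per prefix, so it does not cover the equal-cost multipath case where strict mode accepts any of the ECMP interfaces.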



This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:57 ART