Re: ip verify unicast

From: Salman Abbas (dukelondon@gmail.com)
Date: Tue Jan 23 2007 - 10:51:21 ART

• Next message: Jo Johnson: "advertise EIGRP internal route as external"
• Previous message: Victor Cappuccio: "RE: ip verify unicast"
• Maybe in reply to: Allan : "ip verify unicast"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi Allan,

Sorry. Just want to correct myself. Read the following:

If an ACL is specified in the command, then when (and only when) a packet
fails the Unicast RPF check, the ACL is checked to see if the packet should
be dropped (using a deny statement in the ACL) or forwarded (using a permit
statement in the ACL). Whether a packet is dropped or forwarded, the packet
is counted in the global IP traffic statistics for Unicast RPF drops and in
the interface statistics for Unicast RPF.

If no ACL is specified in the Unicast RPF command, the router drops the
forged or malformed packet immediately and no ACL logging occurs. The router
and interface Unicast RPF counters are updated.

On 1/23/07, Salman Abbas <dukelondon@gmail.com> wrote:
>
> Hi Allan,
>
> If you want to drop the packets whose source address is not in your
> routers Forwarding Table, you must use deny ip any any in the ACL. It doesnt
> matter whether or not you want to log.
>
> HTH,
>
> Salman
>
>
> On 1/23/07, Allan <mincisco@gmail.com> wrote:
> >
> > Hi Ivan
> >
> > How about if do not need to log. does need the access-list ?
> >
> > like ip verify unicast reverse-path
> >
> >
> >
> >
> >
> >
> > On 1/23/07, Ivan <ivan@iip.net> wrote:
> > >
> > > 191.
> > >
> > > ip verify unicast permit all packet passed check. Also this command
> > permit
> > > or
> > > deny packet from ACL depends on action.
> > >
> > > On Tuesday 23 January 2007 14:40, Allan wrote:
> > > > Hi,
> > > >
> > > > if I want to drop packets with no source address and log them,
> > which
> > > > access list could be use ?
> > > >
> > > > ip verify unicast reverse-path 190
> > > > access-list 190 permit ip any any log
> > > >
> > > >
> > > > ip verify unicast reverse-path 191
> > > > access-list 191 deny ip any any log
> > > >
> > > >
> > > > Regards,
> > > >
> > > > Min
> > > >
> > > >
> > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> > >
> > > --
> > > Ivan
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

• Next message: Jo Johnson: "advertise EIGRP internal route as external"
• Previous message: Victor Cappuccio: "RE: ip verify unicast"
• Maybe in reply to: Allan : "ip verify unicast"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:57 ART