RE: Question Re: "ip verify unicast" feature in IOS

From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Thu Feb 01 2007 - 20:20:25 ART


Hi Jim,

        What version are you running? There are some registered bugs for
this feature in 12.2T and 12.3:

CSCin39333 Bug Details

Headline: uRPF drops packet even if it is permitted in the access-list
Product: IOS
Feature: CEF/DCEF/FIB
Severity: 3
Status: Resolved
First Found-in Version: 12.3(0.1)
First Fixed-in Version: 12.3(0.5), 12.3(0.5)T, 12.3(0.5)B, 12.3(0.5)BW03

Release Notes

Symptom

Using IP uRPF with an Access List that has logging enabled, may cause
traffic to be incorrectly dropped.

Workaround

There is no workaround.

CSCeg06652 Bug Details

Headline: uRPF does not work ACL log
Product: IOS
Feature: CEF/DCEF/FIB
Duplicate of: CSCin39333
Severity: 3
Status: Duplicate
First Found-in Version: 12.2(15)T05
First Fixed-in Version: (none listed)

Release Notes

Symptoms: Cisco Express Forwarding (CEF) will drop all packets including
permitted packets or denied packets.

Conditions: This symptom is observed when Unicast Reverse Path Forwarding
(URPF) is configured with an access control list (ACL) that has a log
option.

Workaround: There is no workaround.

HTH,

Brian McGahan, CCIE #8593 (R&S/SP)
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jim White
Sent: Thursday, February 01, 2007 4:40 PM
To: ccielab@groupstudy.com; jim.t.white@gmail.com
Subject: Question Re: "ip verify unicast" feature in IOS

Hi Groupstudy,

I am a little confused about the operation of the ip verify source feature
in IOS. In the following example I want to log an entry if the source
lookup fails.

For example, my interpretation of the configuration below is that it will
perform the source lookup for all sources (permit any) and generate a
syslog message if the source lookup fails.

I have tested this with little success other than some output at the end
of "show ip interface serial 0/0" which suggests it's doing what it should.

#------- Config Output ------#
ip cef

access-list 1 permit any log
!
interface Serial0/0
ip verify unicast source reachable-via rx 1

#--- End of Config Output ---#

After some testing...

R1#show ip interface serial 0/0
Serial0/0 is up, line protocol is up
(Output Removed)
  IP verify source reachable-via RX, ACL 1
  20 verification drops
  0 suppressed verification drops
R1#

Thanks for any input/clarification,
Jim White

(Cork, Ireland)
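As an added example, not code from the thread or from Cisco: a small Python audit that parses an IOS running-config and flags any interface whose uRPF statement references an ACL containing a log or log-input keyword, which is exactly the condition the CSCin39333/CSCeg06652 entries describe. The sample config is constructed from Jim's snippet with two extra interfaces added for contrast; numbered and named ACL syntax are both handled.

```python
import re

# Constructed sample: Jim's Serial0/0 config, plus a second interface whose
# uRPF ACL has no "log" keyword and a third with no ACL at all.
SAMPLE_CONFIG = """\
ip cef
!
access-list 1 permit any log
access-list 2 permit any
!
ip access-list standard NO-LOG
 permit any
!
interface Serial0/0
 ip verify unicast source reachable-via rx 1
!
interface Serial0/1
 ip verify unicast source reachable-via any 2
!
interface FastEthernet0/0
 ip verify unicast source reachable-via rx
"""

URPF_RE = re.compile(r"^\s*ip verify unicast (?:source )?reachable-via (rx|any)(?:\s+(\S+))?")
NUMBERED_ACL_RE = re.compile(r"^\s*access-list (\S+) (?:permit|deny) (.*)$")
NAMED_ACL_RE = re.compile(r"^\s*ip access-list (?:standard|extended) (\S+)")
LOG_RE = re.compile(r"\blog(?:-input)?\b")

def logging_acls(config):
    """Return the set of ACL numbers/names with at least one entry that logs."""
    logged, named = set(), None
    for line in config.splitlines():
        m = NUMBERED_ACL_RE.match(line)
        if m:
            named = None
            if LOG_RE.search(m.group(2)):
                logged.add(m.group(1))
            continue
        m = NAMED_ACL_RE.match(line)
        if m:
            named = m.group(1)          # entries of a named ACL follow, indented
        elif named and line.startswith(" ") and LOG_RE.search(line):
            logged.add(named)
        elif not line.startswith(" "):
            named = None                # any unindented line ends the named ACL block
    return logged

def urpf_with_acl_log(config):
    """Return [(interface, mode, acl)] where the uRPF ACL carries a log option."""
    logged, hits, interface = logging_acls(config), [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            interface = line.split(None, 1)[1].strip()
            continue
        m = URPF_RE.match(line)
        if m and interface and m.group(2) in logged:
            hits.append((interface, m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    for intf, mode, acl in urpf_with_acl_log(SAMPLE_CONFIG):
        print(f"{intf}: uRPF reachable-via {mode} with ACL {acl} (log) - matches CSCin39333 condition")
```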



This archive was generated by hypermail 2.1.4 : Thu Mar 01 2007 - 07:38:45 ART