Re: Doubts with uRPF

From: Bryan Bartik <bbartik_at_ipexpert.com>
Date: Mon, 22 Jun 2009 20:57:59 -0600

Rodrigo,

That sounds about right: the ACL is checked if RPF fails. If the ACL permits
the packet, it is still forwarded.

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i3.html#wp1060730

An easy way to test is to connect 3 routers in a mesh: R1, R2, and R3.

R1 has a route towards R2 for R3's loopback.
R2 has a route towards R3 for R1's loopback.
R3 has a route towards R1 for R1's loopback (through their connected
interface)

This allows packets to flow from R1 (source loopback) ->R2->R3, while
failing the RPF check on R2. On R2, put the RPF statements. Then play with
the ACL to verify the proper operation, enable logging as well.

Maybe you could also just have two routers connected B2B with 2 interfaces,
but the above is the way I tested it :-)

On Mon, Jun 22, 2009 at 7:19 PM, Rodrigo Marchina Soares <
gudines_at_terra.com.br> wrote:

> Hi,
>
> Can somebody explain better spoofing with uRPF?
>
> Let me see if I understood:
>
>
> ! access-list to permit one network spoofing and log any other violation network
> access-list 100 permit ip 10.10.10.0 0.0.0.255 any
> access-list 100 deny ip any any log
>
> ! applying in upstream link
> interface S0/0
>  ip verify unicast source reachable-via any 100
>
> ! applying uRPF to internal interface
> interface e0/0
>  ip verify unicast source reachable-via rx 100
>
>
> Thanks
> Gudines
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
Bryan Bartik
CCIE #23707 (R&S), CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com
Received on Mon Jun 22 2009 - 20:57:59 ART
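A small Python model of the order of operations discussed in this thread, added here as an example (it is not from the original post or from Cisco): the RPF check runs first and the ACL is consulted only when that check fails, so an ACL permit still forwards a packet that failed RPF, while a deny with `log` drops and logs it. The R2 FIB, interface names and addresses are constructed to mirror the three-router test above.

```python
from ipaddress import ip_address, ip_network

# Constructed R2 FIB for the three-router test: R2 reaches R1's loopback via R3,
# so a packet sourced from that loopback arriving on the R1-facing link fails
# strict (rx) uRPF but passes loose (any) uRPF. All addresses are made up.
R2_FIB = {
    ip_network("10.1.1.1/32"): "Serial0/1",      # R1 loopback, learned via R3
    ip_network("10.3.3.3/32"): "Serial0/1",      # R3 loopback
    ip_network("10.10.10.0/24"): "Ethernet0/0",  # internal LAN behind e0/0
}

# access-list 100 from the question: permit the one network, log everything else
ACL_100 = [
    ("permit", ip_network("10.10.10.0/24"), False),
    ("deny", ip_network("0.0.0.0/0"), True),
]

def fib_lookup(fib, src):
    """Longest-prefix match; returns (prefix, egress_interface) or None."""
    matches = [(p, i) for p, i in fib.items() if src in p]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None

def acl_match(acl, src):
    """First-match ACL evaluation; returns (action, log)."""
    for action, prefix, log in acl:
        if src in prefix:
            return action, log
    return "deny", False  # implicit deny at the end of every IOS ACL

def urpf_check(fib, mode, ingress, src):
    """'rx' (strict): a route must exist AND point out the ingress interface.
       'any' (loose): any non-default route back to the source is enough."""
    hit = fib_lookup(fib, src)
    if hit is None or hit[0].prefixlen == 0:
        return False
    return mode == "any" or hit[1] == ingress

def ip_verify_unicast_source(fib, mode, acl, ingress, src_ip):
    """Model of 'ip verify unicast source reachable-via <mode> <acl>': the ACL
    is consulted only when RPF fails; a permit forwards, a deny drops (+log)."""
    src = ip_address(src_ip)
    if urpf_check(fib, mode, ingress, src):
        return "forward", False
    action, log = acl_match(acl, src) if acl else ("deny", False)
    return ("forward" if action == "permit" else "drop"), log

# R1's loopback arriving on R2's R1-facing link, as in the test topology
print(ip_verify_unicast_source(R2_FIB, "rx", ACL_100, "Serial0/0", "10.1.1.1"))
```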
