Re: Drop Traffic

From: William McCall <william.mccall_at_gmail.com>
Date: Sat, 18 Jul 2009 12:04:59 -0500

Int s0/0
ip verify unicast source reachable-via any [acl]

access-list [acl] deny ip any any log-input

http://www.cisco.com/en/US/partner/docs/ios/security/command/reference/sec_i3.html#wp1060585

ip verify unicast reverse-path 101 is the same as ip verify unicast
source reachable-via rx 101. But these mean that you will only accept
the packet if it comes in the interface that you have as an installed
route. This is strict mode uRPF.

You asked: " How to configure drop any traffic received that doesnot
have corresponding entry in routing table? [sic]"

This would imply (in that usage) that you wish to permit traffic that
has ANY routing table entry, not necessarily one that goes out the
same interface that it comes in on. In this case, you want loose mode
uRPF.

Finally, you need the log-input on your deny statement. This will
provide the logging that you want.

--William McCall

On Sat, Jul 18, 2009 at 11:34 AM, kaniyath
minha<minha.kaniyath_at_gmail.com> wrote:
> Sorry, I want to log this also
>
> On Sat, Jul 18, 2009 at 7:18 PM, William McCall <william.mccall_at_gmail.com>
> wrote:
>>
>> You don't need an access list. And the correct command is "ip verify unicast
>> source reachable-via any"
>>
>> --William McCall
>>
>> On Sat, Jul 18, 2009 at 11:14 AM, kaniyath
>> minha<minha.kaniyath_at_gmail.com> wrote:
>> > Dear
>> >
>> >
>> > How to configure drop any traffic received that doesnot have
>> > corresponding
>> > entry in routing table?
>> >
>> > The following is my configurations. Which one is best solution
>> >
>> > Solution 1
>> >
>> > #interface ser 0/0
>> > #ip verify unicast reverse-path 101
>> >
>> > #ip access-list 101 deny ip any any
>> >
>> >
>> >
>> >
>> > Solution 2
>> >
>> > #interface ser 0/0
>> > #ip verify unicast source reachable-via rx 101
>> >
>> > #ip access-list 101 deny ip any any
>> >
>> >
>> >
>> >
>> >
>> >
>> > Thanks and Regards
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net

Received on Sat Jul 18 2009 - 12:04:59 ART
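
Added example, not part of the original thread: a small Python model of the strict ("rx") versus loose ("any") uRPF decision discussed above, including the optional ACL that is consulted only when the check fails. The routing table, interface names, the urpf() helper and its result strings are constructed for illustration, and strict mode is simplified to a single best path.

```python
import ipaddress

# Constructed sample routing table (prefix, interface); not taken from the thread.
# No default route is included, so default-route handling is out of scope here.
ROUTES = [
    ("10.1.0.0/16", "Serial0/0"),
    ("10.2.0.0/16", "Serial0/1"),
    ("192.168.5.0/24", "Serial0/1"),
]


def lookup(src):
    """Longest-prefix match on the source; returns the route's interface or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf(src, in_iface, mode, acl_permits=False):
    """Model the uRPF verdict for one packet (hypothetical helper).

    mode "rx"  = strict: the best route to src must point out in_iface.
    mode "any" = loose: any route to src is sufficient.
    The ACL is only evaluated when the check fails: a permit forwards the
    packet anyway, a 'deny ip any any log-input' drops it and logs it.
    """
    route_iface = lookup(src)
    if mode == "rx":
        passed = route_iface == in_iface
    elif mode == "any":
        passed = route_iface is not None
    else:
        raise ValueError("mode must be 'rx' or 'any'")
    if passed:
        return "forward"
    return "forward (acl permit)" if acl_permits else "drop+log"


if __name__ == "__main__":
    # Source routed via Serial0/1 but arriving on Serial0/0 (asymmetric path).
    for mode in ("rx", "any"):
        print(mode, urpf("10.2.9.9", "Serial0/0", mode))
    # Source with no route at all: dropped and logged even in loose mode.
    print("any", urpf("172.16.0.1", "Serial0/0", "any"))
```

The asymmetric case is the one that separates the two modes: strict drops it, loose forwards it, and only a source with no route at all is dropped and logged in loose mode.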
