Good afternoon Johnny and team,
Additional items I am going to try and test tonight, tomorrow and Sunday
are:
2.80 Implement Performance Routing (PfR) and Cisco Optimized Edge Routing
(OER)
10.03 Implement NetFlow
10.06 Implement Cisco IOS Embedded Event Manager (EEM)
Any thoughts on doing so?
I am going through the blueprint and either making sure I understand / know
how-to, or trying to lab up. I also want to make sure I can find these
topics on the doc cd ... not always an easy task either. ;-)
Andrew
On Fri, Oct 23, 2009 at 1:54 PM, Johnny B CCIE <jbccie_at_gmail.com> wrote:
> What other things would you like to test?
>
>
> On Thu, Oct 22, 2009 at 10:56 PM, ALL From_NJ <all.from.nj_at_gmail.com>
> wrote:
> > Many thanks for the tips. Yep, that is a pretty neat test too.
> >
> > The uRPF feature keeps this from being a problem ... nice feature for
> > keeping spoofed (or mis-configured) addresses from causing problems. I would
> > think this could be an administrative nightmare depending on where you
> > enabled it.
> >
> > Thanks.
> >
> > Any other thoughts on placement or ways to test / learn?
> >
> >
> > On Thu, Oct 22, 2009 at 10:43 PM, Johnny B CCIE <jbccie_at_gmail.com> wrote:
> >>
> >> Sorry, I answered too quickly. You are doing the example fine as it
> >> is. If you can ping from the source or "spoofed" address then the
> >> access-list is working as intended and if you remove it and it is
> >> blocking the "spoofed" local interface then it is also working as
> >> intended. To test further create a loop on the farside with a local
> >> side address and then try to see what happens, either with or without
> >> the acl you should see the results. You may want to debug ip packet to
> >> watch the fun.
> >>
> >> On Thu, Oct 22, 2009 at 10:39 PM, Johnny B CCIE <jbccie_at_gmail.com> wrote:
> >> > Don't filter yourself. Use the ? after the command and you will see
> >> > you have options.
> >> >
> >> > On Thu, Oct 22, 2009 at 9:23 PM, ALL From_NJ <all.from.nj_at_gmail.com>
> >> > wrote:
> >> >> Team,
> >> >>
> >> >> Can I get a sanity check from you all? Pretty please with sugar? ;-)
> >> >>
> >> >> My test:
> >> >>
> >> >> R1 connected to SW1
> >> >> R2 connected to SW1
> >> >>
> >> >> Can ping no problem, baseline looks good, no worries.
> >> >>
> >> >> Add the command on R2: ip ver unicast reverse-path
> >> >>
> >> >> Then I type the command: "show ip traffic | in drop"
> >> >> 0 no route, 10 unicast RPF, 0 forced drop
> >> >>
> >> >> For every ping from R1, I see this RPF counter increasing, so I know that
> >> >> RPF is dropping packets after I add the command.
> >> >>
> >> >> When I add an access list permitting the 'spoofed source' then the RPF
> >> >> counter does not increase, which is also how I test if I have this
> >> >> configured right.
> >> >>
> >> >> Any additional thoughts on how to test this feature? Seems fairly easy to
> >> >> test, only 2 routers are needed w/ crossover or a switch in the middle.
> >> >>
> >> >> Question about the placement of this command: should I put this anywhere in
> >> >> my network that I think I might get spoofed addresses? As I understand it,
> >> >> as long as I have a route (default or specific) that the traffic will pass
> >> >> ok.
> >> >>
> >> >> If I do not have a route, I can either add a route or configure an access
> >> >> list and permit this seemingly 'spoofed' address.
> >> >>
> >> >> Appreciate your thoughts team!
> >> >>
> >> >> --
> >> >> Andrew Lee Lissitz
> >> >> all.from.nj_at_gmail.com
> >> >>
> >> >>
> >> >> Blogs and organic groups at http://www.ccie.net
> >> >>
> >> >>
> >> >> _______________________________________________________________________
> >> >> Subscription information may be found at:
> >> >> http://www.groupstudy.com/list/CCIELab.html
> >
> >
> >
> > --
> > Andrew Lee Lissitz
> > all.from.nj_at_gmail.com
--
Andrew Lee Lissitz
all.from.nj_at_gmail.com

Blogs and organic groups at http://www.ccie.net

Received on Fri Oct 23 2009 - 15:28:53 ART
This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:51:00 ART
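
Added example, not part of the original thread: a small Python model of the strict reverse-path check with the ACL fallback that the two-router lab above exercises, extended with an asymmetric-path case to show why placement matters. The addresses, interface names, class and counter names are constructed for illustration and are not IOS output.

```python
import ipaddress
from collections import Counter

class StrictUrpf:
    """Toy model of a strict-mode reverse-path check on one router."""

    def __init__(self, routes, exempt=()):
        # routes: (prefix, interface the router would use to reach that prefix)
        self.routes = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]
        # exempt: sources an ACL permits even when the check fails
        self.exempt = [ipaddress.ip_network(p) for p in exempt]
        self.counters = Counter()

    def reverse_path(self, src):
        """Longest-prefix match on the SOURCE address; None if no route."""
        # A 0.0.0.0/0 entry is matched like any other prefix in this model;
        # whether a real platform accepts the default route for this check
        # depends on its configuration.
        matches = [(net, ifc) for net, ifc in self.routes if src in net]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

    def receive(self, src, in_ifc):
        src = ipaddress.ip_address(src)
        if self.reverse_path(src) == in_ifc:
            self.counters["passed"] += 1
            return "forward"
        if any(src in net for net in self.exempt):
            self.counters["suppressed_drop"] += 1   # failed check, ACL permitted
            return "forward (ACL permit)"
        self.counters["rpf_drop"] += 1
        return "drop"

def run_lab():
    # Constructed topology: R2 reaches R1's segment via Fa0/0, another net via Fa0/1.
    r2 = StrictUrpf([("10.1.12.0/24", "Fa0/0"), ("10.9.9.0/24", "Fa0/1")])
    out = {}
    out["connected source"] = r2.receive("10.1.12.1", "Fa0/0")
    out["unrouted loopback"] = r2.receive("1.1.1.1", "Fa0/0")
    # Legitimate source, but the return path leaves a different interface.
    out["asymmetric path"] = r2.receive("10.9.9.5", "Fa0/0")
    r2.exempt.append(ipaddress.ip_network("1.1.1.1/32"))
    out["loopback, ACL added"] = r2.receive("1.1.1.1", "Fa0/0")
    r2.routes.append((ipaddress.ip_network("1.1.1.1/32"), "Fa0/0"))
    out["loopback, route added"] = r2.receive("1.1.1.1", "Fa0/0")
    return out, dict(r2.counters)

if __name__ == "__main__":
    results, counters = run_lab()
    for case, verdict in results.items():
        print(f"{case:22} {verdict}")
    print(counters)
```

The asymmetric case is dropped even though the source is routable, which is the situation to look for before enabling the check on an interface that does not carry the only path back to its sources.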