From: ccie2be (ccie2be@nyc.rr.com)
Date: Fri Mar 25 2005 - 10:35:04 GMT-3
Hi Mani,
The acl at the end of the command is there to allow you to override the
default behavior of the command which is to drop packets that arrive on an
interface that's inconsistent with the interface specified in the route
table for the source address.
IOW, if the route table indicates that to get to net X use interface X and a
packet from net X arrives on interface Y, this command will drop the packet.
While this behavior usually doesn't cause any problems because the path in
is the same as the path, in cases where there are asymmetric routing paths,
this default behavior presents problems.
As a simplistic example, consider the situation where BGP traffic
engineering is set up such that incoming packets arrive at your AS on one
link but leave on another. In this case, the default behavior would drop
all those otherwise legit packets.
To change this default behavior, you'll need an acl where the permit
statements (I'm pretty sure) override the default behavior.
To log packets matching the acl statements, you need to add the log keyword
to the end of the acl statements.
HTH, Tim
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of mani poopal
Sent: Friday, March 25, 2005 2:38 AM
To: ccielab@groupstudy.com
Subject: IP VERIFY UNICAST REVERSE PATH
Guys,
What is the main purpose of the access-list at the end of the ip verify unicast
reverse-path (to drop packets without verifiable source address) command?
If I want to log denied packets, is option (1.) or option (2.) right?
This access-list is only for the reverse path command and not for access-group. So
what is the correct sequence of checking this access-list by the rpf router?
(1.)
int eth0/1/1
ip address 192.168.200.1 255.255.255.0
ip verify unicast reverse-path 197
access-list 197 deny ip any any
(2.)
int eth0/1/1
ip address 192.168.200.1 255.255.255.0
ip verify unicast reverse-path 197
access-list 197 permit ip any any
B.ENG,A+,CCNA,CCNP,CCNP-VOICE, CSS1,CNA,MCSE
(416)431 9929
MANI_CCIE@YAHOO.COM
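A small Python model of the check order discussed in this thread, added here as an illustration (not code from either poster and not Cisco's implementation): the ACL is consulted only for packets that fail the reverse-path check, where a permit forwards the packet and a deny drops it. The interface names, prefixes and ACL_LOGGED entries are constructed, and the ACL is simplified to match on source prefix only; OPTION_1 and OPTION_2 mirror the two configurations in the question.

```python
import ipaddress

# Constructed route table (not from the thread): prefix -> interface used to reach it.
ROUTES = {"10.1.0.0/16": "Serial0", "10.2.0.0/16": "Serial1"}

# ACLs as ordered (action, source prefix, log) entries, simplified to source-only matching.
OPTION_1 = [("deny", "0.0.0.0/0", False)]      # access-list 197 deny ip any any
OPTION_2 = [("permit", "0.0.0.0/0", False)]    # access-list 197 permit ip any any
ACL_LOGGED = [                                 # constructed: exempt one prefix, log everything
    ("permit", "10.2.0.0/16", True),           # known asymmetric-path sources
    ("deny", "0.0.0.0/0", True),               # all other RPF failures, logged
]

def rpf_interface(src, routes):
    """Longest-prefix match: the interface the route table uses to reach src."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def urpf_check(src, in_if, routes, acl=None):
    """Return (verdict, logged) for a packet from src arriving on in_if."""
    if rpf_interface(src, routes) == in_if:
        return "forward", False                # RPF passed: the ACL is never consulted
    for action, prefix, log in acl or []:      # RPF failed: first matching entry decides
        if ipaddress.ip_address(src) in ipaddress.ip_network(prefix):
            return ("forward" if action == "permit" else "drop"), log
    return "drop", False                       # no ACL given, or implicit deny at the end

if __name__ == "__main__":
    # 10.2.0.0/16 is reached via Serial1 but arrives on Serial0 (asymmetric path).
    for name, acl in [("no ACL", None), ("option 1", OPTION_1),
                      ("option 2", OPTION_2), ("logged ACL", ACL_LOGGED)]:
        print(name, urpf_check("10.2.1.1", "Serial0", ROUTES, acl))
```

In this model option (2.) forwards every packet that fails the reverse-path check, so the check no longer drops anything, and neither option logs because no entry carries the log keyword.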
This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:51 GMT-3