From: jenseike (jenseike@start.no)
Date: Fri Mar 25 2005 - 11:43:19 GMT-3
Hi,
OK, see if I can explain this to you. The access-list tells the router what
to do with the packet if the router fails the Unicast RPF. The acl is
checked to see if the packet should be dropped with a deny statement or
forwarded with a permit statement. If no acl is defined the router drops
the packet if Unicast RPF doesn't apply. If you want to log packets then you
should have a log statement after the acl, but which statement of yours is
correct depends on what you want to do with the packets.
If you want to log packets that fail URPF and permit, for example, IP packets
anyway, then this will be the correct way:
int eth0/1/1
ip address 192.168.200.1 255.255.255.0
ip verify unicast reverse-path 197
access-list 197 permit ip any any
If you want to deny the same packets, and at the same time get these packets
logged, then this is correct:
int eth0/1/1
ip address 192.168.200.1 255.255.255.0
ip verify unicast reverse-path 197
access-list 197 deny ip any any
Hope that clarified that for you.
Regards
Jens Petter
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
mani poopal
Sent: 25. mars 2005 08:38
To: ccielab@groupstudy.com
Subject: IP VERIFY UNICAST REVERSE PATH
Guys,
What is the main purpose of the access-list at the end of the ip verify unicast
reverse-path (to drop packets without a verifiable source address) command?
If I want to log denied packets, is option (1.) or option (2.) right?
This access-list is only for the reverse-path command and not for access-group. So
what is the correct sequence of checking this access-list by the RPF router?
(1.)
int eth0/1/1
ip address 192.168.200.1 255.255.255.0
ip verify unicast reverse-path 197
access-list 197 deny ip any any
(2.)
int eth0/1/1
ip address 192.168.200.1 255.255.255.0
ip verify unicast reverse-path 197
access-list 197 permit ip any any
B.ENG,A+,CCNA,CCNP,CCNP-VOICE, CSS1,CNA,MCSE
(416)431 9929
MANI_CCIE@YAHOO.COM
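
Added example (not part of either message, and not Cisco code): a small Python model of the order of checks described in the reply above, where the RPF lookup runs first and ACL 197 is consulted only for packets that fail it. The FIB entries, function names and the tuple form of the ACL are assumptions made for illustration; the ACL match is on source address only, which is enough for "ip any any".

```python
import ipaddress

# Constructed FIB: prefix -> interface the router would use to reach it.
FIB = {
    "192.168.200.0/24": "eth0/1/1",
    "10.1.0.0/16": "eth0/1/2",
}

# Hypothetical encodings of the two ACLs from the thread, with "log" set.
ACL_PERMIT_LOG = [("permit", "0.0.0.0/0", True)]  # access-list 197 permit ip any any log
ACL_DENY_LOG = [("deny", "0.0.0.0/0", True)]      # access-list 197 deny ip any any log

def rpf_interface(src):
    """Longest-prefix match on the source address; None if there is no route."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def acl_action(acl, src):
    """First matching entry wins; an ACL ends with an implicit deny."""
    addr = ipaddress.ip_address(src)
    for action, prefix, log in acl:
        if addr in ipaddress.ip_network(prefix):
            return action, log
    return "deny", False

def urpf(src, in_if, acl=None):
    """Return (verdict, logged) for a packet with source src arriving on in_if."""
    if rpf_interface(src) == in_if:
        return "forward", False   # RPF check passed: the ACL is never consulted
    if acl is None:
        return "drop", False      # RPF failed and no ACL is configured
    action, log = acl_action(acl, src)
    return ("forward" if action == "permit" else "drop"), log

if __name__ == "__main__":
    for src in ("192.168.200.50", "10.1.2.3", "172.16.0.1"):
        for name, acl in (("no acl", None), ("permit log", ACL_PERMIT_LOG),
                          ("deny log", ACL_DENY_LOG)):
            print(f"{src:15} on eth0/1/1, {name:10} -> {urpf(src, 'eth0/1/1', acl)}")
```
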