From: gladston@br.ibm.com
Date: Thu Apr 28 2005 - 17:34:35 GMT-3
IOS is not working as expected when log is used on an ACL called by the RPF check.
It does not work if the ACL is specified this way:
access-list 130 permit icmp h 172.16.2.1 h 172.16.6.1
or
access-list 130 permit ip h 172.16.2.1 h 172.16.6.1
But works if specified this way:
access-list 130 permit ip any any
Now, if log is specified, it does not work:
access-list 130 permit ip any any log
Tested on 12.2T, 2600 and 3600 routers.
Removing the reverse check and configuring ip access-group with access-list 130 reveals that the access-list is correct.
The problem seems to be the reverse check in conjunction with the ACL.
This is the summary of the monitoring results that follow:
permit icmp h 172.16.2.1 h 172.16.6.1 --> does not cause the packet to be forwarded
permit ip any any --> causes the packet to be forwarded
permit ip any any log --> does not cause the packet to be forwarded
I could not find any reference to this on Cisco, on Google or in Deal's book. On the contrary, there are plenty of docs saying it
works fine.
Could you test it?
The basic config is just:
ip cef
!
int e0/1 (also used ATM) (tested on 3600 and 2600, 12.2T)
ip verify unicast source reachable-via rx 130
!
access-list 130 permit ip any any log (this was tested without log and for specific host)
Monitoring:
With access-list 130 permit icmp h 172.16.2.1 h 172.16.6.1,
you can see that verification drops are incremented and suppressed verification drops are not.
Ethernet0/1 is up, line protocol is up
Internet address is 150.100.2.5/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, No CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
IP verify source reachable-via RX, ACL 130
131 verification drops
0 suppressed verification drops
r5(config)#do sh ip int e0/1
Ethernet0/1 is up, line protocol is up
Internet address is 150.100.2.5/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, No CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
IP verify source reachable-via RX, ACL 130
132 verification drops
0 suppressed verification drops
With access-list 130 permit ip any any,
you can see that verification drops are not incremented and suppressed verification drops are.
r5(config-if)#do sh ip int e0/1
Ethernet0/1 is up, line protocol is up
Internet address is 150.100.2.5/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
IP verify source reachable-via RX, ACL 130
0 verification drops
38 suppressed verification drops
r5(config-if)#access-list 130 per ip any any
r5(config)#
r5(config)#do sh ip int e0/1
Ethernet0/1 is up, line protocol is up
Internet address is 150.100.2.5/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
IP verify source reachable-via RX, ACL 130
0 verification drops
40 suppressed verification drops
It does not matter whether the old way or the new way is used:
r5(config)#int e0/1
r5(config)#no ip access-list 130
r5(config)#access-list 130 permit icmp h 172.16.2.1 h 172.16.6.1
r5(config-if)#ip verify unicast reverse-path 130
r5(config-if)#do sh ip int e0/1
Ethernet0/1 is up, line protocol is up
Internet address is 150.100.2.5/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
IP verify source reachable-via RX, allow default, ACL 130
4 verification drops
0 suppressed verification drops
r5(config-if)#
*Mar 1 03:10:40.229: %BGP-5-ADJCHANGE: neighbor 150.100.2.254 Up
r5(config-if)#do sh ip int e0/1
Ethernet0/1 is up, line protocol is up
Internet address is 150.100.2.5/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
IP verify source reachable-via RX, allow default, ACL 130
6 verification drops
0 suppressed verification drops
Changing to another router, 3600 this time (same behavior)
r6(config)#do sh ip int atm 1/0.69
ATM1/0.69 is up, line protocol is up
Internet address is 150.100.3.6/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 4470 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.10 224.0.0.9
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is disabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
IP verify source reachable-via RX, ACL 130
13 verification drops
7 suppressed verification drops
r6(config)#
r6(config)#do sh access-list 130
Extended IP access list 130
10 permit ip any any (7 matches)
With permit ip any any and the log keyword,
you can see that verification drops are incremented and suppressed verification drops are not.
r6(config)#no access-list 130 per ip any any
r6(config)# access-list 130 per ip any any log
r6(config)#do sh ip int atm 1/0.69
ATM1/0.69 is up, line protocol is up
Internet address is 150.100.3.6/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 4470 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.10 224.0.0.9
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is disabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
IP verify source reachable-via RX, ACL 130
16 verification drops
0 suppressed verification drops
r6(config)#do sh ip int atm 1/0.69
ATM1/0.69 is up, line protocol is up
Internet address is 150.100.3.6/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 4470 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.10 224.0.0.9
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is disabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
IP verify source reachable-via RX, ACL 130
18 verification drops
0 suppressed verification drops
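The monitoring above is done by eye: two `show ip interface` snapshots are taken and the two uRPF counters are compared. The following Python script is an added example, not part of the original post, that automates that comparison. It parses the `IP verify source reachable-via ...` line and the two counters from each snapshot, reports the deltas, and classifies the interval the same way the summary in the post does: an increase in "verification drops" means the packets that failed the check were dropped, an increase in "suppressed verification drops" means they were forwarded because the ACL permitted them. It also flags the case where a counter went backwards (counters cleared or the router reloaded between snapshots), which would otherwise produce a misleading negative delta. The sample snapshots are constructed, abbreviated from the r5 output in the post; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Lines of interest in `show ip interface` output (IOS 12.2T format as shown in the post).
IFACE_RE = re.compile(r"^(?P<name>\S+) is (?:up|down|administratively down), line protocol is")
URPF_RE = re.compile(r"^\s*IP verify source reachable-via (?P<mode>[A-Za-z]+)(?P<rest>.*)$")
DROPS_RE = re.compile(r"^\s*(?P<n>\d+) verification drops$")
SUPPR_RE = re.compile(r"^\s*(?P<n>\d+) suppressed verification drops$")


@dataclass
class UrpfStatus:
    interface: str
    mode: str                  # "RX" (strict, reachable-via rx) or "ANY" (loose)
    acl: Optional[str]         # ACL consulted on a failed check, if one is configured
    allow_default: bool        # "allow default" present on the verify line
    drops: int                 # failed the check and were dropped
    suppressed: int            # failed the check but were forwarded (ACL permit)


def parse_show_ip_interface(text: str) -> Optional[UrpfStatus]:
    """Extract the uRPF status from one `show ip interface <if>` snapshot.
    Returns None when the snapshot has no uRPF line (feature not configured)."""
    interface = mode = acl = None
    allow_default = False
    drops = suppressed = None
    for line in text.splitlines():
        if (m := IFACE_RE.match(line)):
            interface = m.group("name")
        elif (m := URPF_RE.match(line)):
            mode = m.group("mode").upper()
            rest = m.group("rest")
            allow_default = "allow default" in rest
            a = re.search(r"ACL (\S+)", rest)
            acl = a.group(1) if a else None
        elif (m := DROPS_RE.match(line)):
            drops = int(m.group("n"))
        elif (m := SUPPR_RE.match(line)):
            suppressed = int(m.group("n"))
    if interface is None or mode is None or drops is None or suppressed is None:
        return None
    return UrpfStatus(interface, mode, acl, allow_default, drops, suppressed)


def compare(before: UrpfStatus, after: UrpfStatus) -> dict:
    """Classify what happened to RPF-failing packets between two snapshots."""
    if before.interface != after.interface:
        raise ValueError("snapshots are from different interfaces")
    if after.drops < before.drops or after.suppressed < before.suppressed:
        # A counter went backwards: `clear counters` or a reload happened in between.
        return {"delta_drops": None, "delta_suppressed": None,
                "verdict": "counters reset between snapshots"}
    dd = after.drops - before.drops
    ds = after.suppressed - before.suppressed
    if dd and not ds:
        verdict = "RPF failures dropped"
    elif ds and not dd:
        verdict = "RPF failures forwarded (suppressed by ACL permit)"
    elif dd and ds:
        verdict = "mixed: some RPF failures dropped, some forwarded"
    else:
        verdict = "no RPF failures in interval"
    return {"delta_drops": dd, "delta_suppressed": ds, "verdict": verdict}


# Constructed sample snapshots, abbreviated from the r5 output in the post.
SNAP_DROPPED_1 = """Ethernet0/1 is up, line protocol is up
  Internet address is 150.100.2.5/24
  Inbound access list is not set
  IP verify source reachable-via RX, ACL 130
  131 verification drops
  0 suppressed verification drops
"""
SNAP_DROPPED_2 = SNAP_DROPPED_1.replace("131 verification", "132 verification")

SNAP_FORWARDED_1 = """Ethernet0/1 is up, line protocol is up
  Internet address is 150.100.2.5/24
  IP verify source reachable-via RX, ACL 130
  0 verification drops
  38 suppressed verification drops
"""
SNAP_FORWARDED_2 = SNAP_FORWARDED_1.replace("38 suppressed", "40 suppressed")

SNAP_ALLOW_DEFAULT = """Ethernet0/1 is up, line protocol is up
  IP verify source reachable-via RX, allow default, ACL 130
  4 verification drops
  0 suppressed verification drops
"""


if __name__ == "__main__":
    for a, b in ((SNAP_DROPPED_1, SNAP_DROPPED_2), (SNAP_FORWARDED_1, SNAP_FORWARDED_2)):
        s1, s2 = parse_show_ip_interface(a), parse_show_ip_interface(b)
        print(s2.interface, s2.mode, s2.acl, compare(s1, s2))
```

Feed it real output by saving two `show ip interface <if>` captures and calling `compare(parse_show_ip_interface(first), parse_show_ip_interface(second))`; only the interface line, the verify line and the two counter lines are consulted, so the rest of the output may differ between IOS releases.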
This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:55:10 GMT-3