From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Thu Feb 01 2007 - 20:20:25 ART
Hi Jim,
What version are you running?  There are some registered bugs for this feature in 12.2T and 12.3:
CSCin39333 Bug Details

Headline: uRPF drops packet even if it is permitted in the access-list
Product: IOS
Feature: CEF/DCEF/FIB
Duplicate of:
Severity: 3
Status: Resolved
First Found-in Version: 12.3(0.1)
First Fixed-in Version: 12.3(0.5), 12.3(0.5)T, 12.3(0.5)B, 12.3(0.5)BW03

Release Notes

Symptom
Using IP uRPF with an Access List that has logging enabled, may cause traffic to be incorrectly dropped.

Workaround
There is no workaround.

CSCeg06652 Bug Details

Headline: uRPF does not work ACL log
Product: IOS
Feature: CEF/DCEF/FIB
Duplicate of: CSCin39333
Severity: 3
Status: Duplicate
First Found-in Version: 12.2(15)T05
First Fixed-in Version:

Release Notes

Symptoms: Cisco Express Forwarding (CEF) will drop all packets including permitted packets or denied packets.
Conditions: This symptom is observed when Unicast Reverse Path Forwarding (URPF) is configured with an access control list (ACL) that has a log option.
Workaround: There is no workaround.

HTH,
Brian McGahan, CCIE #8593 (R&S/SP)
bmcgahan@internetworkexpert.com 
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Jim White
Sent: Thursday, February 01, 2007 4:40 PM
To: ccielab@groupstudy.com; jim.t.white@gmail.com
Subject: Question Re: "ip verify unicast" feature in IOS
Hi Groupstudy,
I am a little confused about the operation of the ip verify source feature in IOS. In the following example I want to log an entry if the source lookup fails.
For example, my interpretation of the configuration below is that it will perform the source lookup for all sources (permit any) and generate a syslog message if the source lookup fails.
I have tested this with little success other than some output at the end of "show ip interface serial 0/0" which suggests it's doing what it should.
#------- Config Output ------#
ip cef
access-list 1 permit any log
!
interface Serial0/0
ip verify unicast source reachable-via rx 1
#--- End of Config Output ---#
After some testing..
R1#show ip interface serial 0/0
Serial0/0 is up, line protocol is up
(Output Removed)
  IP verify source reachable-via RX, ACL 1
  20 verification drops
  0 suppressed verification drops
R1#
Thanks for any input/clarification,
Jim White
(Cork, Ireland)
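
The following is an added example, not part of either message in this thread: a Python sketch that parses the uRPF lines of "show ip interface" output and checks the counters against the behaviour Cisco documents for uRPF with an ACL (the ACL is consulted only for packets that fail the reverse-path check, and packets it permits are forwarded and counted as suppressed verification drops). The function names and the embedded sample, built from the counters quoted above, are constructed for illustration.

```python
import re

# Constructed sample: the uRPF lines from the 'show ip interface' output quoted above.
SAMPLE = """\
Serial0/0 is up, line protocol is up
  IP verify source reachable-via RX, ACL 1
  20 verification drops
  0 suppressed verification drops
"""

def parse_urpf(text):
    """Pull the uRPF mode, ACL and both counters out of 'show ip interface' text."""
    mode = re.search(r"IP verify source reachable-via (\w+)(?:, ACL (\S+))?", text)
    if mode is None:
        return None  # uRPF is not enabled on this interface
    drops = re.search(r"^\s*(\d+) verification drops", text, re.M)
    supp = re.search(r"^\s*(\d+) suppressed verification drops", text, re.M)
    return {
        "mode": mode.group(1).lower(),
        "acl": mode.group(2),
        "drops": int(drops.group(1)) if drops else 0,
        "suppressed": int(supp.group(1)) if supp else 0,
    }

def expected_outcome(rpf_ok, acl_permits):
    """Model of the documented decision; acl_permits is None when no ACL is attached."""
    if rpf_ok:
        return "forward"             # the ACL is never consulted
    if acl_permits:
        return "forward-suppressed"  # counted under 'suppressed verification drops'
    return "drop"                    # counted under 'verification drops'

def check_counters(state, acl_permits_everything):
    """Flag counters that contradict an ACL known to permit every source."""
    if state is None or state["acl"] is None or not acl_permits_everything:
        return "no-conclusion"
    if state["drops"] > 0:
        return "inconsistent"  # permitted failures should be suppressed, not dropped
    return "consistent"

if __name__ == "__main__":
    state = parse_urpf(SAMPLE)
    print(state, check_counters(state, acl_permits_everything=True))
```

The counters are cumulative, so the check is only meaningful on the difference between two readings taken after the ACL was attached to the interface.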
This archive was generated by hypermail 2.1.4 : Thu Mar 01 2007 - 07:38:45 ART