Hi, I have some trouble with the "ip verify unicast source reachable-via" command.

I've understood the difference between "ip verify unicast source reachable-via rx" and "ip verify unicast source reachable-via any" well enough. The first one is strict mode and checks that the source is reachable via the receiving interface, while the second just checks that the source has a route in the FIB. Where I'm a bit lost is when you add an ACL after the command. The documentation says the ACL is checked if the uRPF check fails: if the source IP matches a deny statement the packet is dropped; if it matches a permit statement it is forwarded even though it failed uRPF. I think I've understood that part, but I seem unable to make it work on real gear…

Here is what I did:

R1---(f0/1) R2 (f0/0)---R3

R1 and R3 each have a loopback 200.0.0.1/32. R1 advertises it to R2, R2 advertises it to R3, and R3 does not advertise it to anyone.

If I ping R2's loopback (200.0.0.2) from R3 with 200.0.0.1 as source, I see the packets arriving on int f0/0 and the responses going out f0/1. (Normal.)

If I configure "ip verify unicast source reachable-via rx" on R2's f0/0 interface, the packets are simply dropped.

Now if I configure "ip verify unicast source reachable-via rx 1" and "access-list 1 permit any log", I would expect the packets not to be dropped but only logged, and the responses to be sent out interface f0/1 as without uRPF at all. However, R2 still drops the packets and does not log anything… But if I do the same without logging on the ACL, it works as expected (i.e. forwards)…

From DocCD: "If no ACL is specified in the ip verify unicast source reachable-via command, the router drops the forged or malformed packet immediately, and no ACL logging occurs. The router and interface Unicast RPF counters are updated. Unicast RPF events can be logged by specifying the logging option for the ACL entries that are used by the ip verify unicast source reachable-via command. Log information can be used to gather information about the attack, such as source address, time, and so on."

Did I miss something?
Best regards,
Christophe

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
http://onlinestudylist.com/mailman/listinfo/ccie_rs
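The uRPF decision the post describes (strict "rx" vs loose "any", then the ACL consulted only when the uRPF check fails), written out as a small Python model. This is an added example, not IOS code and not part of the original message: the FIB, interface names and packets below are constructed to mirror the R1/R2/R3 lab, and the function names (`urpf_decision`, `fib_lookup`, `acl_match`) are my own. It encodes the behaviour the quoted DocCD text documents and says nothing about why the "log" keyword changed the result on the poster's gear.

```python
"""Model of the uRPF forwarding decision (constructed example, not IOS code).

Rules modelled, as the thread describes them:
  * strict ("rx"):  the source must have a FIB route whose outgoing
                    interface is the interface the packet arrived on
  * loose ("any"):  the source only needs some FIB route
  * optional ACL:   evaluated ONLY after the uRPF check fails;
                    permit -> forward anyway, deny (or implicit deny) -> drop
The default route is deliberately not modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Route:
    prefix: str
    out_ifaces: Set[str]   # interfaces the prefix is reachable through


@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    source: str            # prefix, or "any"
    log: bool = False      # the ACL "log" keyword


def fib_lookup(fib: List[Route], src: str) -> Optional[Route]:
    """Longest-prefix match for the source address; None if no route."""
    addr, best = ip_address(src), None
    for route in fib:
        net = ip_network(route.prefix)
        if addr in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = route
    return best


def acl_match(acl: List[AclEntry], src: str) -> Optional[AclEntry]:
    """First matching entry, or None for the implicit deny at the end."""
    addr = ip_address(src)
    for entry in acl:
        net = ip_network("0.0.0.0/0" if entry.source == "any" else entry.source)
        if addr in net:
            return entry
    return None


def urpf_decision(fib: List[Route], mode: str, in_iface: str, src: str,
                  acl: Optional[List[AclEntry]] = None) -> Tuple[str, str, bool]:
    """Return (verdict, reason, logged) for a packet with source `src`
    arriving on `in_iface`, where mode is "rx" (strict) or "any" (loose)."""
    route = fib_lookup(fib, src)
    if route is not None and (mode == "any" or in_iface in route.out_ifaces):
        return ("forward", "urpf-pass", False)
    # uRPF failed: without an ACL the packet is dropped and nothing is logged
    if acl is None:
        return ("drop", "urpf-fail", False)
    entry = acl_match(acl, src)
    if entry is None:
        return ("drop", "urpf-fail-acl-implicit-deny", False)
    if entry.action == "permit":
        return ("forward", "urpf-fail-acl-permit", entry.log)
    return ("drop", "urpf-fail-acl-deny", entry.log)


# Constructed FIB of R2: 200.0.0.1/32 is learned from R1 behind f0/1,
# so a packet sourced from 200.0.0.1 but arriving on f0/0 fails strict uRPF.
R2_FIB = [Route("200.0.0.1/32", {"f0/1"}), Route("10.0.0.0/24", {"f0/0"})]
ACL_1 = [AclEntry("permit", "any", log=True)]   # access-list 1 permit any log

if __name__ == "__main__":
    for mode, acl in (("rx", None), ("any", None), ("rx", ACL_1)):
        print(mode, "acl" if acl else "no-acl", urpf_decision(R2_FIB, mode, "f0/0", "200.0.0.1", acl))
```

Running it prints the three cases from the lab in order: strict mode drops the packet, loose mode forwards it because a route exists, and strict mode with "access-list 1 permit any log" forwards it and flags it for logging.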
