Hi Ben,

Did you turn on logging on your ACL? It seems to be working without logging, but I was trying to log the uRPF-failed packets.

Regards,
Christophe

On 02 Feb 2012, at 11:43, Ben Hughes wrote:

> Hi Christophe,
>
> I just lab'd this up and it worked fine. When I applied the ACL my pings
> that were previously dropped were allowed through. I didn't get a response
> as the response was being sent through to R1, but if you turn on "debug ip icmp"
> on R2 you should see it working.
>
> cheers,
> Ben.
>
> From: Christophe Lemaire <[email protected]>
> Date: Thu, 2 Feb 2012 11:28:41 +0100
> To: "<[email protected]>" <[email protected]>
> Subject: [OSL | CCIE_RS] ip verify unicast source reachable-via
>
> Hi,
>
> I have some trouble with the "ip verify unicast source reachable-via" command.
>
> I understand the difference between "ip verify unicast source
> reachable-via rx" and "ip verify unicast source reachable-via any". The first
> one is strict mode and checks that the source is reachable via the receiving
> interface, while the second just checks that the source has a route in the FIB.
>
> But where I'm a bit lost is when you add an ACL after the command. The
> documentation says the ACL is checked if the uRPF check fails: if the source IP
> matches a deny statement the packet is dropped; if it matches a permit
> statement it is forwarded even though it failed the uRPF check. I think I've
> understood that part, but I seem unable to make it work on real gear...
>
> Here is what I did:
>
> R1---(f0/1) R2 (f0/0)---R3
>
> R1 and R3 have a loopback 200.0.0.1/32.
> R1 advertises it to R2,
> R2 advertises it to R3,
> R3 does not advertise it to anyone.
>
> If I ping R2's loopback (200.0.0.2) from R3 with 200.0.0.1 as source, I see
> that packet arriving on int f0/0 and the response going out f0/1. (Normal)
>
> If I configure "ip verify unicast source reachable-via rx" on R2's f0/0
> interface, the packets are simply dropped.
>
> Now if I configure "ip verify unicast source reachable-via rx 1" and
> "access-list 1 permit any log", I would expect the packets not to be dropped
> but only logged, and the response to be sent out interface f0/1 as without
> uRPF at all. However, R2 still drops the packets and does not log anything...
>
> But if I do the same without logging on the ACL it works as expected (i.e.
> forwards)...
>
> From DocCD:
>
> "If no ACL is specified in the ip verify unicast source reachable-via
> command, the router drops the forged or malformed packet immediately, and no
> ACL logging occurs. The router and interface Unicast RPF counters are updated.
> Unicast RPF events can be logged by specifying the logging option for the ACL
> entries that are used by the ip verify unicast source reachable-via command.
> Log information can be used to gather information about the attack, such as
> source address, time, and so on."
>
> Did I miss something?
>
> Best regards,
> Christophe
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
> http://onlinestudylist.com/mailman/listinfo/ccie_rs
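To reproduce the scenario in the thread and check each piece separately, here is an R2 configuration with the show commands I would use to verify it. This is an added example written for this page, not configuration from Christophe's or Ben's lab; the link addressing, the static route (standing in for whatever routing protocol carries 200.0.0.1/32 from R1 in the thread), and the ACL logging thresholds are assumptions.

```cisco
! R2: illustrative configuration, not taken from the thread.
! Assumed addressing: R1-R2 link 10.1.12.0/24 (R1 .1, R2 .2) on R2 f0/1,
! R2-R3 link 10.1.23.0/24 (R2 .2, R3 .3) on R2 f0/0. The thread gives
! neither the addresses nor the routing protocol, so a static route
! stands in for the route R2 learns from R1.
hostname R2
!
interface Loopback0
 ip address 200.0.0.2 255.255.255.255
!
interface FastEthernet0/1
 description to R1
 ip address 10.1.12.2 255.255.255.0
!
! The FIB entry for 200.0.0.1/32 points out f0/1, so a packet sourced
! from 200.0.0.1 that arrives on f0/0 fails the strict (rx) check.
ip route 200.0.0.1 255.255.255.255 10.1.12.1
!
! Exception ACL, consulted only for packets that FAILED the RPF check:
! permit = forward anyway, deny = drop. "log" records the event either way.
access-list 1 permit any log
!
! Keep ACL logging from flooding the CPU and the log buffer
! (assumed values: flush every 100 hits or every 1000 ms).
ip access-list log-update threshold 100
ip access-list logging interval 1000
logging buffered 16384 informational
!
interface FastEthernet0/0
 description to R3
 ip address 10.1.23.2 255.255.255.0
 ip verify unicast source reachable-via rx 1
!
! Test from R3:   ping 200.0.0.2 source 200.0.0.1
! Checks on R2, in this order:
!   show ip interface FastEthernet0/0 | include verif
!       -> "IP verify source reachable-via RX, ACL 1" and the
!          "verification drops" / "suppressed verification drops" counters
!   show ip traffic | include RPF
!       -> the global unicast RPF drop counter
!   show access-lists 1
!       -> the match counter on the permit line
!   show logging | include IPACCESSLOGS
!       -> %SEC-6-IPACCESSLOGS entries for list 1, if logging fired
!   debug ip icmp
!       -> echo replies leaving toward R1 prove the packet was forwarded
```

The ACL only ever sees packets that have already failed the RPF check, so "permit any" does not weaken normal uRPF behaviour for valid traffic; it turns every failure into a logged exception instead of a silent drop. Read the counters before the syslog: the interface's verification-drop counter tells you whether uRPF is still dropping, the ACL hit counter tells you whether the exception list is being consulted, and only then is the presence or absence of IPACCESSLOGS messages meaningful.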
