Hi Christophe,

The "permitted by ACL x" log message is what I got as well.  Sorry I didn't 
mean I literally got "failed uRPF but permitted by ACL" in the log – I was just 
describing the traffic :)  No idea why it didn't work on Proctorlab's equipment.

cheers,
Ben.

From: Christophe Lemaire <[email protected]>
Date: Fri, 3 Feb 2012 15:16:59 +0100
To: Ben Hughes <[email protected]>
Cc: OSL and Switching Routing <[email protected]>
Subject: Re: [OSL | CCIE_RS] ip verify unicast source reachable-via

Hi Ben,

Weird... I did it again on Protorlab's equipment and it doesn't work... But I 
tried it on GNS and it works... I don't have the log you mention though... I 
just have the classical ACL "denied or permitted by ACL x".

Regards,
Christophe

On 02 Feb 2012, at 22:59, Ben Hughes wrote:

Hi Christophe,
Yes, I had logging on and have an entry in the log for the "failed uRPF but 
permitted by ACL" traffic.  My config on R2 was:
access-list 7 permit 200.0.0.1 log
int f0/0
ip verify uni source reach via rx 7
cheers,
Ben.
From: Christophe Lemaire <[email protected]>
Date: Thu, 2 Feb 2012 17:39:13 +0100
To: Ben Hughes <[email protected]>
Cc: <[email protected]>
Subject: Re: [OSL | CCIE_RS] ip verify unicast source reachable-via
Hi Ben,
Did you turn on logging on your ACL? It seems to be working without logging, but I 
was trying to log the uRPF-failed packets.
Regards,
Christophe
On 02 Feb 2012, at 11:43, Ben Hughes wrote:
Hi Christophe,
I just lab'd this up and it worked fine.  When I applied the ACL, my pings that 
were previously dropped were allowed through.  I didn't get a response, as the 
response was being sent through to R1, but if you turn on debug ip icmp on R2 
you should see it working.
cheers,
Ben.
From: Christophe Lemaire <[email protected]>
Date: Thu, 2 Feb 2012 11:28:41 +0100
To: <[email protected]>
Subject: [OSL | CCIE_RS] ip verify unicast source reachable-via
Hi,
I have some trouble with the "ip verify unicast source reachable-via" command.
I've understood the difference between "ip verify unicast source 
reachable-via rx" and "ip verify unicast source reachable-via any". The first 
one is strict mode and checks that the source is reachable via the receiving 
interface, while the second just checks that the source has a route in the FIB.
But where I'm a bit lost is when you add an ACL after the command. The 
documentation says the ACL is checked if the uRPF check fails: if the source IP 
matches a deny statement the packet is dropped, and if it matches a permit 
statement it is forwarded even though it failed the uRPF check. I think I've 
understood that part, but I seem unable to make it work on real gear...
Here is what I did:
R1---(f0/1) R2 (f0/0)---R3
R1 and R3 have a loopback 200.0.0.1/32.
R1 advertises it to R2,
R2 advertises it to R3,
R3 does not advertise it to anyone.
If I ping R2's loopback (200.0.0.2) from R3 with 200.0.0.1 as source, I see 
the packet arriving on int f0/0 and the response going out f0/1. (Normal)
If I configure "ip verify unicast source reachable-via rx" on R2's f0/0 
interface, the packets are simply dropped.
Now if I configure "ip verify unicast source reachable-via rx 1" and 
"access-list 1 permit any log", I would expect the packets not to be dropped but 
only logged, and the response to be sent out interface f0/1 as without uRPF at 
all. However, R2 still drops the packets and does not log anything...
But if I do the same without logging on the ACL, it works as expected (i.e. 
forwards)...
From the DocCD:
"If no ACL is specified in the ip verify unicast source reachable-via command, 
the router drops the forged or malformed packet immediately, and no ACL logging 
occurs. The router and interface Unicast RPF counters are updated.
Unicast RPF events can be logged by specifying the logging option for the ACL 
entries that are used by the ip verify unicast source reachable-via command. 
Log information can be used to gather information about the attack, such as 
source address, time, and so on."
Did I miss something?
Best regards,
Christophe
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com
http://onlinestudylist.com/mailman/listinfo/ccie_rs


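The thread above is about what IOS is supposed to do when uRPF is combined with an ACL, so here is a small Python model of that documented decision flow, written as an added example for this page (it is not code from the list, from Cisco, or from any IOS image). It models R2's view of the topology Christophe describes: the FIB entries are constructed for the example, "rx" is strict mode (the source's FIB entry must point back at the ingress interface), "any" is loose mode (any FIB entry is accepted; the allow-default variant is not modelled), and the ACL is consulted only after a uRPF failure, which is why a packet that passes uRPF can never be logged by that ACL. The parse_acl helper accepts IOS-style standard ACL lines such as the "access-list 7 permit 200.0.0.1 log" Ben posted. It does not reproduce whatever platform-specific CEF or logging behaviour made the real gear drop silently; it only shows what the documented logic predicts.

```python
import ipaddress
from dataclasses import dataclass

# Constructed FIB for R2 (prefix -> outgoing interface). Assumption for the
# example: the transit subnets are invented; 200.0.0.1/32 is learned from R1
# out f0/1, exactly as in the thread, so a packet sourced from 200.0.0.1
# arriving on f0/0 fails strict uRPF.
FIB = {
    ipaddress.ip_network("200.0.0.1/32"): "f0/1",        # R1's loopback via R1
    ipaddress.ip_network("200.0.0.2/32"): "Loopback0",   # R2's own loopback
    ipaddress.ip_network("10.1.2.0/24"): "f0/1",         # R1-R2 link (constructed)
    ipaddress.ip_network("10.2.3.0/24"): "f0/0",         # R2-R3 link (constructed)
}


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    prefix: ipaddress.IPv4Network    # source prefix the entry matches
    log: bool = False                # IOS "log" keyword present


@dataclass
class Verdict:
    forwarded: bool   # True if the packet would be forwarded
    reason: str       # human-readable explanation of the decision
    logged: bool = False  # True if an ACL "log" entry would produce a log line


def parse_acl(lines):
    """Parse IOS-style standard ACL lines, e.g. 'access-list 7 permit 200.0.0.1 log'.

    Accepts 'any', 'host A.B.C.D', 'A.B.C.D WILDCARD' and a bare host address.
    """
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[0] == "access-list":     # drop "access-list <number>"
            tokens = tokens[2:]
        action = tokens[0]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL action: {action}")
        log = tokens[-1] == "log"
        target = tokens[1:-1] if log else tokens[1:]
        if target == ["any"]:
            prefix = ipaddress.ip_network("0.0.0.0/0")
        elif target[0] == "host":
            prefix = ipaddress.ip_network(target[1] + "/32")
        elif len(target) == 2:             # address + wildcard (hostmask) form
            prefix = ipaddress.ip_network(f"{target[0]}/{target[1]}", strict=False)
        else:                              # bare host address
            prefix = ipaddress.ip_network(target[0] + "/32")
        entries.append(AclEntry(action, prefix, log))
    return entries


def fib_lookup(fib, src):
    """Longest-prefix match; returns the outgoing interface or None."""
    best = None
    for net, intf in fib.items():
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best[1] if best else None


def urpf_check(fib, ingress, src, mode="rx", acl=None):
    """Decide the fate of a packet from `src` arriving on `ingress`.

    mode="rx"  -> strict: FIB entry for src must point back at ingress.
    mode="any" -> loose: any FIB entry for src is enough.
    acl        -> consulted ONLY when the uRPF check fails (documented behaviour).
    """
    src = ipaddress.ip_address(src)
    egress = fib_lookup(fib, src)
    passed = egress is not None and (mode == "any" or egress == ingress)
    if passed:
        # The ACL is never evaluated here, so it cannot log passing traffic.
        return Verdict(True, f"uRPF {mode} passed (route via {egress})")
    if acl is None:
        return Verdict(False, "uRPF failed, no ACL: dropped, uRPF counter incremented")
    for entry in acl:                      # first match wins, implicit deny at end
        if src in entry.prefix:
            if entry.action == "permit":
                return Verdict(True, "uRPF failed but permitted by ACL", entry.log)
            return Verdict(False, "uRPF failed and denied by ACL", entry.log)
    return Verdict(False, "uRPF failed, implicit deny at end of ACL")


if __name__ == "__main__":
    acl1 = parse_acl(["access-list 1 permit any log"])
    for mode, acl in (("rx", None), ("any", None), ("rx", acl1)):
        print(mode, acl is not None, urpf_check(FIB, "f0/0", "200.0.0.1", mode, acl))
```

Running it reproduces the three cases in Christophe's mail: the spoofed 200.0.0.1 source on f0/0 is dropped under plain strict mode, forwarded under loose mode because a route exists, and forwarded and logged once the permit-any-log ACL is attached. Note also that a source with no FIB entry at all still hits the ACL's implicit deny and is dropped without a log line, so "nothing logged" can mean either the deny path or a platform that never reached the ACL.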
