Mike wrote:
> Gang,
>
> I have a 3725 with some T1 interfaces. I want to be a good netizen and establish uRPF on my customer-facing interfaces to ensure they can't send me spoofed traffic. When I enable 'ip verify unicast source reachable-via rx', however, suddenly I can't ping the router on the other side. Here are the relevant configs:
>
> interface Serial0/0
>  ip unnumbered Loopback0
>  ip access-group egress-antispoof out
>  service-module t1 clock source internal
>  service-module t1 remote-alarm-enable
>  service-module t1 fdl both
> end
>
> ip route x.x.74.0 255.255.255.248 Serial0/0
>
> ip access-list extended egress-antispoof
>  deny ip 10.0.0.0 0.255.255.255 any
>  deny ip 172.16.0.0 0.15.255.255 any
>  deny ip 192.168.0.0 0.0.255.255 any
>  deny ip 127.0.0.0 0.255.255.255 any
>  deny ip 224.0.0.0 31.255.255.255 any
>  deny ip 169.254.0.0 0.0.255.255 any
>  deny ip 240.0.0.0 15.255.255.255 any
>  permit ip any any
>
> Yes, in my route table I have a directly connected route as per above:
>
>   Known via "static", distance 1, metric 0 (connected)
>   Redistributing via ospf 1
>   Advertised by ospf 1 subnets
>   Routing Descriptor Blocks:
>   * directly connected, via Serial0/0
>       Route metric is 0, traffic share count is 1
>
> I am pinging from the router CLI to x.x.74.1 and, with 'ip verify unicast' enabled, packets seem to be dropped. My expectation is simply that the above static route should be enough to tell 'ip verify' to allow x.x.74.0/29 as a source on this interface. Does anyone know what the deal might be?
Hi Mike,

It's not clear to me whether you are pinging from CPE->you or you->CPE. Is this serial link the only connection that the CPE has? Do you have uRPF enabled on your side, as well as the CPE?

...and perhaps a silly question... does this work if you disable uRPF?

Steve

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
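As an added illustration that is not part of the thread, the Python below simulates how strict ('reachable-via rx') and loose ('reachable-via any') uRPF evaluate a packet's source address against the FIB, so the check Mike expects his static route to satisfy can be traced step by step. The FIB entries, the documentation-range prefixes standing in for x.x.74.0/29, and the upstream interface name are assumptions made for this example.

```python
import ipaddress

# Constructed FIB modelling the poster's setup: a static /29 pointing out the
# unnumbered Serial0/0, the loopback it borrows its address from, and a default
# route toward the upstream. Prefixes are documentation ranges chosen for this
# example, not the thread's real x.x.74.0/29.
FIB = [
    (ipaddress.ip_network("198.51.100.0/29"), "Serial0/0"),        # ip route ... Serial0/0
    (ipaddress.ip_network("192.0.2.1/32"), "Loopback0"),           # ip unnumbered Loopback0
    (ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet0/1"),     # assumed upstream default
]

def lookup(src):
    """Longest-prefix match of the source address; returns (prefix, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in FIB:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_strict(src, ingress, allow_default=False):
    """'reachable-via rx': the best route to the source must point back out the
    interface the packet arrived on. A default route only counts when the
    'allow-default' keyword is configured."""
    hit = lookup(src)
    if hit is None or (hit[0].prefixlen == 0 and not allow_default):
        return False
    return hit[1] == ingress

def urpf_loose(src, allow_default=False):
    """'reachable-via any': any route to the source suffices, with the same
    default-route rule as strict mode."""
    hit = lookup(src)
    return hit is not None and (hit[0].prefixlen > 0 or allow_default)

if __name__ == "__main__":
    # The echo reply from the far end of the T1 enters Serial0/0 with a source in the /29.
    print(urpf_strict("198.51.100.1", "Serial0/0"))           # True: static route points back out Serial0/0
    print(urpf_strict("198.51.100.1", "GigabitEthernet0/1"))  # False: /29 source arriving from the upstream
    print(urpf_strict("10.9.8.7", "Serial0/0"))               # False: only the default route matches
```

Run against the constructed FIB, a source inside the /29 arriving on Serial0/0 passes strict mode, while the same source arriving on the upstream interface, or a source matched only by the default route, is dropped.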