Hi,

If it fails the RPF check, it then checks the ACL to see if there's anything in that ACL that it should take into account. If you have a permit in that ACL, even though it failed the initial check, it will get allowed and hence forwarded.

Kim

On Thu, Jul 14, 2011 at 2:45 PM, Daniel Gheorghe <[email protected]> wrote:
> Hey guys,
>
> Regarding the ACL attached to the "ip verify unicast reverse-path" list
> command: the logical thing in my opinion is that the traffic allowed in the
> ACL will be inspected by the RPF, and the denied traffic will not be
> inspected.
>
> But the documentation states the permitted traffic is directly forwarded to
> the destination, even if the packets are spoofed... so bypassing the RPF
> check completely:
>
> *Use the list option to identify an access list. If the access list denies
> network access, spoofed packets are dropped at the interface. If the access
> list permits network access, spoofed packets are forwarded to the
> destination address.*
>
> This does not make any sense. It is like applying a simple ACL to the
> interface.
>
> Let me know what you think.
>
> Thanks,
> Daniel
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com

--
// Freedom Matters
// CCIE #29189
// www.packet-forwarding.net
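
The decision order described in the reply above, modelled in Python next to an ordinary inbound ACL (an added example, not part of the thread and not Cisco code). The FIB, ACL entries, interface names and function names are constructed for illustration, and strict-mode uRPF with no default route is assumed.

```python
import ipaddress

# Constructed sample data. FIB entries: (prefix, interface used to reach it).
FIB = [("10.1.0.0/16", "Gi0/0"), ("198.51.100.0/24", "Gi0/1")]
# ACL named by the uRPF "list" option: (action, source prefix), first match wins.
URPF_ACL = [("deny", "10.1.5.0/24"), ("permit", "198.51.100.0/24")]

def fib_interface(src):
    """Longest-prefix match on the source; None when there is no route."""
    addr = ipaddress.ip_address(src)
    hits = [(ipaddress.ip_network(p), ifc) for p, ifc in FIB
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def acl_action(src, acl):
    """First matching entry decides; an ACL ends with an implicit deny."""
    addr = ipaddress.ip_address(src)
    for action, prefix in acl:
        if addr in ipaddress.ip_network(prefix):
            return action
    return "deny"

def urpf_with_list(src, in_if, acl):
    """Strict uRPF: the ACL is consulted only for packets that fail RPF."""
    if fib_interface(src) == in_if:
        return "forward", "RPF pass, ACL not consulted"
    if acl_action(src, acl) == "permit":
        return "forward", "RPF fail, ACL permit"
    return "drop", "RPF fail, ACL deny"

def plain_interface_acl(src, acl):
    """Ordinary inbound ACL for comparison: every packet is matched against it."""
    return "forward" if acl_action(src, acl) == "permit" else "drop"

def compare(packets, acl=URPF_ACL):
    """Return (src, in_if, uRPF verdict, reason, plain-ACL verdict) per packet."""
    rows = []
    for src, in_if in packets:
        verdict, reason = urpf_with_list(src, in_if, acl)
        rows.append((src, in_if, verdict, reason, plain_interface_acl(src, acl)))
    return rows

# Constructed packets, all arriving on Gi0/0.
PACKETS = [("10.1.5.5", "Gi0/0"), ("198.51.100.7", "Gi0/0"), ("203.0.113.9", "Gi0/0")]

if __name__ == "__main__":
    for row in compare(PACKETS):
        print(*row, sep="  ")
```

In this model the first packet is where the two mechanisms differ: its source passes RPF, so the deny entry is never evaluated, while an ordinary inbound ACL would drop it.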
