Hi Ben,

Weird... I did it again on Protorlab's equipment and it doesn't work... But I tried it on GNS and it works... I don't have the log you mention though... I just have the classical ACL "denied or permitted by ACL x".

Regards,
Christophe

On 02 Feb 2012, at 22:59, Ben Hughes wrote:

> Hi Christophe,
>
> Yes, I had logging on and have an entry in the log for the "failed uRPF but permitted by ACL" traffic. My config on R2 was:
>
> access-list 7 permit 200.0.0.1 log
> int f0/0
> ip verify uni source reach via rx 7
>
> cheers,
> Ben.
>
> From: Christophe Lemaire <[email protected]>
> Date: Thu, 2 Feb 2012 17:39:13 +0100
> To: Ben Hughes <[email protected]>
> Cc: <[email protected]>
> Subject: Re: [OSL | CCIE_RS] ip verify unicast source reachable-via
>
> Hi Ben,
>
> Did you turn on logging on your ACL? It seems to be working without log, but I was trying to log the uRPF failed packets.
>
> Regards,
> Christophe
>
> On 02 Feb 2012, at 11:43, Ben Hughes wrote:
>
> Hi Christophe,
>
> I just lab'd this up and it worked fine. When I applied the ACL my pings that were previously dropped were allowed through. I didn't get a response as the response was being sent through to R1, but if you turn on "debug ip icmp" on R2 you should see it working.
>
> cheers,
> Ben.
>
> From: Christophe Lemaire <[email protected]>
> Date: Thu, 2 Feb 2012 11:28:41 +0100
> To: <[email protected]>
> Subject: [OSL | CCIE_RS] ip verify unicast source reachable-via
>
> Hi,
>
> I have some trouble with the "ip verify unicast source reachable-via" command. I've understood well the difference between "ip verify unicast source reachable-via rx" and "ip verify unicast source reachable-via any". The first one is a strict mode and checks that the source is reachable via the receiving interface, while the second just checks that the source has a route in the FIB.
>
> But where I'm a bit lost is when you add an ACL after the command. The documentation says the ACL is checked if the uRPF fails: if the source IP matches a deny statement the packet is dropped; if it matches a permit statement it is forwarded even though it failed the uRPF. I think I've understood that part, but I seem unable to make it work on real gear...
>
> Here is what I did:
>
> R1---(f0/1) R2 (f0/0)---R3
>
> R1 and R3 have a loopback 200.0.0.1/32.
> R1 advertises it to R2,
> R2 advertises it to R3,
> R3 does not advertise it to anyone.
>
> If I ping R2's loopback (200.0.0.2) from R3 with 200.0.0.1 as source, I see the packet arriving on int f0/0 and the response going out f0/1. (Normal)
>
> If I configure "ip verify unicast source reachable-via rx" on R2's f0/0 interface, the packets are simply dropped.
>
> Now if I configure "ip verify unicast source reachable-via rx 1" and "access-list 1 permit any log", I would expect the packets not to be dropped but only logged, and the response to be sent out interface f0/1 as without uRPF at all. However, R2 still drops the packets and does not log anything...
>
> But if I do the same without logging on the ACL it works as expected (i.e. forwards)...
>
> From DocCD:
>
> "If no ACL is specified in the ip verify unicast source reachable-via command, the router drops the forged or malformed packet immediately, and no ACL logging occurs. The router and interface Unicast RPF counters are updated. Unicast RPF events can be logged by specifying the logging option for the ACL entries that are used by the ip verify unicast source reachable-via command. Log information can be used to gather information about the attack, such as source address, time, and so on."
>
> Did I miss something?
>
> Best regards,
> Christophe
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
> http://onlinestudylist.com/mailman/listinfo/ccie_rs
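To make the decision order the thread is debating concrete (FIB lookup, strict vs loose uRPF, then the ACL exception with its log flag), here is an added Python model of the documented behaviour. It is not IOS code and not from anyone on the list; the FIB contents, the ACL numbers and the interface names are constructed to mirror the R1/R2/R3 lab in the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed FIB for "R2": 200.0.0.1/32 is learned from R1, so it points out f0/1.
# The 10.x prefixes are made-up directly connected networks for the two links.
FIB = {
    ip_network("200.0.0.1/32"): "f0/1",
    ip_network("10.1.0.0/24"): "f0/1",   # R1 side
    ip_network("10.3.0.0/24"): "f0/0",   # R3 side
}

# ACL entries as (action, prefix, log) evaluated first-match, implicit deny at the end.
ACL_1 = [("permit", ip_network("0.0.0.0/0"), True)]      # "access-list 1 permit any log"
ACL_7 = [("permit", ip_network("200.0.0.1/32"), True)]   # "access-list 7 permit 200.0.0.1 log"


def fib_lookup(src):
    """Longest-prefix match; returns the outgoing interface, or None if no route."""
    matches = [(net, iface) for net, iface in FIB.items() if src in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def acl_lookup(acl, src):
    """First-match ACL evaluation; the implicit deny never logs."""
    for action, prefix, log in acl:
        if src in prefix:
            return action, log
    return "deny", False


def urpf(src, ingress, mode="rx", acl=None):
    """Model of 'ip verify unicast source reachable-via {rx|any} [acl]'.

    Returns (verdict, logged). mode 'rx' is strict: the FIB route for the source
    must point back out the ingress interface. mode 'any' is loose: any route
    in the FIB suffices. Only when the check fails is the ACL consulted;
    permit forwards the packet anyway, deny drops it, and 'log' on the
    matching entry is what produces the ACL log message.
    """
    src = ip_address(src)
    out_iface = fib_lookup(src)
    passed = (out_iface == ingress) if mode == "rx" else (out_iface is not None)
    if passed:
        return "forward", False
    if acl is None:
        return "drop", False            # no ACL: silent drop, counters only
    action, log = acl_lookup(acl, src)
    return ("forward" if action == "permit" else "drop"), log
```

In the thread's scenario (source 200.0.0.1 arriving on f0/0) strict mode alone drops, loose mode forwards, and strict mode with either ACL forwards and logs.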
