[c-nsp] IOS-XE: Applying or removing uRPF on a virtual-access interface using RADIUS av-pairs.
Stephen Fulton
sf at lists.esoteric.ca
Thu Nov 6 14:03:21 EST 2014
Hi Lukas,
That was a typo on my part, and unfortunately "lcp:interface-config=no
verify unicast" does not seem to work.
lns02.eg.tor1#sh ip int vi3.49
Virtual-Access3.49 is up, line protocol is up
Interface is unnumbered. Using address of Loopback3230 (10.20.31.16)
Broadcast address is 255.255.255.255
[.. snip ..]
VPN Routing/Forwarding "VRF-XYZ"
[.. snip ..]
IP verify source reachable-via RX, allow default, allow self-ping <<<<
0 verification drops
0 suppressed verification drops
0 verification drop-rate
I'm wondering if the virtual-template takes precedence rather than a
custom AV-Pair.
-- Stephen
On 2014-11-06 1:34 PM, Lukas Tribus wrote:
>> Hi all,
>>
>> We use uRPF on our LNS'es as part of implementing BCP38 in our network
>> and it is enabled by default on PPP/PPPoE virtual-templates. We've
>> found a situation where uRFP is causing a very specific corner case
>> problem and I want to remove it, but I don't want to remove it globally.
>> Removing it via a RADIUS av-pair seems the best solution there.
>> However I'm not seeing the intended result when I use the following av-pair:
>>
>> lcp:interface-config=no ip verify unicast reverse-path self-ping
>
> "self-ping" or "allow-self-ping"? Anyway, you probably just can use:
> lcp:interface-config=no ip verify unicast
>
> as IOS-XE doesn't support anything else:
> ASR1k-BNG-1(config-if)#no ip verify unicast ?
> <cr>
>
>
>
> Let me know if that works, I probably need the same here.
>
>
>
> Regards,
>
> Lukas
>
>
>
>
>
More information about the cisco-nsp
mailing list