[nsp] ip verify unicast not logging in ACL

Sam Stickland sam_ml at spacething.org
Wed Nov 12 07:32:35 EST 2003


Hi,

I'm configuring some routers to drop packets sourced from IP addresses given
by the bogon servers, using loose uRPF. (Dropping packets with destinations
from the bogon servers is working fine.)

I've tried the following (using a permit initially, just while I'm testing -
I don't want to actually drop the traffic).

access-list 99 permit any log

int vlan x
  ip verify unicast source reachable-via any allow-default 99

If I do 'sh ip int vlan x' I can see

  IP verify source reachable-via ANY, allow default, ACL 99
   0 verification drops
   80948 suppressed verification drops

and the suppressed verification drops is rising pretty rapidly (which is
surprising since this interface carries less than a meg of traffic). But 'sh
access-list 99' only shows this (note the lack of a match counter):

Standard IP access list 99 (Compiled)
    10 permit any log

And there's nothing in the logs either. If I take away the ACL from the
statement, or change it to a deny, I still get no logs, but this time the
BGP session on that interface will drop, which it shouldn't do, so I'm
assuming the uRPF isn't functioning correctly :/

Is there anything wrong with my config? Perhaps I'm hitting an IOS bug? This
is on a Cat6500 running IOS 12.2(14)SY1

Sam
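Since the only evidence of uRPF activity in the post is the counter pair under 'sh ip int', a quick way to confirm whether the exception ACL is forwarding or dropping the failed packets is to diff those counters between two samples. The script below is an added example, not part of the original post or of any Cisco tooling; it parses the 'IP verify source' lines of a 'show ip interface' block and reports how the drop and suppressed-drop counters moved. The two sample outputs are constructed to mirror the post's excerpt (the interface name and address are made up).

```python
import re

# Constructed sample output modelled on the `sh ip int vlan x` excerpt in the
# post; the interface name and address are invented for the example.
SAMPLE_BEFORE = """\
Vlan10 is up, line protocol is up
  Internet address is 192.0.2.1/24
  IP verify source reachable-via ANY, allow default, ACL 99
   0 verification drops
   80948 suppressed verification drops
"""

# Same interface a little later: drops unchanged, suppressed drops higher.
SAMPLE_AFTER = """\
Vlan10 is up, line protocol is up
  Internet address is 192.0.2.1/24
  IP verify source reachable-via ANY, allow default, ACL 99
   0 verification drops
   81412 suppressed verification drops
"""

# "IP verify source reachable-via <RX|ANY>[, allow default][, ACL <n>]"
URPF_MODE_RE = re.compile(
    r"IP verify source reachable-via (\w+)(?:, (allow default))?(?:, ACL (\d+))?"
)
DROPS_RE = re.compile(r"^\s*(\d+) verification drops", re.M)
SUPPRESSED_RE = re.compile(r"^\s*(\d+) suppressed verification drops", re.M)


def parse_urpf(show_output):
    """Extract uRPF mode, options and counters from one `show ip interface`
    block. Returns None when the interface has no uRPF check configured."""
    mode = URPF_MODE_RE.search(show_output)
    if not mode:
        return None
    drops = DROPS_RE.search(show_output)
    suppressed = SUPPRESSED_RE.search(show_output)
    return {
        "mode": mode.group(1).lower(),            # "rx" (strict) or "any" (loose)
        "allow_default": mode.group(2) is not None,
        "acl": mode.group(3),                     # exception ACL number, or None
        "drops": int(drops.group(1)) if drops else 0,
        "suppressed": int(suppressed.group(1)) if suppressed else 0,
    }


def counter_delta(before_output, after_output):
    """Difference of the two uRPF counters between two samples of the same
    interface. 'drops' are packets discarded by the check; 'suppressed' are
    packets that failed the check but were let through by the exception ACL."""
    before = parse_urpf(before_output)
    after = parse_urpf(after_output)
    if before is None or after is None:
        raise ValueError("uRPF is not configured on this interface")
    return {
        "drops": after["drops"] - before["drops"],
        "suppressed": after["suppressed"] - before["suppressed"],
    }


def assess(before_output, after_output):
    """Plain-language reading of the counter movement, matching the situation
    in the post: a permit-any exception ACL turns every uRPF failure into a
    suppressed drop, so the packets are forwarded rather than discarded."""
    d = counter_delta(before_output, after_output)
    state = parse_urpf(after_output)
    if d["suppressed"] > 0 and d["drops"] == 0 and state["acl"]:
        return "exception ACL %s is permitting all uRPF failures" % state["acl"]
    if d["drops"] > 0:
        return "uRPF is discarding packets"
    return "no uRPF failures in this interval"


if __name__ == "__main__":
    print(parse_urpf(SAMPLE_BEFORE))
    print(counter_delta(SAMPLE_BEFORE, SAMPLE_AFTER))
    print(assess(SAMPLE_BEFORE, SAMPLE_AFTER))
```

Run it against two pasted copies of the 'sh ip int' output taken a minute apart; a rising suppressed counter with zero drops means the failed packets are being passed by the permit ACL, which is what the test configuration in the post is expected to produce.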