[nsp] ip verify unicast not logging in ACL

Sam Stickland sam_ml at spacething.org
Wed Nov 12 07:58:27 EST 2003

Oh forgot to ask, what's the difference between a drop and suppressed drop?
I can make a couple of educated guesses, but it's not actually mentioned in
the documentation.


> Hi,
> I'm configuring some routers to drop packets sourced from IP addresses
> by the bogon servers, using loose uRPF. (Dropping packets with
> from the bogon servers is working fine.)
> I've tried the following (using a permit initially, just while I'm
> testing - I don't want to actually drop the traffic).
> access-list 99 permit any log
> int vlan x
>   ip verify unicast source reachable-via any allow-default 99
> If I do 'sh ip int vlan x' I can see
>   IP verify source reachable-via ANY, allow default, ACL 99
>    0 verification drops
>    80948 suppressed verification drops
> and the suppressed verification drops is rising pretty rapidly (which is
> surprising since this interface carries less than a meg of traffic). But
> access-list 99' only shows this (note the lack of a match counter):
> Standard IP access list 99 (Compiled)
>     10 permit any log
> And there's nothing in the logs either. If I take away the ACL from the
> statement, or change it to a deny I still get no logs, but this time
> BGP session on that interface will drop, which it shouldn't do, so I'm
> assuming the uRPF isn't functioning correctly :/
> Is there anything wrong with my config? Perhaps I'm hitting an IOS bug?
> on a Cat6500 running IOS 12.2(14)SY1
> Sam
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
