[nsp] ip verify unicast not logging in ACL

Kinczli Zoltán Zoltan.Kinczli at Synergon.hu
Wed Nov 12 08:13:27 EST 2003


hello,

  drop: as its name suggests, the packet was dropped

  suppressed drop: the FIB check would drop, but the ACL (not available on ASIC-based platforms)
  suppressed the drop, so the packet was passed in the end

rgds
 z.

-----Original Message-----
From: Sam Stickland [mailto:sam_ml at spacething.org]
Sent: Wednesday, November 12, 2003 1:58 PM
To: Cisco Nsp
Subject: Re: [nsp] ip verify unicast not logging in ACL


Oh forgot to ask, what's the difference between a drop and suppressed drop?
I can make a couple of educated guesses, but it's not actually mentioned in
the documentation.

Sam

> Hi,
>
> I'm configuring some routers to drop packets sourced from IP addresses given
> by the bogon servers, using loose uRPF. (Dropping packets with destinations
> from the bogon servers is working fine.)
>
> I've tried the following (using a permit initially, just while I'm testing -
> I don't want to actually drop the traffic).
>
> access-list 99 permit any log
>
> int vlan x
>   ip verify unicast source reachable-via any allow-default 99
>
> If I do 'sh ip int vlan x' I can see
>
>   IP verify source reachable-via ANY, allow default, ACL 99
>    0 verification drops
>    80948 suppressed verification drops
>
> and the suppressed verification drops is rising pretty rapidly (which is
> surprising since this interface carries less than a meg of traffic). But 'sh
> access-list 99' only shows this (note the lack of a match counter):
>
> Standard IP access list 99 (Compiled)
>     10 permit any log
>
> And there's nothing in the logs either. If I take away the ACL from the
> statement, or change it to a deny, I still get no logs, but this time the
> BGP session on that interface will drop, which it shouldn't do, so I'm
> assuming the uRPF isn't functioning correctly :/
>
> Is there anything wrong with my config? Perhaps I'm hitting an IOS bug? This is
> on a Cat6500 running IOS 12.2(14)SY1
>
> Sam
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

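The drop / suppressed drop distinction explained in the reply above, and the effect of allow-default and of the exemption ACL on it, modelled in Python as an added example. This is not code from the thread or from Cisco IOS: the class and function names are invented, and the FIB entries, ACL entries and source addresses are constructed sample data. The decision logic is the one the reply describes: a source that fails the FIB check is a verification drop unless the exemption ACL permits it, in which case the drop is suppressed and the packet is forwarded anyway.

```python
"""Model of loose-mode uRPF with allow-default and an exemption ACL.

Added example, not from the thread or from Cisco IOS. Names are invented;
FIB entries, ACL entries and source addresses are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Fib:
    """Forwarding table: list of (network, outgoing interface)."""
    prefixes: list

    def lookup(self, addr):
        """Longest-prefix match; returns the matching network or None."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, _ifc in self.prefixes:
            if a in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        return best


@dataclass
class Acl:
    """Standard ACL: ordered (action, network) entries, implicit deny at end."""
    entries: list

    def match(self, addr):
        a = ipaddress.ip_address(addr)
        for action, net in self.entries:
            if a in net:
                return action
        return "deny"


@dataclass
class UrpfLoose:
    """'ip verify unicast source reachable-via any [allow-default] [acl]'."""
    fib: Fib
    allow_default: bool = False
    acl: Optional[Acl] = None
    drops: int = 0              # 'verification drops'
    suppressed_drops: int = 0   # 'suppressed verification drops'

    def check(self, src):
        """Return True if the packet is forwarded, False if it is dropped."""
        route = self.fib.lookup(src)
        # Loose mode: a route to the source via any interface passes the
        # check; the default route only counts when allow-default is set.
        if route is not None and (route.prefixlen > 0 or self.allow_default):
            return True
        # FIB check failed: only now is the exemption ACL consulted, so a
        # 'permit any log' ACL sees (and logs) only packets that would drop.
        if self.acl is not None and self.acl.match(src) == "permit":
            self.suppressed_drops += 1
            return True
        self.drops += 1
        return False


def sample_fib(with_default=True):
    """Constructed FIB: two learned prefixes plus an optional default route."""
    prefixes = [
        (ipaddress.ip_network("10.0.0.0/8"), "Vlan10"),
        (ipaddress.ip_network("192.0.2.0/24"), "Vlan20"),
    ]
    if with_default:
        prefixes.append((ipaddress.ip_network("0.0.0.0/0"), "Vlan30"))
    return Fib(prefixes)


def run_scenarios():
    """Push the same four sources through four configurations.
    Returns {name: (per-packet forwarded flags, drops, suppressed_drops)}."""
    srcs = ["10.1.1.1", "192.0.2.5", "203.0.113.7", "198.51.100.9"]
    permit_any = Acl([("permit", ipaddress.ip_network("0.0.0.0/0"))])
    exempt_one = Acl([("permit", ipaddress.ip_network("198.51.100.0/24"))])
    configs = {
        # default route present, allow-default not set: default does not count
        "no_allow_default": UrpfLoose(sample_fib(True)),
        # allow-default set: the default route satisfies the check for all
        "allow_default": UrpfLoose(sample_fib(True), allow_default=True),
        # the thread's test config, no default route: every FIB miss is
        # permitted by the ACL, so it is a suppressed drop and is forwarded
        "permit_any_acl": UrpfLoose(sample_fib(False), True, permit_any),
        # exemption ACL for one prefix only: other FIB misses are real drops
        "exempt_one_acl": UrpfLoose(sample_fib(False), True, exempt_one),
    }
    results = {}
    for name, urpf in configs.items():
        forwarded = [urpf.check(s) for s in srcs]
        results[name] = (forwarded, urpf.drops, urpf.suppressed_drops)
    return results


if __name__ == "__main__":
    for name, (fwd, d, sd) in run_scenarios().items():
        print(f"{name:18s} forwarded={fwd} drops={d} suppressed={sd}")
```

With the permit-any ACL every FIB miss is forwarded and counted as a suppressed drop, which is the counter behaviour the original poster saw for the permit test; only the exempt-one configuration produces both real and suppressed drops from the same set of sources.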