[nsp] Workaround for loose uRPF dropping legitimate traffic

Sam Stickland sam_ml at spacething.org
Wed Nov 12 13:15:35 EST 2003


Yup,

It would appear that configuring uRPF without an access-list causes all
traffic on that interface to drop (sloppy checking by me earlier, evidently).
(It's still not logging the traffic, but I'm not overly bothered about
that).

The access-list doesn't even have to exist, but I'm using a standard ACL with
just a 'deny any' clause, because I figure that ought to use the least CPU
time.

Sam

----- Original Message -----
From: "Sam Stickland" <sam_ml at spacething.org>
To: "Kinczli Zoltán" <Zoltan.Kinczli at Synergon.hu>; "Cisco Nsp"
<cisco-nsp at puck.nether.net>
Sent: Wednesday, November 12, 2003 4:39 PM
Subject: Re: [nsp] ip verify unicast not logging in ACL


> Hi all,
>
> I found a workaround to my problem of the BGP sessions drops. In fact it's
> likely if I tested a bit more carefully all traffic was probably being
> dropped - I'll test that later.
>
> But it would appear (regardless of the ACLs never showing any matches),
> that the following statement:
>
> int vlan x
>   ip verify unicast source reachable-via any allow-default 199
> !
> access-list 199 deny ip any any
>
> Works as expected.
>
> And:
>
> int vlan x
>   ip verify unicast source reachable-via any allow-default
>
> is at the very least dropping BGP packets (I'll do some further testing).
>
> IOS Bug?
>
> Sam
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
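The semantics the two configurations above are meant to have, as an added model (not code from the thread or from Cisco): loose-mode uRPF passes a packet if any FIB route covers its source, counts the default route only under allow-default, and consults the attached ACL only after the check fails, so a 'deny ip any any' ACL should behave exactly like no ACL at all. The FIB prefixes, ACL entries and source addresses are constructed for the example.

```python
"""Model of Cisco uRPF loose mode: ip verify unicast source reachable-via any."""
import ipaddress

# Constructed FIB for the VLAN router: two customer prefixes plus a default route.
FIB = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24", "0.0.0.0/0")]

# Constructed equivalent of "access-list 199 deny ip any any".
DENY_ANY = [("deny", "0.0.0.0/0")]


def fib_lookup(fib, src):
    """Longest-prefix match; returns the matching network or None."""
    addr = ipaddress.ip_address(src)
    matches = [n for n in fib if addr in n]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


def acl_permits(acl, src):
    """First-match ACL evaluation: True on permit, False on deny or implicit deny."""
    addr = ipaddress.ip_address(src)
    for action, net in acl:
        if addr in ipaddress.ip_network(net):
            return action == "permit"
    return False  # every IOS ACL ends with an implicit deny


def urpf_loose(src, fib=FIB, allow_default=False, acl=None):
    """Return 'forward' or 'drop' for a packet whose source address is src."""
    route = fib_lookup(fib, src)
    # Loose mode: any route covering the source is enough; the default route
    # (prefix length 0) only counts when allow-default is configured.
    if route is not None and (route.prefixlen > 0 or allow_default):
        return "forward"
    # The check failed: the ACL, if attached, can still exempt the packet.
    if acl is not None and acl_permits(acl, src):
        return "forward"
    return "drop"


if __name__ == "__main__":
    for cfg in ({}, {"allow_default": True}, {"allow_default": True, "acl": DENY_ANY}):
        print(cfg, urpf_loose("203.0.113.5", **cfg))
```

With the full FIB, a source covered only by the default route is forwarded solely when allow-default is set, and attaching DENY_ANY changes no verdict; a permit entry in the ACL is the only way to let an unrouted source through.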
