[c-nsp] reverse path filtering doesn't seem to work
Mike
mike-cisconsplist at tiedyenetworks.com
Fri Nov 20 09:12:37 EST 2009
Gang,
I have a 3725 with some T1 interfaces. I want to be a good netizen and
establish uRPF on my customer-facing interfaces to ensure they can't
send me spoofed traffic. When I enable 'ip verify unicast source
reachable-via rx', however, suddenly I can't ping the router on the other
side. Here are the relevant configs:
interface Serial0/0
ip unnumbered Loopback0
ip access-group egress-antispoof out
service-module t1 clock source internal
service-module t1 remote-alarm-enable
service-module t1 fdl both
end
ip route x.x.74.0 255.255.255.248 Serial0/0
ip access-list extended egress-antispoof
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 240.0.0.0 15.255.255.255 any
permit ip any any
Yes, in my route table I have a directly connected route, as per above:
Known via "static", distance 1, metric 0 (connected)
Redistributing via ospf 1
Advertised by ospf 1 subnets
Routing Descriptor Blocks:
* directly connected, via Serial0/0
Route metric is 0, traffic share count is 1
I am pinging from the router CLI to x.x.74.1 and, with 'ip verify
unicast' enabled, packets seem to be dropped. My expectation is simply
that the above static route should be enough to tell 'ip verify' to
allow x.x.74.0/29 as a source on this interface. Does anyone know what
the deal might be?
Mike-
More information about the cisco-nsp mailing list
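To pin down what strict uRPF is supposed to decide for the configuration in the post, here is an added Python model of the check; it is example code written for this page, not code from the post or from IOS. It models the single FIB lookup that 'ip verify unicast source reachable-via rx' (strict), 'reachable-via any' (loose) and the 'allow-default' keyword perform, plus the post's egress-antispoof ACL parsed from its wildcard masks. The routing table is constructed: RFC 5737 documentation addresses stand in for x.x.74.0/29 and the loopback, and an upstream default route via FastEthernet0/0 is assumed (the post shows neither). With the static route from the post in place the model permits the customer /29 as a source on Serial0/0, which is the expectation the post states; it also shows what the same source gets when it arrives from the wrong interface, and what a source that only matches the default route gets in each mode.

```python
import ipaddress

# Constructed FIB standing in for the 3725's routing table. The addresses are
# RFC 5737 documentation space and the upstream default via FastEthernet0/0 is
# an assumption; the post only shows the x.x.74.0/29 static pointing at Serial0/0
# (ip unnumbered Loopback0). Entries: (prefix, egress interface).
FIB = [
    (ipaddress.ip_network("0.0.0.0/0"), "FastEthernet0/0"),   # assumed upstream default
    (ipaddress.ip_network("192.0.2.1/32"), "Loopback0"),       # the router's own loopback
    (ipaddress.ip_network("192.0.2.72/29"), "Serial0/0"),      # customer /29 static -> Serial0/0
]

# The post's egress-antispoof ACL, verbatim; every destination is "any", so the
# model matches on source only.
ACL_TEXT = """\
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 240.0.0.0 15.255.255.255 any
permit ip any any
"""


def lookup(src):
    """Longest-prefix match over FIB. Returns (network, egress_iface) or None."""
    best = None
    for net, iface in FIB:
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_permits(src_ip, ingress, mode="rx", allow_default=False):
    """Model of 'ip verify unicast source reachable-via {rx|any} [allow-default]'.

    rx  (strict): the best route to the source must point back out the ingress
                  interface, otherwise the packet is dropped.
    any (loose):  any route to the source is enough.
    allow-default: without it, a match on 0.0.0.0/0 does not count as a route.
    """
    hit = lookup(ipaddress.ip_address(src_ip))
    if hit is None:
        return False
    net, egress = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "any":
        return True
    return egress == ingress


def parse_acl(text):
    """Turn IOS 'permit|deny ip <src> <wildcard> any' lines into (action, network).

    ipaddress accepts an IOS wildcard (host mask) after the slash, so
    '224.0.0.0/31.255.255.255' becomes 224.0.0.0/3. 'any' becomes 0.0.0.0/0.
    """
    entries = []
    for line in text.strip().splitlines():
        action, _proto, src, *rest = line.split()
        if src == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(f"{src}/{rest[0]}", strict=False)
        entries.append((action, net))
    return entries


def acl_permits(entries, src_ip):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    src = ipaddress.ip_address(src_ip)
    for action, net in entries:
        if src in net:
            return action == "permit"
    return False


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    cases = [
        ("192.0.2.73", "Serial0/0"),          # the ping reply from the customer side
        ("192.0.2.73", "FastEthernet0/0"),    # customer address arriving from upstream
        ("198.51.100.5", "Serial0/0"),        # only the default route matches
        ("10.1.1.1", "Serial0/0"),            # RFC 1918 source on the customer link
    ]
    for src, iface in cases:
        print(f"{src:>14} in {iface:<16} strict={urpf_permits(src, iface)!s:<5} "
              f"loose+default={urpf_permits(src, iface, 'any', True)!s:<5} "
              f"egress-acl={acl_permits(acl, src)}")
```

On the router itself the two things this model computes are visible directly: `show ip interface Serial0/0` reports the configured uRPF mode and the "verification drops" counter, and `show ip cef x.x.74.1` shows which interface the FIB resolves the source to, which is the lookup strict mode compares against the ingress interface.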