[c-nsp] reverse path filtering doesn't seem to work
Steve Bertrand
steve at ibctech.ca
Fri Nov 20 09:35:04 EST 2009
Mike wrote:
> Gang,
>
> I have a 3725 with some t1 interfaces. I want to be a good netizen and
> establish urpf on my customer facing interfaces to ensure they can't
> send me spoofed traffic. When I enable 'ip verify unicast source
> reachable-via rx' however, suddenly I can't ping the router on the other
> side. Here's the relevant configs:
>
>
> interface Serial0/0
>  ip unnumbered Loopback0
>  ip access-group egress-antispoof out
>  service-module t1 clock source internal
>  service-module t1 remote-alarm-enable
>  service-module t1 fdl both
> end
>
> ip route x.x.74.0 255.255.255.248 Serial0/0
>
> ip access-list extended egress-antispoof
>  deny ip 10.0.0.0 0.255.255.255 any
>  deny ip 172.16.0.0 0.15.255.255 any
>  deny ip 192.168.0.0 0.0.255.255 any
>  deny ip 127.0.0.0 0.255.255.255 any
>  deny ip 224.0.0.0 31.255.255.255 any
>  deny ip 169.254.0.0 0.0.255.255 any
>  deny ip 240.0.0.0 15.255.255.255 any
>  permit ip any any
>
> Yes, in my route table I have a directly connected route as per above:
>
> Known via "static", distance 1, metric 0 (connected)
> Redistributing via ospf 1
> Advertised by ospf 1 subnets
> Routing Descriptor Blocks:
> * directly connected, via Serial0/0
> Route metric is 0, traffic share count is 1
>
> I am pinging from the router cli to x.x.74.1 and with the 'ip verify
> unicast' enabled, packets seem to be dropped. My expectation is simply
> that the above static route should be enough to tell 'ip verify' to
> allow x.x.74.0/29 as a source on this interface. Does anyone know what
> the deal might be?
Hi Mike,
It's not clear to me whether you are pinging from CPE->you or you->CPE.
Is this serial link the only connection that the CPE has? Do you have
uRPF enabled on your side, as well as the CPE?
...and perhaps a silly question... does this work if you disable uRPF?
Steve
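Added example, not code from the thread or from Cisco: a small Python model of the two checks Mike's configuration combines, so the strict-uRPF verdict on Serial0/0 and the egress-antispoof ACL verdict can be examined separately. The routing table, interface names and source addresses are constructed sample values (the /29 stands in for the x.x.74.0/29 block in the post), and the function names ROUTES, EGRESS_ANTISPOOF, best_route, urpf_strict_allows and acl_action are my own.

```python
"""Model of strict uRPF plus a Cisco wildcard-mask ACL (constructed example;
routes and addresses are sample values, ACL entries mirror egress-antispoof)."""
import ipaddress

# Constructed routing table: (prefix, outgoing interface). The /29 is a
# stand-in for the customer block the thread calls x.x.74.0/29.
ROUTES = [
    ("0.0.0.0/0", "GigabitEthernet0/0"),   # default toward upstream
    ("198.51.100.0/29", "Serial0/0"),      # static route to the CPE
    ("203.0.113.1/32", "Loopback0"),       # router's own loopback
]

# egress-antispoof as (action, address, wildcard); "any" is 0.0.0.0 with
# an all-ones wildcard, which is how IOS expands it.
EGRESS_ANTISPOOF = [
    ("deny", "10.0.0.0", "0.255.255.255"),
    ("deny", "172.16.0.0", "0.15.255.255"),
    ("deny", "192.168.0.0", "0.0.255.255"),
    ("deny", "127.0.0.0", "0.255.255.255"),
    ("deny", "224.0.0.0", "31.255.255.255"),   # 224/3: multicast and class E
    ("deny", "169.254.0.0", "0.0.255.255"),
    ("deny", "240.0.0.0", "15.255.255.255"),   # already inside the 224/3 entry
    ("permit", "0.0.0.0", "255.255.255.255"),
]

def best_route(src):
    """Longest-prefix match over ROUTES; returns the outgoing interface or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def urpf_strict_allows(src, ingress_iface):
    """'ip verify unicast source reachable-via rx': the best route back to
    the source must leave via the interface the packet arrived on."""
    return best_route(src) == ingress_iface

def acl_action(acl, src):
    """First-match wildcard-mask ACL with Cisco's implicit final deny.
    A wildcard bit of 1 means 'do not care', so compare under its inverse."""
    s = int(ipaddress.ip_address(src))
    for action, addr, wildcard in acl:
        care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
        if (s & care) == (int(ipaddress.ip_address(addr)) & care):
            return action
    return "deny"
```

With this table, a source inside the /29 passes strict uRPF on Serial0/0 but the same address arriving on the upstream interface fails, while any source whose best route is the default fails on Serial0/0 regardless of the ACL.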