nanog mailing list archives
CEF RPF check w/ACLs (was: Re: netscan.org update)
From: Tony Tauber <ttauber () genuity net>
Date: Mon, 25 Sep 2000 15:30:54 -0400 (EDT)
On Mon, 25 Sep 2000, Roland Dobbins wrote:
> Bradley Dunn wrote:
>
>> On Mon, Sep 25, 2000 at 03:31:53AM -0400, John Fraizer wrote:
>>
>>> In a BB situation and in some simple multihomed situations, it is possible for someone to have a route into your network via an interface that for administrative/technical reasons, you're not accepting routes to them via. In such instances, CEF will break an otherwise valid, albeit asymmetric, stream.
>>
>> You are confusing CEF, a switching path, with 'ip verify unicast reverse-path', an interface configuration command which requires CEF. In any case, recent flavours of IOS support using an ACL to specify exceptions to the reverse-path check.
>>
>> Bradley
>
> Now =this= I'm familiar with. ip verify unicast reverse-path causes massive problems when you're multihomed. By 'recent', I assume you mean 12.x?
It came later. It's in 12.0(9.3)S for sure. I was the one who asked for something like it and a friendly developer coded it up nice and quickly.

One simple way to use it: If a customer is multiply homed, make up an access-list including their prefixes as source addresses and use it as "ip verify unicast reverse-path <acl>" so that you can permit packets with those sources even though they might fail the generic RPF check. You already know your customers' prefixes because you're either statically routing them or filtering the prefixes they can announce to you dynamically (right?).

One could note that a regular packet-filtering ACL inbound on the customer's port could achieve a congruent functionality. That's probably true. In this case, I had a different idea in mind when I asked for the feature, but this is what came out.

FWIW.

Tony
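The configuration Tony describes, written out as an added example that is not part of the original post and not Cisco's own documentation. The interface name, the ACL number and the customer prefixes (taken from the RFC 5737 documentation ranges) are constructed placeholders; a numbered ACL is used because the 12.0S-era form of the command took a numbered list. Packets that fail the strict RPF check on the interface are matched against the ACL: a "permit" forwards them anyway, a "deny" drops them (and the "log" keyword records the drop), so the list should contain exactly the prefixes the customer is known to own and nothing broader.

```cisco
! ---- Provider edge router, customer-facing port (constructed example) ----
!
! ACL of the multihomed customer's prefixes, matched as SOURCE addresses.
! Only packets that already FAILED the reverse-path check reach this list.
access-list 150 permit ip 203.0.113.0 0.0.0.255 any
access-list 150 permit ip 198.51.100.0 0.0.0.255 any
! Anything else that fails RPF is still dropped; "log" leaves an audit trail
! of spoofed or misrouted sources for later investigation.
access-list 150 deny   ip any any log
!
interface Serial1/0
 description Multihomed customer A (constructed)
 ip address 192.0.2.1 255.255.255.252
 ! Strict uRPF with the ACL as the exception list (requires CEF: "ip cef").
 ip verify unicast reverse-path 150
!
! Equivalent form in later IOS releases, where "rx" is strict mode:
!  ip verify unicast source reachable-via rx 150
!
! Checking that it is taking effect:
!  show ip interface Serial1/0     -> shows the verify setting and drop counters
!  show access-lists 150           -> per-entry match counts for the exceptions
```

Because the ACL exempts those sources from the RPF check entirely, it gives no protection against a third party spoofing one of the listed prefixes on that port; as the post notes, a plain inbound ACL permitting only the customer's prefixes gives congruent coverage, and on a single-homed customer port strict uRPF without an exception list remains the simpler choice.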