Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
571
Views
0
Helpful
6
Replies

Help with command on PIX and router.

johnleeee
Level 1
Level 1

‎10-20-2004 12:45 AM - edited ‎02-20-2020 11:41 PM

Id like to know what does do command ip verify reverse-path and what is difference when configured on PIX and router.

And where it is good to use this command?

thanks all in advance

rg

jl

0 Helpful
6 Replies 6

sachinraja
Level 9
Level 9

‎10-20-2004 01:42 AM

Hi .. the command refers to the same concept in both PIX and the router. This is basically used to mitigate problems caused by malformed or spoofed Ip source addresses into a network. When applied on a router/PIX, it can discard packets that lack a verifiable source IP..

Only the packets sourced from inside the LAN are allowed back to the inside network.

Its good to use at the edge of a network, which connects to the local LAN. using it at the core will create problems, if unsymmetrical routing happens...

Go through the following URL for details about RPF;

http://www.cisco.com/en/US/tech/tk583/tk385/technologies_white_paper09186a0080174a5b.shtml

0 Helpful

johnleeee
Level 1
Level 1
In response to sachinraja

‎10-20-2004 04:17 AM

So does it mean that whan I have on inside eth. interface and on outside fasteth. interface, for.example on router and I configure on inside int. ip verify unicast reverse-path command I will check trough this command source ip address when communication starts from my LAN and in opposite communication from internet it function like with CBAC access-list.

So result will be that I dont need to use any inside or outside access-list on my inside interface.

rg

jl

0 Helpful

scoclayton
Level 7
Level 7
In response to johnleeee

‎10-20-2004 10:50 AM

All the "ip unicast reverse-path" command (and the corresponding command on the PIX) is doing, is referencing the route table and making sure that source address matches the interface where the route table says the packet should have been coming from. Or, in other words, the command denies packets on the inside interface source from address that belong on the outside interface (and vice-versa).

Does this help at all?

Scott

0 Helpful

johnleeee
Level 1
Level 1
In response to scoclayton

‎10-20-2004 11:05 PM

Scott thanks for advice,

I have only one question about ip unicast reverse-path command on PIX. I read that this command must be used with cef command. What about PIX?

rg

jl

0 Helpful

scoclayton
Level 7
Level 7
In response to johnleeee

‎10-21-2004 04:48 AM

CEF switching is only a requirement for IOS. There is no concept of CEF switching in the PIX. On the PIX, all you need to do is enable the command and you should be good to go.

Hope this helps.

Scott

0 Helpful

johnleeee
Level 1
Level 1
In response to scoclayton

‎10-22-2004 12:09 AM

Ok guy, thats enough.

jl

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card