dh1
Beginner

ACL Logging with IP Verify Unicast Reverse Path Forwarding

So I ran into a weird issue this week. I am running a Cisco ASR 1002 and I am trying to set up BGP blackholing by using uRPF. I set it up and it worked great in my test environment, but for some reason, it is not logging or showing acl hits on the acl associated with the ip verify statement. Anyone have any ideas?

 

Here is the interface config -

interface gi x/x/x
 ip access-group internet-rtr-new in
 ip access-group internet-out out
 no ip unreachables
 ip verify unicast reverse-path 100
 ip flow ingress
 load-interval 30
 no negotiation auto
end

ip access-list extended 100
 deny ip any any log

 

1 REPLY
paul driver
VIP Mentor

Hello
You seem to be using the old format of URPF.

ip verify unicast reverse-path <-- old format
ip verify unicast source reachable-via XX <-- new format

Now, to allow packets to be forwarded only if the local router has a valid source address of the incoming packet in its route table, you can permit this in two ways.

1) ip verify unicast source reachable-via any

2) access-list 1 permit any
    ip verify unicast source reachable-via rx 1



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
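
As an added example (not code from either poster or from Cisco), this small Python audit finds both uRPF command forms mentioned in the reply, resolves the ACL each one references, and lists the ACL entries that carry no log keyword. The sample config is constructed from the lines in this thread; interface gi y/y/y and the function names are hypothetical.

```python
# Constructed sample: the interface and ACL from the question, plus a
# hypothetical second interface using option 2 from the reply.
SAMPLE_CONFIG = """\
interface gi x/x/x
 ip access-group internet-rtr-new in
 ip verify unicast reverse-path 100
!
interface gi y/y/y
 ip verify unicast source reachable-via rx 1
!
ip access-list extended 100
 deny ip any any log
!
access-list 1 permit any
"""

def parse_urpf(t):
    """Return (style, mode, acl) for a tokenized uRPF line, else None."""
    if t[:3] != ["ip", "verify", "unicast"]:
        return None
    if t[3:4] == ["reverse-path"]:                      # old format
        style, mode, rest = "legacy", None, t[4:]
    elif t[3:5] == ["source", "reachable-via"] and len(t) > 5:
        style, mode, rest = "current", t[5], t[6:]      # mode is rx or any
    else:
        return None
    # Skip allow-default / allow-self-ping; what remains is the ACL, if any.
    return style, mode, next((x for x in rest if not x.startswith("allow-")), None)

def audit(config):
    acls, findings, iface, acl = {}, [], None, None
    for line in config.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "interface":
            iface, acl = " ".join(t[1:]), None
        elif t[:2] == ["ip", "access-list"] and len(t) >= 4:
            iface, acl = None, t[3]
            acls.setdefault(acl, [])
        elif t[0] == "access-list" and len(t) >= 3:     # one-line numbered ACL
            acls.setdefault(t[1], []).append(t[2:])
        elif acl and ("permit" in t[:2] or "deny" in t[:2]):
            acls[acl].append(t)
        elif iface and (u := parse_urpf(t)):
            findings.append({"interface": iface, "style": u[0], "mode": u[1], "acl": u[2]})
    for f in findings:                                  # ACLs may follow the interface
        f["acl_defined"] = f["acl"] in acls
        f["unlogged"] = [" ".join(e) for e in acls.get(f["acl"]) or []
                         if not {"log", "log-input"} & set(e)]
    return findings
```

Calling `audit()` on a saved running-config returns one record per uRPF statement; a `legacy` style or a non-empty `unlogged` list marks the lines to revisit.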