ACL Logging with IP Verify Unicast Reverse Path Forwarding

dh1
Level 1

So I ran into a weird issue this week. I am running a Cisco ASR 1002 and I am trying to set up BGP blackholing by using uRPF. I set it up and it worked great in my test environment, but for some reason, it is not logging or showing acl hits on the acl associated with the ip verify statement. Anyone have any ideas?


Here is the interface config -

interface gi x/x/x
 ip access-group internet-rtr-new in
 ip access-group internet-out out
 no ip unreachables
 ip verify unicast reverse-path 100
 ip flow ingress
 load-interval 30
 no negotiation auto
end

ip access-list extended 100
 deny ip any any log



Hello
You seem to be using the old format of URPF.

ip verify unicast source reachable-via XX  <-- new format

Now, to allow packets to be forwarded only if the local router has a valid source address for the incoming packet in its route table, you can permit this in two ways.

1) ip verify unicast source reachable-via any

2) access-list 1 permit any
    ip verify unicast source reachable-via rx 1


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
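As an added illustration that is not part of this thread, here is a small Python model of how a uRPF check with an ACL exemption decides a packet's fate, covering both the strict form used in the question (`reverse-path` / `reachable-via rx`) and the loose form Paul mentions (`reachable-via any`): the ACL, and therefore its hit counters and log entries, is only consulted for packets that fail the reverse-path check. The routing table, interface names and addresses are constructed values.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed routing table (not from the thread): prefix -> next-hop interface.
ROUTES = {
    ipaddress.ip_network("10.0.0.0/8"): "Gi0/0/0",
    ipaddress.ip_network("192.0.2.0/24"): "Gi0/0/1",
    ipaddress.ip_network("198.51.100.0/24"): "Null0",  # RTBH blackhole route
}

# The thread's exemption ACL 100, "deny ip any any log": (action, match, log?)
ACL_100 = [("deny", "any", True)]

@dataclass
class Counters:
    acl_hits: int = 0           # what "show ip access-lists 100" would count
    log_lines: list = field(default_factory=list)

def lookup(src):
    """Longest-prefix match; returns (network, interface) or None."""
    best = None
    for net, iface in ROUTES.items():
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_decision(src, ingress, mode, acl, counters):
    """'forward' or 'drop' for a packet from src arriving on ingress.
    mode 'strict' = 'ip verify unicast reverse-path' / 'reachable-via rx';
    mode 'loose'  = 'reachable-via any'. Routes to Null0 fail both modes.
    The ACL is consulted only when the uRPF check fails."""
    addr = ipaddress.ip_address(src)
    route = lookup(addr)
    if route is not None and route[1] != "Null0":
        if mode == "loose" or route[1] == ingress:
            return "forward"      # passed uRPF: ACL never evaluated, no hit
    for action, match, log in acl:  # uRPF failed: the ACL decides
        if match == "any" or addr in ipaddress.ip_network(match):
            counters.acl_hits += 1
            if log:  # simplified stand-in for the IOS ACL log message
                counters.log_lines.append(f"list 100 {action} {src} on {ingress}")
            return "forward" if action == "permit" else "drop"
    return "drop"                 # implicit deny at the end of the ACL

if __name__ == "__main__":
    c = Counters()
    print(urpf_decision("10.1.1.1", "Gi0/0/0", "strict", ACL_100, c), c.acl_hits)
    print(urpf_decision("10.1.1.1", "Gi0/0/1", "strict", ACL_100, c), c.acl_hits)
    print(urpf_decision("198.51.100.5", "Gi0/0/1", "loose", ACL_100, c), c.log_lines)
```

Swapping in a `permit any` ACL shows the other half of the behaviour: a packet that fails uRPF is then forwarded, but it still increments the ACL counter and still logs.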