Specifications
IP Switching Commands
ip verify unicast source reachable-via
ISW-71
Cisco IOS IP Switching Command Reference
May 2008
allow-self-ping phys-if <ACL-number>
l2-src phys-if <ACL-number>
allow-default allow-self-ping l2-src phys-if
allow-default allow-self-ping l2-src <ACL-number>
allow-default allow-self-ping phys-if <ACL-number>
allow-default l2-src phys-if <ACL-number>
allow-self-ping l2-src phys-if <ACL-number>
allow-default allow-self-ping l2-src phys-if <ACL-number>
Examples
Single-homed ISP Connection with Unicast RPF
The following example uses a very simple single-homed ISP connection to demonstrate the concept of
Unicast RPF. In this example, an ISP peering router is connected via a single serial interface to one
upstream ISP. Hence, traffic flows into and out of the ISP will be symmetric. Because traffic flows will
be symmetric, a Unicast RPF strict-mode deployment can be configured.
ip cef
! or "ip cef distributed" for Route Switch Processor+Versatile Interface Processor (RSP+VIP)-based routers.
!
interface Serial5/0/0
description - link to upstream ISP (single-homed)
ip address 192.168.200.225 255.255.255.252
no ip redirects
no ip directed-broadcasts
no ip proxy-arp
! strict mode (rx): the best route back to the source must leave via this interface
ip verify unicast source reachable-via rx
ACLs and Logging with Unicast RPF
The following example demonstrates the use of ACLs and logging with Unicast RPF. In this example,
extended ACL 197 provides entries that deny or permit network traffic for specific address ranges.
Unicast RPF is configured on interface Ethernet 0 to check packets arriving at that interface.
For example, packets with a source address of 192.168.201.10 arriving at interface Ethernet 0 are
dropped because of the deny statement in ACL 197. In this case, the ACL information is logged (the
logging option is turned on for the ACL entry) and dropped packets are counted per-interface and
globally. Packets with a source address of 192.168.201.100 arriving at interface Ethernet 0 are forwarded
because of the permit statement in ACL 197. ACL information about dropped or suppressed packets is
logged to the log server because the logging option is turned on for each ACL entry.
ip cef distributed
!
int eth0/1/1
ip address 192.168.200.1 255.255.255.0
! strict-mode uRPF; a packet that fails the check is then evaluated against ACL 197:
! permit forwards it, deny (or the implicit deny) drops it, log-input logs the match
ip verify unicast source reachable-via rx 197
!
int eth0/1/2
ip address 192.168.201.1 255.255.255.0
!
! per-subnet exceptions for 192.168.201.0/24 (each /26 either denied or permitted)
access-list 197 deny ip 192.168.201.0 0.0.0.63 any log-input
access-list 197 permit ip 192.168.201.64 0.0.0.63 any log-input
access-list 197 deny ip 192.168.201.128 0.0.0.63 any log-input
access-list 197 permit ip 192.168.201.192 0.0.0.63 any log-input
! unroutable source addresses: unspecified, loopback (127.0.0.0/8) and RFC 1918 ranges
access-list 197 deny ip host 0.0.0.0 any log-input
access-list 197 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 197 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 197 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 197 deny ip 192.168.0.0 0.0.255.255 any log-input
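The following Python model of the strict-mode check with ACL fallback is an added illustration, not Cisco's code: it walks the two-interface router from the example above with a constructed FIB (the default route is assumed to point at eth0/1/1, the upstream link) and ACL 197 transcribed to prefix notation (loopback entry as 127.0.0.0/8), and shows why 192.168.201.10 is dropped and 192.168.201.100 is forwarded on eth0/1/1, how allow-default changes the verdict for a source known only via the default route, and where the per-interface and global drop counters and log entries come from.

```python
import ipaddress

# Constructed FIB for the two-interface router in the example above
# (prefix -> egress interface); the default route is assumed to point upstream.
FIB = {
    ipaddress.ip_network("192.168.200.0/24"): "eth0/1/1",
    ipaddress.ip_network("192.168.201.0/24"): "eth0/1/2",
    ipaddress.ip_network("0.0.0.0/0"): "eth0/1/1",
}

# ACL 197 from the page, wildcard masks converted to prefix lengths, in order;
# every entry carries log-input, and an implicit deny follows the last line.
ACL_197 = [
    ("deny", "192.168.201.0/26"), ("permit", "192.168.201.64/26"),
    ("deny", "192.168.201.128/26"), ("permit", "192.168.201.192/26"),
    ("deny", "0.0.0.0/32"), ("deny", "127.0.0.0/8"), ("deny", "10.0.0.0/8"),
    ("deny", "172.16.0.0/12"), ("deny", "192.168.0.0/16"),
]

DROPS = {"global": 0}   # global and per-interface uRPF drop counters
ACL_LOG = []            # what the log-input keyword would send to syslog


def best_route(src):
    """Longest-prefix match for src in the FIB; None if nothing matches."""
    cands = [n for n in FIB if src in n]
    return max(cands, key=lambda n: n.prefixlen) if cands else None


def urpf_strict(ingress, src, allow_default=False):
    """Strict-mode uRPF with ACL fallback: returns ('forward'|'drop', reason)."""
    s = ipaddress.ip_address(src)
    route = best_route(s)
    # Strict mode: the best route back to the source must leave via the
    # ingress interface. The default route only counts with allow-default.
    if route is not None and (route.prefixlen > 0 or allow_default) \
            and FIB[route] == ingress:
        return "forward", f"rpf ok via {route}"
    verdict, reason = "drop", "rpf fail, acl implicit deny"
    for action, net in ACL_197:          # first matching entry decides
        if s in ipaddress.ip_network(net):
            verdict = "forward" if action == "permit" else "drop"
            reason = f"rpf fail, acl {action} {net}"
            ACL_LOG.append(f"list 197 {action} ip {src} ({ingress})")
            break
    if verdict == "drop":                # counted per interface and globally
        DROPS["global"] += 1
        DROPS[ingress] = DROPS.get(ingress, 0) + 1
    return verdict, reason
```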