
uRPF violation logging not working on 12.4T

One of the scenarios I'm discussing in the DMVPN: Advanced and Crazy Scenarios webinar is a redundant DMVPN network with two ISPs. It's not a particularly complex setup ... unless the ISPs decide to deploy anti-spoofing filters (more precisely: unicast RPF checks in strict mode, which drop a packet whose source address is not routed back through the interface it arrived on), in which case it becomes crucially important which outbound interface you use for your DMVPN tunnel: a tunnel sourced from the address one ISP gave you but sent over the other ISP's link fails that ISP's check.

Anyhow, I was trying to make the whole thing work in a lab and it was repeatedly failing, so I decided to log uRPF violations. According to the documentation, it’s a piece of cake:

  • Define an ACL that denies and logs packets
  • Use that ACL as the optional last parameter of the ip verify unicast source reachable-via interface configuration command; the ACL is consulted only for packets that fail the uRPF check.

Sounds simple. I’ve used these configuration commands ...

interface Serial2/3
 description Link to R2
 ip address
 ip verify unicast source reachable-via rx 199
 encapsulation ppp
 no peer neighbor-route
access-list 199 deny   ip any any log
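To make the behaviour of that configuration concrete, here is a small model of what IOS does with the ACL on a uRPF failure (strict mode must find the route to the source pointing back out the ingress interface, loose mode accepts any route, and a packet that fails is handed to the ACL: permit forwards it anyway, deny drops it, log emits the syslog line). This is an added illustration written for this post, not IOS code or anything from the DMVPN webinar; the router, the interface names, the 198.51.100.0/30 customer prefix from "ISP-B", the 203.0.113.2 address from "ISP-A" and the 192.0.2.10 destination are all constructed, and the ACL model only handles the "any any" match the post uses.

```python
"""Model of IOS strict/loose uRPF with an exception ACL (added example, not IOS code).

Constructed scenario: ISP-B's edge router has the customer prefix 198.51.100.0/30
on Serial2/3 and a default route toward its upstream. The customer also holds
203.0.113.2 from ISP-A. All addresses and interface names are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

LOG_VERB = {"deny": "denied", "permit": "permitted"}   # wording IOS uses in %SEC-6-IPACCESSLOGP


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "udp"
    sport: int = 500
    dport: int = 500


@dataclass
class UrpfInterface:
    """One interface configured with 'ip verify unicast source reachable-via <mode> [acl]'."""
    name: str
    mode: str = "rx"                            # "rx" = strict, "any" = loose
    acl: list = field(default_factory=list)     # (action, log) entries, "any any" match assumed
    acl_number: int = 199


class Router:
    def __init__(self, routes):
        self.routes = routes
        self.syslog = []
        self.urpf_drops = 0

    def lookup(self, addr):
        """Longest-prefix match on the routing table; None when there is no route."""
        ip = ipaddress.ip_address(addr)
        matches = [r for r in self.routes if ip in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def urpf_passes(self, src, ingress):
        route = self.lookup(src)
        if route is None:
            return False                        # no route to the source at all
        if ingress.mode == "any":
            return True                         # loose mode: any route is good enough
        return route.interface == ingress.name  # strict mode: route must point back out ingress

    def receive(self, pkt, ingress):
        """Return 'forward' or 'drop'; the ACL is evaluated only when uRPF fails."""
        if self.urpf_passes(pkt.src, ingress):
            return "forward"
        for action, log in ingress.acl:
            if log:
                self.syslog.append(
                    f"%SEC-6-IPACCESSLOGP: list {ingress.acl_number} {LOG_VERB[action]} "
                    f"{pkt.proto} {pkt.src}({pkt.sport}) -> {pkt.dst}({pkt.dport}), 1 packet")
            if action == "permit":
                return "forward"                # a permit entry overrides the uRPF failure
            self.urpf_drops += 1
            return "drop"
        self.urpf_drops += 1                    # no ACL configured: silent drop, counter only
        return "drop"


def isp_b_demo():
    """Run a DMVPN tunnel packet through ISP-B's customer-facing interface."""
    isp_b = Router([
        Route(ipaddress.ip_network("198.51.100.0/30"), "Serial2/3"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet0/0"),
    ])
    strict = UrpfInterface("Serial2/3", "rx", acl=[("deny", True)])   # access-list 199 deny ip any any log
    loose = UrpfInterface("Serial2/3", "any", acl=[("deny", True)])
    from_isp_a_address = Packet(src="203.0.113.2", dst="192.0.2.10")  # wrong source for this link
    from_isp_b_address = Packet(src="198.51.100.2", dst="192.0.2.10") # address assigned on this link
    return {
        "strict_wrong_source": isp_b.receive(from_isp_a_address, strict),
        "strict_right_source": isp_b.receive(from_isp_b_address, strict),
        "loose_wrong_source": isp_b.receive(from_isp_a_address, loose),
        "syslog": isp_b.syslog,
        "drops": isp_b.urpf_drops,
    }


if __name__ == "__main__":
    for key, value in isp_b_demo().items():
        print(f"{key}: {value}")
```

The strict check fails only for the tunnel sourced from the ISP-A address, which is exactly the packet the deny/log ACL reports; the same packet sails through a loose-mode check because the default route counts as "a route to the source", which is why loose uRPF does not save you from picking the wrong tunnel source interface, it simply does not notice.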

... and it worked like a charm in 15.0(1)M: my Internet router generated lots of syslog messages similar to these:

%SEC-6-IPACCESSLOGP: list 199 denied udp ->
%SEC-6-IPACCESSLOGP: list 199 denied udp ->

12.4T? It accepts the ACL parameter and remains mum. Great inter-release consistency ;)

