ip verify unicast reverse-path

Answered Question
Sep 15th, 2008

Some time ago I posted a question here regarding "ip verify unicast reverse-path". I have come to find that this command will not work on gig single mode fiber ports (WS-X6748-SFP).

The command works fine on the 100FX cards (WS-X6324-100FX-MM).

Is there a way to enable reverse path verification on the WS-X6748-SFP line cards?

Edit: Cat 6509 - 12.2(14r)S9

Jason Fraioli Mon, 09/15/2008 - 08:02

CORE-6509(config-if)#ip verify ?
  source  source address

CORE-6509#sh mls cef ip rpf
RPF global mode: not enabled

I am searching for the configuration guide for a Sup720 for cef rpf. I think that's where my hangup is.

Edison Ortiz Mon, 09/15/2008 - 09:30

Make sure the interface is in routed mode

no switchport

Please post the output from typing

show ver | i IOS

Here is mine and it works:

sh ver | i IOS
IOS (tm) s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)SXF8, RELEASE SOFTWARE (fc2)

sh mls cef ip rpf
RPF global mode: not enabled

HTH,

__

Edison.

Edison Ortiz Mon, 09/15/2008 - 07:57

I just found a 6509 with 6748

show mod 9
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  9    48 CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAD080707HU

rack3-6509(config-if)#int g9/1
rack3-6509(config-if)#ip verify ?
  unicast  Enable per packet validation for unicast

rack3-6509(config-if)#ip verify un
rack3-6509(config-if)#ip verify unicast ?
  reverse-path  Reverse path validation of source address (old command format)
  source        Validation of source address

rack3-6509(config-if)#ip verify unicast re
rack3-6509(config-if)#ip verify unicast reverse-path ?
  <1-199>          IP access list (standard or extended)
  <1300-2699>      IP expanded access list (standard or extended)
  allow-self-ping  Allow router to ping itself (opens vulnerability in
                   verification)

rack3-6509(config-if)#ip verify unicast reverse-path alo
rack3-6509(config-if)#ip verify unicast reverse-path
Warning: Deprecated Command.
Changed to "ip verify unicast source reachable-via rx allow-default".
rack3-6509(config-if)#do show run int g9/1
Building configuration...

Current configuration : 166 bytes
!
interface GigabitEthernet9/1
 ip verify unicast source reachable-via rx allow-default

HTH,

__

Edison.

Please rate helpful posts

Jason Fraioli Mon, 09/15/2008 - 10:05

Well now, why will the command work on a non-routed port on the 100FX ports, but not on the gig ports?

It is OK to use this command on a VLAN interface, correct?

Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH2, RELEASE SOFTWARE (fc1)

Correct Answer
Edison Ortiz Mon, 09/15/2008 - 10:31

It's not supposed to work on non-routed ports as it is not running Layer 3 services.

IP RPF relies on Layer 3, so the behavior exhibited in the 6748 is the correct one.

As for configuring IP RPF under SVI, yes, it can be done.

HTH,

__

Edison.

Please rate helpful posts
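
Following the answer above (uRPF needs a Layer 3 interface, so Layer 2 ports are only covered through their SVI), this added example, which is not part of the original thread, audits a running-config for that coverage. The config excerpt is constructed, the function names are hypothetical, and it assumes the Catalyst 6500 convention that Layer 2 ports show a `switchport` line; both the deprecated `reverse-path` form and the `source reachable-via` form count as uRPF.

```python
# Constructed running-config excerpt (not from the thread). Assumes the
# Catalyst 6500 convention that Layer 2 ports carry a "switchport" line.
SAMPLE_CONFIG = """\
interface GigabitEthernet9/1
 ip verify unicast source reachable-via rx allow-default
!
interface GigabitEthernet9/2
 switchport
 switchport access vlan 100
!
interface GigabitEthernet9/3
 switchport
 switchport access vlan 200
!
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
interface Vlan200
 ip address 198.51.100.1 255.255.255.0
"""

def parse_interfaces(config):
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the block
    return interfaces

def has_urpf(cmds):
    return any(c.startswith("ip verify unicast") for c in cmds)

def urpf_coverage(config):
    ifs, report = parse_interfaces(config), {}
    for name, cmds in ifs.items():
        if "switchport mode trunk" in cmds:
            report[name] = "L2 trunk: check the SVI of each allowed VLAN"
        elif any(c.startswith("switchport") for c in cmds):  # L2: judged by its SVI
            vlans = [c.split()[-1] for c in cmds if c.startswith("switchport access vlan ")]
            svi = "Vlan" + (vlans[0] if vlans else "1")  # access VLAN defaults to 1
            state = "urpf" if has_urpf(ifs.get(svi, [])) else "no-urpf"
            report[name] = f"L2 access: {state} via {svi}"
        else:  # routed port or SVI
            report[name] = "urpf" if has_urpf(cmds) else "no-urpf"
    return report
```

Calling `urpf_coverage()` on the text of `show running-config` returns one status string per interface.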
