ip verify unicast reverse-path

Answered Question
Sep 15th, 2008

Some time ago I posted a question here regarding "ip verify unicast reverse-path". I have come to find that this command will not work on gig single mode fiber ports (WS-X6748-SFP).


The command works fine on the 100FX cards (WS-X6324-100FX-MM).


Is there a way to enable reverse path verification on the WS-X6748-SFP line cards?


Edit: Cat 6509 - 12.2(14r)S9

Jason Fraioli Mon, 09/15/2008 - 08:02

CORE-6509(config-if)#ip verify ?
  source  source address

CORE-6509#sh mls cef ip rpf
RPF global mode: not enabled


I am searching for the configuration guide for a Sup720 for cef rpf. I think that's where my hangup is.

Edison Ortiz Mon, 09/15/2008 - 09:30

Make sure the interface is in routed mode:

no switchport

Please post the output from typing

show ver | i IOS

Here is mine and it works:

sh ver | i IOS
IOS (tm) s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)SXF8, RELEASE SOFTWARE (fc2)

sh mls cef ip rpf
RPF global mode: not enabled



HTH,


__


Edison.

Edison Ortiz Mon, 09/15/2008 - 07:57

I just found a 6509 with 6748

show mod 9
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  9    48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX     SAD080707HU

rack3-6509(config-if)#int g9/1
rack3-6509(config-if)#ip verify ?
  unicast  Enable per packet validation for unicast

rack3-6509(config-if)#ip verify un
rack3-6509(config-if)#ip verify unicast ?
  reverse-path  Reverse path validation of source address (old command format)
  source        Validation of source address

rack3-6509(config-if)#ip verify unicast re
rack3-6509(config-if)#ip verify unicast reverse-path ?
  <1-199>          IP access list (standard or extended)
  <1300-2699>      IP expanded access list (standard or extended)
  allow-self-ping  Allow router to ping itself (opens vulnerability in
                   verification)

rack3-6509(config-if)#ip verify unicast reverse-path alo
rack3-6509(config-if)#ip verify unicast reverse-path
Warning: Deprecated Command.
Changed to "ip verify unicast source reachable-via rx allow-default".
rack3-6509(config-if)#do show run int g9/1
Building configuration...

Current configuration : 166 bytes
!
interface GigabitEthernet9/1
 ip verify unicast source reachable-via rx allow-default

HTH,


__


Edison.


Please rate helpful posts


Jason Fraioli Mon, 09/15/2008 - 10:05

Well, now why will the command work on a non-routed port on the 100FX ports, but not on the gig ports?

It is OK to use this command on a VLAN interface, correct?


Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH2, RELEASE SOFTWARE (fc1)

Correct Answer
Edison Ortiz Mon, 09/15/2008 - 10:31

It's not supposed to work on non-routed ports as it is not running Layer3 services.


IP RPF relies on Layer3 so the behavior exhibited in the 6748 is the correct one.


As for configuring IP RPF under SVI, Yes - it can be done.


HTH,


__


Edison.


Please rate helpful posts
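An added example, not part of the original thread and not Cisco tooling: a Python check over a saved or candidate configuration that applies the point from the answer above (unicast RPF belongs only on Layer 3 interfaces, meaning routed ports and SVIs) and flags the deprecated `reverse-path` form seen in the session output earlier in the thread. The sample config, the status labels and the function names are constructed for illustration, and the check assumes Layer 2 ports carry a `switchport` line while routed ports and SVIs do not.

```python
# Constructed sample config (not from the thread). Assumption: Layer 2 ports
# carry a "switchport" line; routed ports and SVIs do not.
SAMPLE_CONFIG = """\
interface GigabitEthernet9/1
 ip address 192.0.2.1 255.255.255.252
 ip verify unicast source reachable-via rx allow-default
!
interface GigabitEthernet9/2
 switchport
 ip verify unicast reverse-path
!
interface GigabitEthernet9/3
 no switchport
 ip address 192.0.2.5 255.255.255.252
 ip verify unicast reverse-path
!
interface Vlan20
 ip address 198.51.100.1 255.255.255.0
!
"""

def parse_interfaces(config):
    """Map interface name -> list of its sub-commands (IOS-style text)."""
    blocks, name = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            name = raw.split()[1]
            blocks[name] = []
        elif raw.startswith(" ") and name:
            blocks[name].append(raw.strip())
        else:
            name = None  # "!" or a global command closes the block
    return blocks

def audit_urpf(config):
    """Classify each interface by whether uRPF applies and how it is set."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        layer2 = any(c.startswith("switchport") for c in cmds)
        urpf = [c for c in cmds if c.startswith("ip verify unicast")]
        if layer2:
            report[name] = "urpf-on-layer2-port" if urpf else "layer2"
        elif not urpf:
            report[name] = "routed-missing-urpf"
        elif any(c.startswith("ip verify unicast reverse-path") for c in urpf):
            report[name] = "routed-urpf-deprecated-syntax"
        else:
            report[name] = "routed-urpf-ok"
    return report
```

Calling `audit_urpf(SAMPLE_CONFIG)` returns one status per interface; every non-switchport interface without an `ip verify unicast` line is reported as `routed-missing-urpf`, including ports that have no IP address configured.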

