SYN spoofing

% ip verify unicast reverse-path
%
% and according to Paul Ferguson (co-author of RFC 2267) it's in use by
% many ISPs. Apparently this is very low overhead. Paul has also indicated
% the use of extended access lists on Cisco routers is very low overhead,
% especially on routers using distributed express forwarding.

  while i hate to question mr. ferguson, it's my understanding
  that many isps have found this feature to be unusable due to
  network design.

You can't use this in the core, but you can use it on CPE-facing
interfaces.

  eg: the interface that faces your dial lan, or colocate lan,
etc.. and on single ckt connections.

  You get into some cases where you have a customer that is doing
more complicated things than just pointing default at you...

  (ie: they're multihomed, or have various netblocks, and
do not announce them all to you or do policy routing inside their network).

  What problems are you seeing, as I've not had problems with
this deployed in my network. I know that there have been ECM bugs
in the past (equal cost multipath), and it not doing the rpf check
correctly, but those problems should not affect most of the customers
in the world.

  - jared
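Jared's point that strict uRPF fits CPE-facing interfaces but breaks for a multihomed customer who does not announce all of their netblocks can be seen by simulating the check against a small FIB. This is an added Python example, not code from the thread or from Cisco IOS; the FIB entries, interface names and sample packets are constructed for illustration.

```python
import ipaddress

# Constructed FIB for a hypothetical edge router: (prefix, egress interface).
# 203.0.113.0/24 also belongs to the multihomed customer on Serial2/0, but
# they never announced it to us, so it is reachable only via the default.
FIB = [
    ("0.0.0.0/0", "Serial1/0"),        # default toward the upstream/core
    ("192.0.2.0/24", "Ethernet0/0"),   # single-homed customer LAN
    ("198.51.100.0/24", "Serial2/0"),  # multihomed customer, announced prefix
]

def lookup(fib, addr):
    """Longest-prefix match for addr; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_strict(fib, src, ingress):
    """Strict uRPF: pass only if the route back to src exits via ingress."""
    return lookup(fib, src) == ingress

def check_packets(fib, packets):
    """Apply the check to (src, ingress) pairs; returns (src, ingress, verdict)."""
    return [(s, i, "pass" if urpf_strict(fib, s, i) else "drop")
            for s, i in packets]

# Constructed sample packets: (source address, ingress interface).
PACKETS = [
    ("192.0.2.10", "Ethernet0/0"),    # legitimate single-homed customer
    ("198.51.100.7", "Ethernet0/0"),  # spoofed source, correctly dropped
    ("198.51.100.7", "Serial2/0"),    # legitimate multihomed customer
    ("203.0.113.9", "Serial2/0"),     # legitimate, but unannounced: false drop
    ("192.0.2.10", "Serial1/0"),      # our customer's address arriving from upstream
]

if __name__ == "__main__":
    for src, ingress, verdict in check_packets(FIB, PACKETS):
        print(f"{src:>14} on {ingress:<11} -> {verdict}")
```

The fourth packet is the case Jared describes: legitimate traffic that strict uRPF drops because the customer's return path, as this router sees it, is not the link the traffic arrived on.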

I just took out a 7206 by applying ip verify unicast reverse-path to a T3
link on a PA2T3 and attempting to spoof packets from the POP on the other
end of that T3.

The 7206 is running c7200-inu-mz.111-25.CC. Fortunately, it rebooted
after it crashed.

System restarted by bus error at PC 0x605F88CC, address 0x10024 at
20:29:49 UTC Wed Jul 28 1999

This router had been up over 8 weeks without a crash (ever since Cisco
replaced the previous 7206 in this POP that was either possessed or a
lemon). The memory is Cisco memory. All the parts came directly from
Cisco.

Is this known to be unstable in 111-25.CC? Is it known to be stable in
some other release that supports the PAT3, PA2T3, and PA-MCT3?

----don't waste your cpu, crack rc5...www.distributed.net team enzo---
Jon Lewis *jlewis@lewis.org*| Spammers will be winnuked or
System Administrator | nestea'd...whatever it takes
Atlantic Net | to get the job done.
_________http://www.lewis.org/~jlewis/pgp for PGP public key__________

jlewis@lewis.org wrote:

>
> % ip verify unicast reverse-path
> %
> % and according to Paul Ferguson (co-author of RFC 2267) it's in use by
> % many ISPs. Apparently this is very low overhead. Paul has also indicated
> % the use of extended access lists on Cisco routers is very low overhead,
> % especially on routers using distributed express forwarding.
>
> while i hate to question mr. ferguson, it's my understanding
> that many isps have found this feature to be unusable due to
> network design.

> I just took out a 7206 by applying ip verify unicast reverse-path to a T3
> link on a PA2T3 and attempting to spoof packets from the POP on the other
> end of that T3.
>
> The 7206 is running c7200-inu-mz.111-25.CC. Fortunately, it rebooted
> after it crashed.
>
> System restarted by bus error at PC 0x605F88CC, address 0x10024 at
> 20:29:49 UTC Wed Jul 28 1999
>
> This router had been up over 8 weeks without a crash (ever since Cisco
> replaced the previous 7206 in this POP that was either possessed or a
> lemon). The memory is Cisco memory. All the parts came directly from
> Cisco.
>
> Is this known to be unstable in 111-25.CC? Is it known to be stable in
> some other release that supports the PAT3, PA2T3, and PA-MCT3?

In a note off-list, Jack Crowder said:

"Actually there was a bug in 11.1.26CC. Supposedly, 11.1.27CC has the
fix incorporated."

I suspect the version of IOS (.25) you're trying to use has whatever bug
is referenced as being in .26.

I guess it's time to upgrade again then.

----don't waste your cpu, crack rc5...www.distributed.net team enzo---
Jon Lewis *jlewis@lewis.org*| Spammers will be winnuked or
System Administrator | nestea'd...whatever it takes
Atlantic Net | to get the job done.
_________http://www.lewis.org/~jlewis/pgp for PGP public key__________

See:

CSCdm34439 - "configuring ip verify unicast return-path causes crash."
Found in 11.1(25)CC, fixed in 11.1(26.1)CC.

Release-note is

Actually, Cisco's Bug By ID search shows that CSCdm34439 is fixed in
11.1(27)CC 11.1(27)CT. When I go to download software, the latest I can
find is c7200-inu-mz.111-26.CC1.bin.

I just ran into what appears to be another bug in 111-25.CC, which seems
to have caused the 7206 to start dropping most UDP traffic (i.e. all
radius packets crossing through it)...so I'd like to upgrade asap.

----don't waste your cpu, crack rc5...www.distributed.net team enzo---
Jon Lewis *jlewis@lewis.org*| Spammers will be winnuked or
System Administrator | nestea'd...whatever it takes
Atlantic Net | to get the job done.
_________http://www.lewis.org/~jlewis/pgp for PGP public key__________