[c-nsp] ip load-sharing per-packet and RPF

Marr, Joe jmarr at brodart.com
Tue Oct 12 18:52:36 EDT 2004


Hmmmm

Hadn't thought about blocking incoming traffic with a source in my IP range.
In this case it makes more sense.

Joe Marr
-----Original Message-----
From: Gert Doering [mailto:gert at greenie.muc.de] 
Sent: Tuesday, October 12, 2004 4:57 PM
To: Marr, Joe
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ip load-sharing per-packet and RPF

hi,

On Tue, Oct 12, 2004 at 10:32:37AM -0400, Marr, Joe wrote:
> Is it possible to run "ip load-sharing per-packet" and "ip verify
> unicast reverse-path" on the same interfaces?

Yes (done that on 128 kbit ISDN lines towards customers - BRIx/y:1 and
BRIx/y:2).

> I have 2 T1s that are load-balanced with my provider using "ip
> load-sharing per-packet". When I set "ip verify unicast reverse-path" I
> begin to lose every other packet. I had thought Unicast RPF was
> compatible with CEF's per-packet and per-destination load sharing.

I've never done it on links towards "the Internet".  This might cause
problems if both links are not configured fully identically (like
"BGP to two different provider POPs, and non-symmetric routing").

For static routing (two static default routes, nothing else) it *should*
work.

I don't see the major gain here, though.  In that scenario, anti-spoofing
ACL rules are fairly easy to set up, and with dual T1s, even lower-end
routers can do the ACLing in line speed.

gert


-- 
USENET is *not* the non-clickable part of WWW!
 
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de
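
The anti-spoofing ACL alternative discussed in this thread, as an added example that is not configuration from either poster. Assumptions: 192.0.2.0/24 is a documentation placeholder for the site's own prefix, the two T1s are Serial0/0 and Serial0/1, and the ACL name is chosen here.

```cisco
! Constructed example: 192.0.2.0/24 stands in for the site's own prefix.
! Inbound filter for the provider-facing links: a packet arriving from
! the provider must never carry a source address from our own range.
ip access-list extended ANTISPOOF-IN
 remark Drop inbound packets claiming a source inside our own prefix
 deny   ip 192.0.2.0 0.0.0.255 any
 permit ip any any
!
! Both T1s get the identical filter, so it does not matter which link
! a given packet arrives on under per-packet load sharing.
interface Serial0/0
 ip load-sharing per-packet
 no ip verify unicast reverse-path
 ip access-group ANTISPOOF-IN in
!
interface Serial0/1
 ip load-sharing per-packet
 no ip verify unicast reverse-path
 ip access-group ANTISPOOF-IN in
!
! Check: "show ip access-lists ANTISPOOF-IN" shows a match counter on
! the deny line; it increments when spoofed packets are dropped.
```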
