[nsp] RPF on Catalyst 6k

Rubens Kuhl Jr. rkjnsp at ieg.com.br
Thu Dec 26 20:35:15 EST 2002


----- Original Message -----
| > Because of performance on a wire-speed device, all checkings must be
| > done in parallel. If the CEF table were stored at only one place, it
| > would require 2 lookups to fetch the destination and verify RPF. As far
| > as I know, it's an identical copy.
|
| BTW, is it better to implement anti-spoofing filters using uRPF, or
| using regular ACLs (which end up in the TCAM for ACLs)?  Which one is
| more robust during DoS attacks with randomly spoofed source addresses?

On 6k/7600, most of the scenarios will favor using ACLs; if you have
full-routing, your routing table probably won't have 244k active routes. If
you don't have full-routing, you will not be able to use uRPF to drop
packets from unused blocks.

If you can filter your BGP import to the CEF table so that there is little
possibility of total routes reaching 122k routes, but you still see every
announced IP in the world on the routing table, then uRPF would be a good
thing.


Rubens Kuhl Jr.
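To make the trade-off above concrete, here is a small added model (not code from the thread or from Cisco) of how strict uRPF and an ingress ACL each decide on a packet arriving from the upstream interface. The FIBs, interface names and prefixes are constructed for illustration. The point it shows: with a full table, strict uRPF drops sources from blocks that have no route; with a partial table plus a default route, uRPF must either accept everything the default covers (allow-default) or drop everything it covers, so it cannot single out unused blocks, while an ACL does not depend on the routing table at all.

```python
"""Toy comparison of strict uRPF and an ingress ACL for anti-spoofing.

Constructed example; all prefixes and interface names are invented.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed "full routing" FIB: every legitimately announced block has a
# route, and unused/bogon space (e.g. 10.0.0.0/8) has none.
FULL_TABLE: Dict[str, str] = {
    "192.0.2.0/24": "Vlan10",       # customer 1 (downstream)
    "198.51.100.0/24": "Vlan20",    # customer 2 (downstream)
    "203.0.113.0/24": "Gi1/1",      # rest of the world via upstream
}

# Constructed "partial routing" FIB: customers plus a default route.
PARTIAL_TABLE: Dict[str, str] = {
    "0.0.0.0/0": "Gi1/1",
    "192.0.2.0/24": "Vlan10",
    "198.51.100.0/24": "Vlan20",
}

# Constructed ingress ACL for the upstream interface: deny unused space and
# our own customer blocks (they must never arrive from upstream), permit rest.
INGRESS_ACL: List[Tuple[str, str]] = [
    ("deny", "10.0.0.0/8"),
    ("deny", "192.0.2.0/24"),
    ("deny", "198.51.100.0/24"),
    ("permit", "0.0.0.0/0"),
]


def lookup(fib: Dict[str, str], addr: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match; returns (network, egress interface) or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict_permits(fib: Dict[str, str], src: str, ingress: str,
                        allow_default: bool = False) -> bool:
    """Strict uRPF: permit only if the best route back to src points at the
    interface the packet arrived on. A default route counts only when
    allow_default is set (models the 'allow-default' knob)."""
    match = lookup(fib, src)
    if match is None:
        return False                      # no route back to source: drop
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False                      # matched only the default route
    return iface == ingress


def acl_permits(acl: List[Tuple[str, str]], src: str) -> bool:
    """First-match ACL with an implicit deny at the end."""
    a = ipaddress.ip_address(src)
    for action, prefix in acl:
        if a in ipaddress.ip_network(prefix):
            return action == "permit"
    return False


def compare(src: str, ingress: str = "Gi1/1") -> Dict[str, bool]:
    """Decision of each mechanism for a packet with source src on ingress."""
    return {
        "urpf_full": urpf_strict_permits(FULL_TABLE, src, ingress),
        "urpf_partial": urpf_strict_permits(PARTIAL_TABLE, src, ingress,
                                            allow_default=True),
        "acl": acl_permits(INGRESS_ACL, src),
    }


if __name__ == "__main__":
    for s in ("203.0.113.9", "10.9.9.9", "192.0.2.7"):
        print(s, compare(s))
```

Running it, the legitimate source 203.0.113.9 is permitted by all three; the unused-block source 10.9.9.9 is dropped by uRPF with the full table and by the ACL, but slips through uRPF on the partial table because the default route covers it; and a spoofed customer address 192.0.2.7 arriving from upstream is dropped by all three, since its route points downstream. That is the reasoning behind preferring ACLs when the box cannot hold a full table, and uRPF when it can.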


