[nsp] RPF on Catalyst 6k

Rubens Kuhl Jr. rkjnsp at ieg.com.br
Thu Dec 26 21:18:27 EST 2002


| > BTW, is it better to implement anti-spoofing filters using uRPF, or
| > using regular ACLs (which end up in the TCAM for ACLs)?  Which one is
| > more robust during DoS attacks with randomly spoofed source addresses?
|
| I guess this question depends a bit on *where* you want to place these
| filters, right?
|
| (Currently, we employ ACL's in both inbound-from-customer and
| inbound-from-Internet -- but are planning to switch to uRPF for the
| inbound-from-customer case.)

(1) Inbound-from-statically-routed-customer, or
(2) Inbound-from-bgp-routed-customer-which-owns-a-well-known-CIDR-and-doesn't-provide-transit-for-anyone, or
(3) Inbound-from-bgp-routed-customer-that-provides-transit-for-others ?

(1) and (2) are cases for ACLs; a few TCAM entries seem better than doubling
all the route table (even if you enable RPF on just one interface or logical
circuit).
(3) is very similar to inbound-from-Internet.

Rubens Kuhl Jr.
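A concrete version of case (1), as an added configuration example that is not part of the original post: an ingress ACL on a statically routed customer interface that admits only the customer's own prefix as source, beside the strict-uRPF alternative the post argues against for that case. The interface name, the documentation prefixes 192.0.2.0/24 and 198.51.100.0/30, and the ACL name are assumptions.

```cisco
! Constructed example: customer A is statically routed, 192.0.2.0/24 behind
! GigabitEthernet1/1, CE link address 198.51.100.2, PE link address 198.51.100.1.
ip route 192.0.2.0 255.255.255.0 198.51.100.2
!
! Option A (case 1, as the post recommends): explicit ingress ACL.
! Three TCAM entries; any source outside the customer's prefix or the link
! address is dropped. No "log" keyword: logged ACEs are handled in software.
ip access-list extended CUST-A-ANTISPOOF-IN
 permit ip 192.0.2.0 0.0.0.255 any
 permit ip host 198.51.100.2 any
 deny   ip any any
!
interface GigabitEthernet1/1
 description Customer A (static, ACL-based anti-spoofing)
 ip address 198.51.100.1 255.255.255.252
 ip access-group CUST-A-ANTISPOOF-IN in
!
! Option B: strict uRPF on the same interface instead of the ACL. A packet is
! accepted only if the FIB's best route to its source points back out this
! interface, so the check depends on the full forwarding table in hardware,
! which is the cost the post refers to as doubling the route table.
interface GigabitEthernet1/1
 description Customer A (static, uRPF-based anti-spoofing)
 ip address 198.51.100.1 255.255.255.252
 ip verify unicast source reachable-via rx
```

Apply only one of the two options to a given interface; for the transit-providing case (3) strict uRPF is unsuitable because legitimate sources may have a best path elsewhere, which is why the post groups it with inbound-from-Internet.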