[nsp] RPF on Catalyst 6k
Rubens Kuhl Jr.
rkjnsp at ieg.com.br
Fri Dec 27 01:44:52 EST 2002
| In our case, we filter to prevent packets carrying one of "our" IP
| addresses from entering our local network. We suffer from slight
| fragmentation of our address space, so the appropriate "deny" entries
| would occupy quite a bit of TCAM (in which the inbound ACL facing the
| Internet already occupies a sizable chunk).
Try varying the IOS version; newer versions usually compile ACLs better, but
sometimes they make a big mess... Also, try enabling the ODM algorithm, which seems
to have better corner-case handling.
| | I wish we were already approaching the edge in terms of spoof
| protection, but there's still a *very* long way to go. (I'm already
| happy if there's a L3 device at the edge. Typical university network
| problem, I guess.)
Spoof protection belongs in L7-land and is stateful in its nature (even more
than SLB, which can be done in a stateless fashion). But if the router, which is
stateless with regard to individual connections, can be of any assistance, it is
a good thing.
Rubens Kuhl Jr.
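The quoted poster's problem is that a fragmented address space turns the "deny our own prefixes on the Internet-facing interface" rule into many ACEs, each of which costs TCAM. The script below is an added example, not code from the thread: it takes a constructed list of fragmented prefixes, collapses adjacent ones into the minimal set of CIDR blocks, renders both the raw and the collapsed versions as IOS extended-ACL entries in wildcard-mask form, and checks that collapsing changed the entry count but not the set of addresses denied. The prefixes are documentation ranges chosen for illustration, and the assumption that fewer ACEs means a smaller merged TCAM footprint is the general rule, not something measured on a specific Catalyst 6k.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample of a fragmented allocation of "our" address space.
# These are documentation prefixes (RFC 5737), not anyone's real space.
OUR_PREFIXES = [
    "192.0.2.0/25", "192.0.2.128/25",                           # two halves of a /24
    "198.51.100.0/26", "198.51.100.64/26", "198.51.100.128/25", # three pieces of a /24
    "203.0.113.0/27", "203.0.113.32/27",                        # two pieces of a /26
    "203.0.113.128/26",                                         # isolated /26, cannot merge
]


def to_networks(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse prefixes strictly, so a host bit set in a prefix is an error, not silently masked."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def aggregate(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Collapse adjacent/overlapping prefixes into the minimal CIDR set (sorted by network)."""
    return list(ipaddress.collapse_addresses(to_networks(prefixes)))


def wildcard(net: ipaddress.IPv4Network) -> str:
    """IOS ACL notation: network address followed by the inverse (wildcard) mask."""
    return f"{net.network_address} {net.hostmask}"


def anti_spoof_acl(name: str, prefixes: Iterable[str], collapse: bool = True) -> List[str]:
    """Render an inbound ACL that drops packets whose source claims to be one of our prefixes.

    Intended for the interface facing the Internet; the trailing permit keeps
    everything else flowing. With collapse=True the deny entries are aggregated first.
    """
    nets = aggregate(prefixes) if collapse else to_networks(prefixes)
    lines = [f"ip access-list extended {name}"]
    lines += [f" deny ip {wildcard(n)} any" for n in nets]
    lines.append(" permit ip any any")
    return lines


def deny_count(acl: List[str]) -> int:
    """Number of deny ACEs in a rendered ACL (the part that eats TCAM)."""
    return sum(1 for line in acl if line.strip().startswith("deny "))


def covered_addresses(nets: Iterable[ipaddress.IPv4Network]) -> int:
    """Total number of addresses matched by a set of non-overlapping prefixes."""
    return sum(n.num_addresses for n in nets)


def is_denied(nets: Iterable[ipaddress.IPv4Network], source: str) -> bool:
    """Simulate the ACL against a packet's source address: True if it would be dropped."""
    addr = ipaddress.ip_address(source)
    return any(addr in n for n in nets)


def coverage_unchanged(prefixes: Iterable[str]) -> bool:
    """Sanity check: aggregation must deny exactly the same addresses as the raw list."""
    return covered_addresses(to_networks(prefixes)) == covered_addresses(aggregate(prefixes))


if __name__ == "__main__":
    raw = anti_spoof_acl("FROM-INTERNET", OUR_PREFIXES, collapse=False)
    merged = anti_spoof_acl("FROM-INTERNET", OUR_PREFIXES, collapse=True)
    print("\n".join(raw))
    print()
    print("\n".join(merged))
    print(f"\ndeny entries: {deny_count(raw)} raw -> {deny_count(merged)} aggregated")
    print(f"same address coverage: {coverage_unchanged(OUR_PREFIXES)}")
    print(f"spoofed 192.0.2.77 dropped: {is_denied(aggregate(OUR_PREFIXES), '192.0.2.77')}")
    print(f"foreign 198.51.101.5 dropped: {is_denied(aggregate(OUR_PREFIXES), '198.51.101.5')}")
```

Run it before pasting the output into the router config: the `coverage_unchanged` check is the point, since an aggregation that accidentally widens a deny would black-hole legitimate traffic, and one that narrows it would let spoofed packets through. The renderer only produces the ACL text; applying it with `ip access-group ... in` on the Internet-facing interface is a separate, manual step.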