[nsp] ip verify unicast reverse-path confirmation?
Andrew Fort
afort at choqolat.org
Fri Dec 5 02:26:19 EST 2003
Jared Mauch wrote:
>Here's the scoop:
>
> sup1(a), u-rpf handled in software on the MFSC
> sup2, u-rpf is GLOBAL. You set strict on one interface,
>it sets strict on all interfaces that u-rpf is configured. This
>is quite different from all other cisco platforms. BEWARE. I've
>seen people innocently break things by setting strict on an
>interface and it changes an unrelated interface from loose
>to strict. This was a pain to track down since we were
>looking at tacacs logs and couldn't find it.
>
> I can't remember what the sup3 (720) does off the top of
>my head, I seem to recall asking cisco but not recalling the answer
>I received. Use caution.
>
> - Jared
>
>
It's the same on the Sup720 (mode is global, changing per interface
changes it for all interfaces), however on Sup720 you can use strict
URPF mode matching against a definable group of interfaces (as opposed
to just a single interface). This allows you to handle multihomers in
strict mode. I'm not sure if the Sup2 has that additional flexibility.
-andrew.
More information about the cisco-nsp
mailing list