[nsp] ip verify unicast reverse-path confirmation?

Andrew Fort afort at choqolat.org
Fri Dec 5 02:26:19 EST 2003


Jared Mauch wrote:

>Here's the scoop:
>
>	sup1(a), u-rpf handled in software on the MFSC
>	sup2, u-rpf is GLOBAL.  You set strict on one interface,
>it sets strict on all interfaces that u-rpf is configured.  This
>is quite different from all other cisco platforms.  BEWARE.  I've
>seen people innocently break things by setting strict on an
>interface and it changes an unrelated interface from loose
>to strict.  This was a pain to track down since we were
>looking at tacacs logs and couldn't find it.
>
>	I can't remember what the sup3 (720) does off the top of
>my head, I seem to recall asking cisco but not recalling the answer
>I received.  Use caution.
>
>	- Jared
>  
>

It's the same on the Sup720 (mode is global, changing per interface 
changes it for all interfaces), however on Sup720 you can use strict 
URPF mode matching against a definable group of interfaces (as opposed 
to just a single interface).  This allows you to handle multihomers in 
strict mode.  I'm not sure if the Sup2 has that additional flexibility.

-andrew.




More information about the cisco-nsp mailing list