[nsp] cat 4500/Sup IV - no uRPF?
Michael Sinatra
michael at rancid.berkeley.edu
Fri Dec 5 03:24:15 EST 2003
Thomas Kernen wrote:
> Hi Michael,
>
> I answered this one a few weeks ago on the list, but things are still
> the same. I'm running a few Cat 4K's and I can confirm that uRPF doesn't
> exist. What you want to look into is the IP Source Guard and Dynamic ARP
> inspection features. More in depth and granularity than uRPF IMHO.
Okay, I get the dumbass of the week award for not looking back at my
mail spool and finding your earlier message. And like the other person
who asked about uRPF, we use it to enforce dynamic host blocking by
injecting /32s into the routing tables from a central location. Unlike
the other person, we use iBGP instead of OSPF. That way we can specify
a next-hop that gets recursively "bound" to the null0 interface of each
router.
For that reason, the cat 4xxx is not a viable layer-3 device in our shop
until/unless uRPF is available.
Source guard and dynamic ARP inspection (and DHCP snooping, etc.) are
all cool features for a layer-2 device (although it would be nice if
cisco made some effort to unify the feature sets of its catalyst
product lines!!), but for a layer-3 box, uRPF is a must-have for us.
thanks,
michael
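The mechanism described above (a /32 injected into iBGP from a central trigger router, with a next-hop that every router recursively resolves to Null0, so that uRPF drops traffic sourced from that host) as an added IOS configuration example; this is not from the original post, the addresses, tag, AS number and interface names are placeholders, and it assumes a platform that supports uRPF, which this thread says the Cat 4500/Sup IV does not.

```ios
! ---- Trigger router (central location) ----
! Blocking a host is a single static route with a marker tag.
! 10.1.2.3 and tag 66 are placeholder values.
ip route 10.1.2.3 255.255.255.255 Null0 tag 66
!
router bgp 65000
 ! Hand tagged statics to iBGP with the rewritten next-hop below.
 redistribute static route-map BLACKHOLE
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 send-community
!
route-map BLACKHOLE permit 10
 match tag 66
 ! 192.0.2.1 is a next-hop that nobody advertises; each router
 ! resolves it locally to Null0 (see the edge router below).
 set ip next-hop 192.0.2.1
 set local-preference 200
 ! Keep the blackhole route inside the AS.
 set community no-export
 set origin igp
!
! ---- Every edge / layer-3 router ----
! The recursive "binding": the blackhole next-hop resolves to Null0,
! so every /32 learned with that next-hop is also routed to Null0.
ip route 192.0.2.1 255.255.255.255 Null0
!
router bgp 65000
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 send-community
!
interface GigabitEthernet0/1
 description customer-facing edge port
 ip address 198.51.100.1 255.255.255.0
 ! uRPF: a packet whose source route points at Null0 fails the
 ! check and is dropped, which turns a destination-side blackhole
 ! into a source-side block for the injected /32.
 ip verify unicast source reachable-via rx
```

Verification on an edge router: `show ip route 10.1.2.3` should show the BGP route with next-hop 192.0.2.1 resolving to Null0, and `show ip interface GigabitEthernet0/1 | include verification` should report the uRPF drop counter increasing as traffic from the blocked host is discarded; `reachable-via any` (loose mode) is the choice where asymmetric routing makes strict mode unsafe.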