[nsp] Any plans for unicast RPF on Catalyst 4000/SupIII?

Thomas Kernen thomas at kernen.net
Fri Nov 14 12:16:12 EST 2003

> > You want to use port-security with IP Source guard and/or Dynamic
> > Arp Inspection. It's the equiv to uRPF but basically with better
> > granularity (IMHO).
>      I'm not familiar with IP Source guard or Dynamic Arp Inspection.
>      What I especially want to do is to be able to inject a /32 route
>      of an infected host to OSPF and from there to the routing tables.
>      With uRPF the packets coming from the infected host would be
>      dropped when they reach the router. Based on the quick glance to
>      the manuals, IP Source guard isn't a right tool for what I'm
>      trying to do.

In that case I would say it doesn't apply. I was viewing uRPF being used
as a source filter to prevent spoofed packets from a customer. That is
what IP Source Guard does and in our case we build a IP/MAC address
combo and only autorise that pair to send packets into the network.
Saves us a lot of security overhead and works really well.


More information about the cisco-nsp mailing list