[nsp] Any plans for unicast RPF on Catalyst 4000/SupIII?
Thomas Kernen
thomas at kernen.net
Fri Nov 14 12:16:12 EST 2003
>
> > You want to use port-security with IP Source guard and/or Dynamic
> > Arp Inspection. It's the equiv to uRPF but basically with better
> > granularity (IMHO).
>
> I'm not familiar with IP Source guard or Dynamic Arp Inspection.
>
> What I especially want to do is to be able to inject a /32 route
> of an infected host to OSPF and from there to the routing tables.
> With uRPF the packets coming from the infected host would be
> dropped when they reach the router. Based on a quick glance at
> the manuals, IP Source guard isn't the right tool for what I'm
> trying to do.
In that case I would say it doesn't apply. I was viewing uRPF being used
as a source filter to prevent spoofed packets from a customer. That is
what IP Source Guard does and in our case we build an IP/MAC address
combo and only authorise that pair to send packets into the network.
Saves us a lot of security overhead and works really well.
Thomas