[c-nsp] benefit of uRPF with ACL over ACL on interface

Florian Weimer fw at deneb.enyo.de
Wed Sep 8 09:19:35 EDT 2004


* LIM Fung:

> It all depends on what you want to achieve. uRPF when used in loose mode 
> allows for remotely triggered drops/filters in a short timeframe, which 
> is difficult to achieve with ACL.
>
> However, uRPF doesn't allow for filtering granularity (matching 
> protocol/ports) like what xACL allows.

In addition, certain common ACL entries (such as anti-spoofing
filters) don't fit very well into the general ACL structure and thus
require quite a bit of TCAM space.  Using uRPF might reduce TCAM usage
in such a case.  Of course, this is only relevant on very few
platforms.  You often can't use uRPF in strict mode because it can't
cope with the current BGP table size.
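
The loose-mode behaviour discussed in this thread, as an added example that is not part of either post: a small Python model of the uRPF source check, showing how one injected discard route drops a source everywhere loose mode is enabled, and how strict mode rejects asymmetrically routed traffic. The FIB contents, interface names and function names are constructed for illustration, and the model assumes a single best path per prefix and that a source resolving to a discard interface fails the check.

```python
import ipaddress

NULL = "Null0"  # discard interface, as targeted by a black-hole route

# Constructed sample FIB: (prefix, egress interface). Documentation prefixes only.
SAMPLE_FIB = [
    ("192.0.2.0/24", "Gi0/1"),
    ("198.51.100.0/24", "Gi0/2"),
    ("203.0.113.0/24", "Gi0/1"),
]

def lookup(fib, addr):
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_permits(fib, src, ingress, mode):
    """Return True if a packet from src arriving on ingress passes uRPF."""
    iface = lookup(fib, src)
    # No route back to the source, or the route is a discard route: drop.
    if iface is None or iface == NULL:
        return False
    if mode == "loose":
        return True              # any real route to the source is enough
    if mode == "strict":
        return iface == ingress  # route must point back out the ingress port
    raise ValueError(f"unknown uRPF mode: {mode}")

def trigger_drop(fib, prefix):
    """Model of the remote trigger: a more-specific route to the discard
    interface is added (in practice distributed by the routing protocol)."""
    return fib + [(prefix, NULL)]

if __name__ == "__main__":
    src = "198.51.100.7"
    print("loose, before trigger:", urpf_permits(SAMPLE_FIB, src, "Gi0/1", "loose"))
    print("strict, asymmetric path:", urpf_permits(SAMPLE_FIB, src, "Gi0/1", "strict"))
    fib = trigger_drop(SAMPLE_FIB, "198.51.100.7/32")
    print("loose, after trigger:", urpf_permits(fib, src, "Gi0/1", "loose"))
```

The check keys only on the source address and the routing table, which is why it cannot express the protocol and port matching that an ACL can.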

