[c-nsp] benefit of uRFP with ACL over ACL on interface
Pekka Savola
pekkas at netcore.fi
Wed Sep 8 14:26:11 EDT 2004
On Wed, 8 Sep 2004, Florian Weimer wrote:
> > It all depends on what you want to achieve. uRPF when used in loose mode
> > allows for remotely triggered drops/filters in a short timeframe, which
> > is difficult to achieve with ACL.
> >
> > However, uRPF doesn't allow for filtering granularity (matching
> > protocol/ports) like what xACL allows.
>
> In addition, certain common ACL entries (such as anti-spoofing
> filters) don't fit very well into the general ACL structure and thus
> require quite a bit of TCAM space. Using uRPF might reduce TCAM usage
> in such a case. Of course, this is only relevant on very few
> platforms. You often can't use uRPF in strict mode because it can't
> cope with the current BGP table size.
Why would one want to run uRPF in strict mode on an interface over
which you get a full BGP feed? Or is the implementation so flawed
that it requires conserving "double space" for all the routes on the
system, even if they weren't used on that particular interface?
--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
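An added illustration, not part of the thread, of the strict/loose distinction discussed above and of the remotely triggered drop loose mode enables: a small Python model of the reverse-path check over a constructed FIB. "Null0" stands for a black-hole route injected for one source, and the default route is ignored unless allow_default is set, mirroring the IOS allow-default keyword; interface names and prefixes are made up.

```python
import ipaddress

# Constructed FIB as (prefix, egress interface). "Null0" models a
# black-hole route, e.g. one injected by a BGP trigger router.
FIB = [
    ("0.0.0.0/0", "Gi0/1"),         # default route towards upstream A
    ("198.51.100.0/24", "Gi0/2"),   # customer prefix behind Gi0/2
    ("203.0.113.0/24", "Gi0/3"),    # prefix learnt from upstream B
    ("203.0.113.77/32", "Null0"),   # remotely triggered drop for one source
]


def lookup(src, allow_default=False):
    """Longest-prefix match for src; returns the egress interface or None.
    The default route only counts when allow_default is True."""
    ip = ipaddress.ip_address(src)
    best_net, best_if = None, None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, iface
    return best_if


def urpf_loose(src, allow_default=False):
    """Loose mode: accept if any non-black-hole route to the source exists.
    A Null0 route for the source therefore drops it on every interface."""
    iface = lookup(src, allow_default)
    return iface is not None and iface != "Null0"


def urpf_strict(src, ingress, allow_default=False):
    """Strict mode: accept only if the best route back to the source leaves
    via the interface the packet arrived on. Asymmetric routing fails here."""
    iface = lookup(src, allow_default)
    return iface is not None and iface != "Null0" and iface == ingress


if __name__ == "__main__":
    # Packet from upstream B's prefix arriving via upstream A: loose passes,
    # strict drops, which is why strict mode is a poor fit on peering links.
    print(urpf_loose("203.0.113.5"), urpf_strict("203.0.113.5", "Gi0/1"))
    # The black-holed source is dropped in both modes.
    print(urpf_loose("203.0.113.77"))
```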