[c-nsp] benefit of uRPF with ACL over ACL on interface
Florian Weimer
fw at deneb.enyo.de
Wed Sep 8 17:39:24 EDT 2004
* Pekka Savola:
>> In addition, certain common ACL entries (such as anti-spoofing
>> filters) don't fit very well into the general ACL structure and thus
>> require quite a bit of TCAM space. Using uRPF might reduce TCAM usage
>> in such a case. Of course, this is only relevant on very few
>> platforms. You often can't use uRPF in strict mode because it can't
>> cope with the current BGP table size.
>
> Why would one want to run uRPF in strict mode on an interface over
> which you get a full BGP feed?
What about the following scenario: You'd like to prevent packets
from spoofed sources within your network from entering your network?
> Or is the implementation so flawed that it requires to conserve
> "double space" of all the routes on the system, even if they weren't
> used on that particular interface?
Hmm, I've never tried that.