[c-nsp] benefit of uRFP with ACL over ACL on interface

Pekka Savola pekkas at netcore.fi
Thu Sep 9 02:53:35 EDT 2004


On Wed, 8 Sep 2004, Florian Weimer wrote:
> * Pekka Savola:
> >> In addition, certain common ACL entries (such as anti-spoofing
> >> filters) don't fit very well into the general ACL structure and thus
> >> require quite a bit of TCAM space.  Using uRPF might reduce TCAM usage
> >> in such a case.  Of course, this is only relevant on very few
> >> platforms.  You often can't use uRPF in strict mode because it can't
> >> cope with the current BGP table size.
> >
> > Why would one want to run uRPF in strict mode on an interface over 
> > which you get a full BGP feed?
> 
> What about the following scenario: You'd like to prevent packets
> from spoofed sources within your network from entering your network?

Do a normal ACL about those (that's what we do)?

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings



