[c-nsp] benefit of uRPF with ACL over ACL on interface
Pekka Savola
pekkas at netcore.fi
Thu Sep 9 02:53:35 EDT 2004
On Wed, 8 Sep 2004, Florian Weimer wrote:
> * Pekka Savola:
> >> In addition, certain common ACL entries (such as anti-spoofing
> >> filters) don't fit very well into the general ACL structure and thus
> >> require quite a bit of TCAM space. Using uRPF might reduce TCAM usage
> >> in such a case. Of course, this is only relevant on very few
> >> platforms. You often can't use uRPF in strict mode because it can't
> >> cope with the current BGP table size.
> >
> > Why would one want to run uRPF in strict mode on an interface over
> > which you get a full BGP feed?
>
> What about the following scenario: You'd like to prevent packets
> from spoofed sources within your network from entering your network?
Do a normal ACL about those (that's what we do)?
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings