[c-nsp] inbound ACL
Ian Dickinson
iand at eng.pipex.net
Tue Feb 7 10:48:03 EST 2006
You want uRPF (unicast reverse path forwarding);
see http://www.ietf.org/rfc/rfc3074.txt

But take care to read the documentation for your specific platform
(i.e. using this on sup2/pfc2 halves the number of prefixes your box
can hold in the TCAM from 128k to 64k - is OK on sup720).

    ip verify unicast source reachable-via rx

(or older style: ip verify unicast reverse-path)

Ian
Alban Dani wrote:
> Hi there,
>
> I have heard anecdotally that in the Cisco 6500 running native IOS you can
> run a command that will imitate
> an "allow" statement on an ACL applied inbound on an interface for the ip
> address assigned to that interface.
>
> i.e. if you have Vlan 21 and the ip address 1.2.1.1 255.255.255.0 then by
> running this command you would implicitly
> create something that would substitute "access-list 199 permit ip 1.2.1.0
> 0.0.0.255 any".
>
> I hope I am making sense.
>
> thanks
>
> Alban
--
Ian Dickinson
Development Engineer
PIPEX
ian.dickinson at pipex.net
http://www.pipex.net
This e-mail is subject to: http://www.pipex.net/disclaimer.html
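
Added example, not part of the original thread: a small Python model of the strict-mode (reachable-via rx) check, set beside the ACL line from the question, to show where the two agree and where they differ. Only 1.2.1.0/24 on Vlan21 comes from the thread; the other prefixes, interface names and sample source addresses are constructed, and the model ignores default routes.

```python
import ipaddress

# Constructed FIB for illustration. Only 1.2.1.0/24 on Vlan21 comes from the
# thread; every other prefix and interface name here is made up.
FIB = [(ipaddress.ip_network(p), frozenset(i)) for p, i in [
    ("1.2.1.0/24", {"Vlan21"}),      # connected subnet from the question
    ("1.2.1.77/32", {"Vlan22"}),     # host route pointing elsewhere
    ("1.2.2.0/24", {"Vlan22"}),      # another connected subnet
    ("192.0.2.0/24", {"Vlan21"}),    # routed via a next hop on Vlan21
]]

def lookup(fib, addr):
    """Longest-prefix match: egress interfaces for addr, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, ifs) for net, ifs in fib if ip in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def urpf_strict(fib, src, in_iface):
    """Strict (rx) check: best route back to src must use in_iface."""
    ifaces = lookup(fib, src)
    return ifaces is not None and in_iface in ifaces

def acl_permit(src, net="1.2.1.0/24"):
    """The ACL line from the question: permit ip 1.2.1.0 0.0.0.255 any."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(net)

def compare(sources, in_iface="Vlan21"):
    """Return {src: (acl_result, urpf_result)} for packets on in_iface."""
    return {s: (acl_permit(s), urpf_strict(FIB, s, in_iface)) for s in sources}

if __name__ == "__main__":
    samples = ["1.2.1.50", "1.2.2.9", "203.0.113.5", "1.2.1.77", "192.0.2.10"]
    for src, (acl, urpf) in compare(samples).items():
        print(f"{src:<12} acl={'permit' if acl else 'deny':<6} "
              f"urpf={'pass' if urpf else 'drop'}")
```

The two checks agree for ordinary hosts on the connected subnet, but uRPF follows the routing table: a more specific route out another interface causes a drop the ACL would permit, and a prefix routed behind the interface passes without an ACL entry.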