[c-nsp] inbound ACL

Ian Dickinson iand at eng.pipex.net
Tue Feb 7 10:48:03 EST 2006

You want uRPF (unicast reverse path forwarding)
see http://www.ietf.org/rfc/rfc3074.txt
But take care to read the documentation for your specific platform
(i.e. using this on sup2/pfc2 halves the number of prefixes your box
can hold in the TCAM from 128k to 64k - is OK on sup720)

ip verify unicast source reachable-via rx

(or older style: ip verify unicast reverse-path)


Alban Dani wrote:
> Hi there,
> I have heard anecdotally that in the Cisco 6500 running native IOS you can
> run a command that will imitate
> an "allow" statement on an ACL applied inbound on an interface for the ip
> address assigned to that interface.
> ie if you have Vlan 21 and the  ip address then by
> running this command you would implicitly
> create something that would substitute "access-list 199 permit ip
> any".
> I hope I am making sense.
> thanks
> Alban
Ian Dickinson
Development Engineer
ian.dickinson at pipex.net
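
Added example, not part of the original post and not Cisco's implementation: a small Python model of the strict-mode check behind "ip verify unicast source reachable-via rx", showing which sources an interface accepts and the asymmetric-routing case it drops. The routing table, interface names and packets are constructed; ECMP and default-route handling are not modelled.

```python
import ipaddress

# Constructed FIB for a hypothetical router (documentation prefixes, RFC 5737).
FIB = [
    ("192.0.2.0/24", "Vlan21"),       # connected subnet on Vlan21
    ("198.51.100.0/24", "Vlan22"),    # connected subnet on Vlan22
    ("203.0.113.0/24", "Gi1/1"),      # remote prefix, best path via Gi1/1
    ("203.0.113.128/25", "Gi1/2"),    # more specific half via Gi1/2
]

def best_interface(fib, addr):
    """Longest-prefix match on addr; return the outgoing interface or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(ipaddress.ip_network(p), ifname) for p, ifname in fib
               if ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def urpf_strict(fib, src, in_if):
    """Model of strict uRPF: accept only if the route back to src
    leaves through the interface the packet was received on."""
    return best_interface(fib, src) == in_if

# Constructed sample packets: (source address, receiving interface).
PACKETS = [
    ("192.0.2.10", "Vlan21"),     # host on Vlan21's own subnet
    ("198.51.100.7", "Vlan21"),   # source belongs to Vlan22's subnet
    ("10.9.9.9", "Vlan21"),       # no route back to this source
    ("203.0.113.5", "Gi1/1"),     # arrives on its best return path
    ("203.0.113.200", "Gi1/1"),   # asymmetric: return path is Gi1/2
]

def verdicts(fib, packets):
    """Return (source, interface, action) for each packet."""
    return [(src, in_if, "forward" if urpf_strict(fib, src, in_if) else "drop")
            for src, in_if in packets]

if __name__ == "__main__":
    for src, in_if, action in verdicts(FIB, PACKETS):
        print(f"{src:15} in {in_if:7} -> {action}")
```

The last packet is the case to check for before enabling strict mode: a legitimate source is dropped because its return route points out a different interface.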
