[c-nsp] inbound ACL

Tim Stevenson tstevens at cisco.com
Tue Feb 7 11:57:09 EST 2006


At 07:48 AM 2/7/2006, Ian Dickinson submitted:
>You want uRPF (unicast reverse path forwarding)
>see http://www.ietf.org/rfc/rfc3074.txt

Ah, yes, that fits the bill better than my suggestion ;)

Though it does more than just permit local subnet traffic: it permits any 
traffic sourced from a prefix reachable out that interface (assuming 
strict mode).


>But take care to read the documentation for your specific platform
>(i.e. using this on sup2/pfc2 halves the number of prefixes your box
>can hold in the tcam from 128k to 64k - is ok on sup720)

256 to 128 actually. Also, be careful on 6500 because it's a global mode 
(strict or loose) for all uRPF enabled interfaces & don't use 
exception ACLs with uRPF as it will punt to s/w.

Cheers,
Tim



>ip verify unicast source reachable-via rx
>
>(or older style: ip verify unicast reverse-path)
>
>Ian
>
>Alban Dani wrote:
> > Hi there,
> >
> > I have heard anecdotally that in the Cisco 6500 running native IOS you can
> > run a command that will imitate
> > an "allow" statement on an ACL applied inbound on an interface for the ip
> > address assigned to that interface.
> >
> > ie if you have Vlan 21 and the ip address 1.2.1.1 255.255.255.0 then by
> > running this command you would implicitly
> > create something that would substitute "access-list 199 permit ip 1.2.1.0
> > 0.0.0.255 any".
> >
> > I hope I am making sense.
> >
> > thanks
> >
> > Alban
>--
>Ian Dickinson
>Development Engineer
>PIPEX
>ian.dickinson at pipex.net
>http://www.pipex.net
>
>This e-mail is subject to: http://www.pipex.net/disclaimer.html
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/



Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Catalyst 6500
Cisco Systems, http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.
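Added illustration (not part of the thread and not Cisco code): a small Python model of the uRPF decision discussed above, so the difference between Alban's static ACL and strict/loose uRPF is visible on concrete packets. The FIB, interface names and source addresses are constructed for the example; strict mode corresponds to `ip verify unicast source reachable-via rx`, loose mode to `reachable-via any`, and the `allow_default` flag to the IOS `allow-default` keyword. Platform details (TCAM usage, global mode on the 6500, software punting with exception ACLs) are deliberately not modelled.

```python
"""Toy model of Cisco uRPF strict vs. loose mode (illustration only).

A FIB maps prefixes to egress interfaces.  A packet passes strict uRPF
only if the longest-match route for its *source* address points back
out the interface the packet arrived on; loose mode only requires that
some route for the source exist.  A default route satisfies neither
check unless allow_default is set (the IOS `allow-default` keyword).
All data below is constructed for the example.
"""
from ipaddress import ip_address, ip_network

# Constructed FIB: prefix -> egress interface (longest match wins).
FIB = {
    ip_network("1.2.1.0/24"): "Vlan21",    # connected subnet from the question
    ip_network("10.50.0.0/16"): "Vlan21",  # remote prefix routed via Vlan21
    ip_network("192.0.2.0/24"): "Vlan22",  # prefix reachable out another interface
    ip_network("0.0.0.0/0"): "Gig1/1",     # default route toward upstream
}


def lookup(fib, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ip_address(addr)
    best = None
    for net, iface in fib.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib, src, ingress, mode="strict", allow_default=False):
    """True if a packet from `src` arriving on `ingress` passes uRPF."""
    match = lookup(fib, src)
    if match is None:
        return False                 # no route at all for the source
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False                 # only the default route matched
    if mode == "loose":
        return True                  # reachable via any interface
    return iface == ingress          # strict: reachable back out the rx interface


def acl_check(src):
    """The static ACL from the question:
    access-list 199 permit ip 1.2.1.0 0.0.0.255 any (implicit deny otherwise)."""
    return ip_address(src) in ip_network("1.2.1.0/24")


def demo(ingress="Vlan21"):
    """Evaluate a few constructed sources arriving on `ingress`."""
    sources = ["1.2.1.50", "10.50.3.7", "192.0.2.9", "203.0.113.1"]
    results = {}
    for src in sources:
        results[src] = {
            "acl": acl_check(src),
            "strict": urpf_check(FIB, src, ingress),
            "loose": urpf_check(FIB, src, ingress, mode="loose"),
            "strict_default": urpf_check(FIB, src, ingress, allow_default=True),
            "loose_default": urpf_check(FIB, src, ingress, "loose", True),
        }
    return results


if __name__ == "__main__":
    for src, verdicts in demo().items():
        print(src, verdicts)
```

The second row (10.50.3.7) is the point made in the reply: strict uRPF accepts it because the FIB reaches 10.50.0.0/16 out Vlan21, even though the static ACL would drop it; 192.0.2.9 shows the case strict mode drops but loose mode accepts.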

