[c-nsp] inbound ACL

Tim Stevenson tstevens at cisco.com
Tue Feb 7 11:57:09 EST 2006

At 07:48 AM 2/7/2006, Ian Dickinson submitted:
>You want uRPF (unicast reverse path forwarding)
>see http://www.ietf.org/rfc/rfc3074.txt

Ah, yes, that fits the bill better than my suggestion ;)

Though it does more than just permit local subnet traffic: it permits any 
traffic sourced from a prefix reachable out that interface (assuming 
strict mode).

>But take care to read the documentation for your specific platform
>(ie using this on sup2/pfc2 halves the number of prefixes your box
>can hold in the tcam from 128k to 64k - is ok on sup720)

256k to 128k actually. Also, be careful on the 6500 because it's a global mode 
(strict or loose) for all uRPF-enabled interfaces, and don't use 
exception ACLs with uRPF as it will punt to software.


>ip verify unicast source reachable-via rx
>(or older style: ip verify unicast reverse-path)
>Alban Dani wrote:
> > Hi there,
> >
> > I have heard anecdotally that in the Cisco 6500 running native IOS you can
> > run a command that will imitate
> > an "allow" statement on an ACL applied inbound on an interface for the ip
> > address assigned to that interface.
> >
> > ie if you have Vlan 21 and the  ip address then by
> > running this command you would implicitly
> > create something that would substitute "access-list 199 permit ip
> > any".
> >
> > I hope I am making sense.
> >
> > thanks
> >
> > Alban
>Ian Dickinson
>Development Engineer
>ian.dickinson at pipex.net

Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Catalyst 6500
Cisco Systems, http://www.cisco.com
IP Phone: 408-526-6759
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.
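The two approaches discussed in the thread side by side, as an added IOS configuration example (not configuration posted by any of the participants). The interface address 192.0.2.1/24 is an assumed placeholder from the documentation range, since the original question elides the real one; the ACL number 199 and Vlan21 are taken from the question itself.

```cisco-ios
! Added example, not from the thread. 192.0.2.0/24 is an assumed address.
! uRPF is a CEF feature, so CEF must be on.
ip cef
!
! 1) What the original question describes: an inbound ACL that only admits
!    packets whose source is the interface's own subnet. Only the first
!    line is needed; the implicit deny drops everything else.
access-list 199 permit ip 192.0.2.0 0.0.0.255 any
!
interface Vlan21
 ip address 192.0.2.1 255.255.255.0
 ip access-group 199 in
!
! 2) The uRPF replacement suggested in the thread. Strict mode (reachable-via rx)
!    accepts a packet only if the FIB's best route to its source points back out
!    Vlan21, so it covers the connected /24 AND any other prefix routed via this
!    interface, which the ACL above would not.
interface Vlan21
 no ip access-group 199 in
 ip verify unicast source reachable-via rx
!
! Loose mode accepts any source that has some route in the FIB. Per the reply
! above, on the 6500 the mode is global for every uRPF-enabled interface, so
! do not mix "rx" and "any" across interfaces on that platform:
!  ip verify unicast source reachable-via any
!
! Do NOT append an exception ACL on the 6500, e.g.
!  ip verify unicast source reachable-via rx 199
! because, per the reply above, that punts the check to software.
!
! Verification:
!  show ip interface Vlan21 | include verify
!  show ip traffic | include RPF
```

Note the behavioural difference: the ACL form admits exactly one prefix, while strict uRPF admits whatever the routing table says is reachable via Vlan21, so a routing change silently changes what is permitted. The `show ip traffic` RPF counter is the quickest way to see whether the check is actually dropping anything.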
