[c-nsp] ACL vs IP verify unicast: TCAM entries

Victor Lyapunov victor.lyapunov at gmail.com
Fri Oct 3 10:54:31 EDT 2008


Hello All

At work we have a network of BRAS for PPP termination, consisting of Juniper ERX and Cisco 10k.
I was wondering what is the most efficient way to filter incoming subscriber traffic. We would like to verify that incoming subscriber traffic is indeed sourced from the IP that we assigned to them.

We can achieve this by either:

-Creating an ACL that is common for every subscriber (same for all routers) that allows incoming traffic originating from the address ranges that are assigned to us. This would create an incoming ACL with roughly 24 entries that would be applied to the Virtual-Access interfaces.

-Activating "ip verify unicast" in the virtual-template interface

What is the mechanism employed by "ip verify unicast"? Does it create on-the-fly an ACL for each interface that it is applied to, containing in my case just one entry that matches the network address of the interface? In this case a typical BRAS terminating 16000 users would require 16000 dynamically created unique ACLs (or policy-lists in the ERX).

Obviously from a security perspective "ip verify unicast" seems to be the optimal solution but would consume more memory / CAM entries in the ERX case. If our primary concern is keeping the load in the routers low, should "ip verify unicast" be considered the best solution? From your experience, does applying an ACL with one entry create less load than an ACL with 24? (in theory all entries should be processed in parallel)

Any help is welcome.
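The two mechanisms the post compares do different things, and the difference is easiest to see by modelling both. An ingress ACL listing the provider's ranges permits any source inside that space, so it cannot tell one subscriber's address from another's. Strict unicast RPF (on IOS, "ip verify unicast source reachable-via rx") does not build a per-interface ACL at all: it looks the packet's source address up in the FIB and permits the packet only if the best route to that source points back out the interface the packet arrived on. The model below is an added example, not code from the original post or from either vendor; the FIB contents, interface names and the three "provider ranges" standing in for the 24-entry ACL are constructed, and it assumes (as a PPP BRAS does) that each session installs a /32 host route for its assigned address on its Virtual-Access interface.

```python
"""Model of the two source-validation mechanisms discussed above: an ingress ACL
listing the provider's ranges, and strict unicast RPF, which looks the source
address up in the FIB and requires the best route to point back out the
ingress interface.  Constructed example, not code from the original post."""

import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


# Constructed FIB of a BRAS.  Assumption: when a PPP session comes up the
# router installs a /32 host route for the assigned address pointing at the
# session's Virtual-Access interface; the pool aggregate is nailed to Null0.
FIB: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet1/0/0"),  # default towards core
    Route(ipaddress.ip_network("10.1.0.0/16"), "Null0"),                # subscriber pool aggregate
    Route(ipaddress.ip_network("10.1.0.5/32"), "Virtual-Access1"),      # subscriber A
    Route(ipaddress.ip_network("10.1.0.6/32"), "Virtual-Access2"),      # subscriber B
]

# Hypothetical provider ranges standing in for the common 24-entry ACL.
PROVIDER_RANGES = [ipaddress.ip_network(p)
                   for p in ("10.1.0.0/16", "10.2.0.0/16", "192.0.2.0/24")]


def fib_lookup(addr: ipaddress.IPv4Address, fib: Iterable[Route]) -> Optional[Route]:
    """Longest-prefix match over the FIB; None if nothing matches."""
    best = None
    for route in fib:
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def ingress_acl_permits(src: str, ranges=PROVIDER_RANGES) -> bool:
    """Common ingress ACL: permit if the source falls inside any provider range."""
    addr = ipaddress.ip_address(src)
    return any(addr in prefix for prefix in ranges)


def strict_urpf_permits(src: str, ingress_if: str, fib=FIB) -> bool:
    """Strict uRPF: the best route to the source must exit via the ingress
    interface.  A source whose best route is Null0, or that has no route, fails."""
    route = fib_lookup(ipaddress.ip_address(src), fib)
    return route is not None and route.interface != "Null0" and route.interface == ingress_if


def evaluate(packets):
    """Run both checks over (src, ingress_if) pairs.
    Returns a list of (src, acl_permits, urpf_permits)."""
    return [(src, ingress_acl_permits(src), strict_urpf_permits(src, intf))
            for src, intf in packets]


if __name__ == "__main__":
    # Constructed packets, all arriving on subscriber A's session.
    SAMPLE = [
        ("10.1.0.5", "Virtual-Access1"),      # A's own address
        ("10.1.0.6", "Virtual-Access1"),      # A spoofing subscriber B
        ("10.1.0.9", "Virtual-Access1"),      # unallocated address in the pool
        ("198.51.100.7", "Virtual-Access1"),  # outside the provider ranges
    ]
    for src, acl_ok, urpf_ok in evaluate(SAMPLE):
        print(f"{src:15} acl={'permit' if acl_ok else 'deny':6} "
              f"urpf={'permit' if urpf_ok else 'deny'}")
```

The second and third sample packets are the ones that matter: the range-based ACL passes a subscriber spoofing another subscriber's address (or an unallocated pool address) because both sit inside provider space, while strict uRPF drops them because the best FIB route for that source does not lead back to the ingress session. The model says nothing about TCAM or CAM consumption on either platform; it only shows what each check decides.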

