[c-nsp] ACL vs IP verify unicast: TCAM entries
Phil Mayers
p.mayers at imperial.ac.uk
Fri Oct 3 12:15:47 EDT 2008
> What is the mechanism employed by "ip verify unicast"? Does it create
> on-the-fly an ACL for each interface that it is applied to, containing in
> my case just one entry that matches the network address of the interface?
> In this case a typical BRAS terminating 16000 users would require 16000
> dynamically created unique ACLs (or policy-lists in the ERX).
I do not think it works like that on Cisco kit.
I think it basically does this:
output_interfaces = cef_lookup(src)
if input_interface in output_interfaces:
    forward
else:
    drop
...that is, each packet effectively has 2 route lookups; one on the
source IP to check the packet has come in on a valid interface, then a
2nd on the destination IP to actually forward the packet.
I have no idea what the ERX does - best ask on a Juniper list.
I would recommend using uRPF unless you have a compelling reason not to.
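To make the two-lookup model above concrete, here is an added Python simulation (not from the post, and not Cisco's implementation) of strict and loose uRPF over a constructed FIB; the prefixes, interface names and the `allow_default` switch (modelling the `allow-default` keyword of `ip verify unicast source reachable-via rx`) are assumptions.

```python
import ipaddress

# Constructed FIB: (prefix, set of output interfaces). A set with more than one
# interface models an ECMP route, which is why the check below is
# "input_interface in output_interfaces" rather than an equality test.
FIB = [
    ("10.1.0.0/16", {"Gi0/1"}),
    ("10.1.5.0/24", {"Gi0/2"}),             # more specific route wins
    ("192.0.2.0/24", {"Gi0/3", "Gi0/4"}),   # ECMP: two valid ingress interfaces
    ("0.0.0.0/0", {"Gi0/0"}),               # default route towards upstream
]


def cef_lookup(addr):
    """Longest-prefix match. Returns (matched_network, output_interfaces),
    or (None, set()) when no route covers addr."""
    ip = ipaddress.ip_address(addr)
    best_net, best_ifaces = None, set()
    for prefix, ifaces in FIB:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_ifaces = net, set(ifaces)
    return best_net, best_ifaces


def forward_decision(src, dst, in_iface, mode="strict", allow_default=False):
    """Lookup 1: reverse-path check on the source. Lookup 2: forward on the destination.
    Returns ("forward", out_iface) or ("drop", reason)."""
    src_net, src_ifaces = cef_lookup(src)
    if src_net is None:
        return ("drop", "no-route-to-source")
    # Cisco uRPF treats a source that matches only the default route as a
    # failure unless allow-default is configured (assumption modelled here).
    if src_net.prefixlen == 0 and not allow_default:
        return ("drop", "default-route-only")
    # Strict mode: the packet must arrive on an interface the router would use
    # to reach src. Loose mode only requires that some route to src exists.
    # Caveat: strict mode drops legitimate traffic on asymmetric paths.
    if mode == "strict" and in_iface not in src_ifaces:
        return ("drop", "urpf-fail")
    dst_net, dst_ifaces = cef_lookup(dst)
    if dst_net is None:
        return ("drop", "no-route-to-destination")
    # For ECMP destinations a real box hashes the flow; pick deterministically here.
    return ("forward", sorted(dst_ifaces)[0])
```

Note that the per-packet cost is the two FIB lookups, with no per-interface ACL state in this model.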