[c-nsp] BCP 38 on single-mode uRPF platforms?
Pete Templin
petelists at templin.org
Wed Mar 18 11:27:07 EDT 2009
List,
I'm re-evaluating my BCP 38 strategy on my customer-facing Sup720-3BXL
platforms, and would like to hear from the list on what you're doing in
similar situations. Since the uRPF logic on these platforms is limited
to a global setting of 'reachable-via any' OR 'reachable-via rx', I'm
starting to re-think the use of this tool. Since it's also beneficial
in source blackholing, I'm now leaning towards 'reachable-via any' on
all Internet customer ports, with per-port (per-customer) ACLs to
prevent spoofing.
Aside from having to maintain those per-port/per-customer ACLs and a
risk to multi-homed customers if 'reachable-via rx' gets triggered
accidentally, does anyone have other twists they'd like to suggest or
other pitfalls they see? Is there any way to globally lock the uRPF
behavior to '...any' to avoid surprises?
Thanks,
Pete
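As an added example (not part of the original post or anything from the cisco-nsp list), here is a small Python script that builds the per-port configuration Pete describes: loose-mode uRPF (`ip verify unicast source reachable-via any`) on every customer port, plus a per-customer extended ACL that permits only that customer's assigned source prefixes. The customer names, port names and prefixes are constructed for illustration; the IOS syntax used is the standard form of those commands, but check it against your release before pasting. The `source_permitted` helper simulates the ingress ACL so the generated policy can be checked offline.

```python
"""Generate per-customer BCP 38 ingress configuration for a Cisco IOS
platform whose uRPF is pinned to 'reachable-via any' (loose mode).

Added example, not from the original post.  Assumptions (constructed):
  - customer names, interface names and prefixes below are made up;
  - IPv4 only (ipaddress.collapse_addresses cannot mix v4 and v6);
  - the ACL is a plain extended ACL with no 'log' keyword on the deny,
    because logged denies are punted to the CPU on these platforms.
"""
import ipaddress

# Constructed customer table: port -> prefixes the customer may source.
# A multi-homed customer must list every prefix it can originate through
# this port, including downstream and secondary-upstream space.
CUSTOMERS = {
    "GigabitEthernet1/1": {"name": "CUST-A",
                           "prefixes": ["192.0.2.0/24"]},
    "GigabitEthernet1/2": {"name": "CUST-B",
                           "prefixes": ["198.51.100.0/25", "203.0.113.0/24"]},
}


def antispoof_acl(name, prefixes):
    """Extended ACL permitting only the listed IPv4 source prefixes.

    Prefixes are collapsed first so overlapping or adjacent entries do not
    waste TCAM; order among the permits does not change the result.
    """
    nets = ipaddress.collapse_addresses(
        ipaddress.ip_network(p, strict=True) for p in prefixes)
    lines = [f"ip access-list extended {name}"]
    for net in sorted(nets):
        # IOS wants an inverse (wildcard) mask, which is the hostmask.
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any")   # implicit anyway; explicit for clarity
    return lines


def interface_config(ifname, customer):
    """Loose-mode uRPF plus the per-port anti-spoofing ACL on one port."""
    acl = f"BCP38-{customer['name']}"
    return [f"interface {ifname}",
            " ip verify unicast source reachable-via any",
            f" ip access-group {acl} in"]


def build_config(customers=CUSTOMERS):
    """Emit every ACL before any interface stanza references it, so a pasted
    config never applies an ACL that does not exist yet (on IOS an
    undefined ACL applied to a port filters nothing)."""
    acls, ifaces = [], []
    for ifname, cust in customers.items():
        acls += antispoof_acl(f"BCP38-{cust['name']}", cust["prefixes"])
        ifaces += interface_config(ifname, cust)
    return acls + ifaces


def source_permitted(ifname, src, customers=CUSTOMERS):
    """Simulate the ingress ACL: True if a packet sourced from 'src'
    arriving on 'ifname' would be permitted, False if it would be dropped."""
    addr = ipaddress.ip_address(src)
    nets = (ipaddress.ip_network(p) for p in customers[ifname]["prefixes"])
    return any(addr in n for n in nets)


if __name__ == "__main__":
    print("\n".join(build_config()))
```

The per-customer ACL is where the multi-homing risk Pete mentions shows up again in a different form: if a customer sources traffic from a prefix learned via its other upstream and that prefix is missing from `CUSTOMERS`, the ACL drops it just as strict-mode uRPF would. Generating the ACLs from the same data that drives the customer's prefix-list filters keeps the two from drifting apart.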