[c-nsp] BCP 38 on single-mode uRPF platforms?
Pete Templin
petelists at templin.org
Fri Mar 20 09:56:06 EDT 2009
Jerimiah Cole wrote:
> Pete Templin wrote:
> ...
>> I'm now leaning towards 'reachable-via any' on
>> all Internet customer ports, with per-port (per-customer) ACLs to
>> prevent spoofing.
>>
>> Aside from having to maintain those per-port/per-customer ACLs and a
>> risk to multi-homed customers if 'reachable-via rx' gets triggered
>> accidentally,
> ...
>
> For me, the biggest benefit of uRPF is not having to maintain the ACLs.
> I've seen at least one large transit provider that seems to run
> 'reachable-via rx' on customer interfaces (or at least on interfaces
> that I've connected to). It also honors no-export, so there's only a
> small loss of control.
You're right, uRPF (normally) means you don't have to maintain the ACLs.
However, on the Sup720, it doesn't behave the same. If you configure
one customer with 'ip ve u s r a allow-s' and then configure a second
customer with 'ip ve u s r r allow-s', the BOX AS A WHOLE now applies
the equivalent of 'ip ve u s r r allow-s' to all customers who have 'ip
ve *' configured. It's a global mode, even though it's specific
commands. The PFC isn't capable of applying different uRPF behaviors to
the ports. Therefore, I have a reasonably refined solution in mind (use
uRPF in 'reachable-via any' so that all customers can at least come
under the control of our centralized blackhole infrastructure, but
multihomed customers can still send traffic they ought to be able to send).
pt
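A constructed IOS configuration sketch of the approach described in the post (added here; it is not from the post or from Cisco documentation): loose-mode uRPF on every customer port, a per-port ACL for anti-spoofing, and a Null0 route so a blackholed source is dropped by uRPF box-wide. Interface names and prefixes are assumed and use RFC 5737 documentation ranges.

```cisco
! Per-customer anti-spoofing ACL: only the prefixes this customer is
! entitled to source (assumed values; the second one stands for a
! multihomed customer's prefix that 'reachable-via rx' might have dropped).
ip access-list extended CUST-A-IN
 remark assumed customer prefixes
 permit ip 192.0.2.0 0.0.0.255 any
 permit ip 198.51.100.0 0.0.0.255 any
 deny   ip any any log
!
! Customer port: loose-mode uRPF ('reachable-via any') plus the per-port
! ACL. Because the Sup720 applies one uRPF mode box-wide, every customer
! port uses 'any' and the ACL carries the strict source check instead.
interface GigabitEthernet1/1
 description Customer A (multihomed) - assumed interface
 ip address 203.0.113.1 255.255.255.252
 ip verify unicast source reachable-via any allow-self-ping
 ip access-group CUST-A-IN in
!
! Centralized blackhole: a Null0 route for an offending source (assumed
! address). Loose-mode uRPF fails the lookup for that source on every
! uRPF-enabled port, so the traffic is dropped without touching any ACL.
ip route 192.0.2.200 255.255.255.255 Null0
```

In practice the Null0 route would be injected by the blackhole infrastructure (for example via BGP with a next-hop pointing at a statically null-routed address) rather than typed per box.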