[c-nsp] BCP 38 on single-mode uRPF platforms?
Jerimiah Cole
jcole at thend.org
Fri Mar 20 12:34:36 EDT 2009
Pete Templin wrote:
...
> I'm now leaning towards 'reachable-via any' on
> all Internet customer ports, with per-port (per-customer) ACLs to
> prevent spoofing.
>
> Aside from having to maintain those per-port/per-customer ACLs and a
> risk to multi-homed customers if 'reachable-via rx' gets triggered
> accidentally,
...
For me, the biggest benefit of uRPF is not having to maintain the ACLs.
I've seen at least one large transit provider that seems to run
'reachable-via rx' on customer interfaces (or at least on interfaces
that I've connected to). It also honors no-export, so there's only a
small loss of control.
Jerimiah
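
Added example, not part of either post: a small Python model of the trade-off discussed in this thread, comparing 'reachable-via rx', 'reachable-via any', and 'reachable-via any' combined with a per-port ACL. The FIB contents, interface names, prefixes and function names are constructed for illustration, and uRPF options such as default-route handling are not modelled.

```python
import ipaddress

# Constructed FIB: (prefix, interface of the current best path).
# cust0 is multi-homed: its prefix 198.51.100.0/24 is currently best via peer0.
FIB = [
    ("198.51.100.0/24", "peer0"),
    ("203.0.113.0/24", "cust1"),      # single-homed customer
    ("192.0.2.0/24", "upstream0"),    # a third party's prefix
]

# Constructed per-port (per-customer) ACLs: sources each customer may use.
PORT_ACL = {
    "cust0": ["198.51.100.0/24"],
    "cust1": ["203.0.113.0/24"],
}

def lookup(src):
    """Longest-prefix match; returns the best-path interface or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in FIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def urpf_permits(src, in_if, mode):
    """mode 'rx': best path must point back at in_if; 'any': a route must exist."""
    out_if = lookup(src)
    if out_if is None:
        return False
    return mode == "any" or out_if == in_if

def acl_permits(src, in_if):
    """Per-port source filter: src must fall in a prefix listed for in_if."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in PORT_ACL.get(in_if, []))

def permits(src, in_if, mode, use_acl=False):
    """Combined decision for a packet with source src arriving on in_if."""
    return urpf_permits(src, in_if, mode) and (not use_acl or acl_permits(src, in_if))

if __name__ == "__main__":
    for src in ("198.51.100.10", "192.0.2.7", "10.1.1.1"):
        print(src, "on cust0:",
              "rx =", permits(src, "cust0", "rx"),
              "| any =", permits(src, "cust0", "any"),
              "| any+ACL =", permits(src, "cust0", "any", use_acl=True))
```

In this model 'rx' drops the multi-homed customer's own traffic while its best path points elsewhere, 'any' alone accepts any routed source, and 'any' with the per-port ACL accepts only the customer's prefix, which is the ACL maintenance cost weighed in the thread.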