[c-nsp] ACL limitations on Sup720/PFC3BXL
Robert Hass
robhass at gmail.com
Fri Dec 17 05:18:41 EST 2010
Hi
I would like to implement uRPF together with an inbound ACL on
customer-connected SVIs.
Will Sup720/PFC3BXL hardware support this without problems?
My 6500 configuration looks like this:
1) Around ~200 SVIs with customers. On all SVIs uRPF is enabled to
prevent spoofing:
int VlanXXX
 description Customer SVI - ID: xxxxxxx
 ip address ... ...
 ip verify unicast source reachable-via rx allow-default
 no ip redirects
 no ip proxy-arp
 no ip unreachables
Here an inbound ACL will be added - 'ip access-group from-Customers-IN in'.
2) Two SVIs to Core routers
int VlanYYY
 description To core1
 ip address x.x.x.x 255.255.255.252
 ip access-group from-CORE-to-EDGE-Inbound in
 ip router isis
 no ip redirects
 no ip proxy-arp
 no ip unreachables
Robert