[c-nsp] URPF MAC check

Aled Morris aledm at qix.co.uk
Fri Nov 23 06:15:30 EST 2012


On 23 November 2012 11:06, Dobbins, Roland <rdobbins at arbor.net> wrote:

>
> On Nov 23, 2012, at 5:49 PM, Aled Morris wrote:
>
> > It would be handy if URPF could use both the L3 FIB (as it does now) and
> the L2 ARP table to validate source addresses
>
> I guess I don't understand what you mean by this . . .
>
> Regarding some combination of layer-2 and layer-3, how would your box have
> prior knowledge of what path(s) packets are going to take through the
> Internet to reach the given interface on your box?
>

When URPF has a packet, it checks the L3 forwarding table to get the L3
next hop for the given packet's source IP address.

What I'm suggesting is that it would then use the ARP table for that L3
next hop IP address to further validate the packet in hand.

Does that explain what I am trying to ask for?

Aled
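
The check proposed in the message above, modelled as an added example (not code from the original post or from any router implementation). The FIB and ARP entries are constructed sample data, and strict-mode uRPF, dropping when no ARP entry exists, and treating a directly connected source as its own next hop are assumptions.

```python
import ipaddress

# Constructed sample tables: two peers share the segment on Gi0/1.
FIB = [  # (prefix, L3 next hop or None if directly connected, interface)
    ("198.51.100.0/24", "192.0.2.2", "Gi0/1"),
    ("203.0.113.0/24", "192.0.2.1", "Gi0/1"),
    ("192.0.2.0/24", None, "Gi0/1"),
]
ARP = {  # neighbor IP -> MAC (documentation MAC range)
    "192.0.2.1": "00:00:5e:00:53:01",
    "192.0.2.2": "00:00:5e:00:53:02",
}

def fib_lookup(src_ip):
    """Longest-prefix match on the packet's source address."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, next_hop, ifname in FIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, ifname)
    return best

def urpf_mac_check(src_ip, src_mac, in_if):
    """uRPF (L3 FIB) followed by the proposed L2 check against the ARP table."""
    route = fib_lookup(src_ip)
    if route is None:
        return "drop: no route to source"
    _, next_hop, ifname = route
    if ifname != in_if:  # assumption: strict-mode uRPF
        return "drop: strict uRPF interface mismatch"
    # Assumption: for a connected prefix the source itself is the neighbor.
    neighbor = next_hop or src_ip
    expected = ARP.get(neighbor)
    if expected is None:  # assumption: fail closed without an ARP entry
        return "drop: no ARP entry for " + neighbor
    if expected.lower() != src_mac.lower():
        return "drop: source MAC is not next hop " + neighbor
    return "permit"

if __name__ == "__main__":
    # Same source IP and interface; only the sending neighbor's MAC differs.
    print(urpf_mac_check("198.51.100.7", "00:00:5e:00:53:02", "Gi0/1"))
    print(urpf_mac_check("198.51.100.7", "00:00:5e:00:53:01", "Gi0/1"))
```

Both sample packets pass the L3 uRPF test because the route back to the source points out Gi0/1; only the ARP comparison tells the two neighbors on that segment apart.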

