[c-nsp] URPF MAC check

Saku Ytti saku at ytti.fi
Fri Nov 23 07:57:05 EST 2012


On (2012-11-23 12:44 +0000), Dobbins, Roland wrote:

> So, would IP Source Guard with static bindings do the trick, assuming that it's possible to bind something shorter than a /32?

I don't see how. The application that immediately came to my mind after
reading the OP is this.

We often buy L2 access as a service. There are business offerings and
residential offerings. Business is 1 VLAN, 1 customer. Residential is 1 VLAN,
many customers; the provider handles L2 security, the rest is up to you (usually
local-proxy-arp to connect the hosts in the shared subnet).

Residential is much cheaper.

So if I did have uRPF strict with SMAC checking, I could provision business
connections with BGP here, and one customer could not use the source IP
addresses of another customer, as I'd also check the SMAC. I wouldn't need to
maintain any manual filter either.


Maybe there are scenarios where the above type of solution is the only practical
one available, and for now you're forced to run GRE with a reduced MTU to solve
it. But it might be completely niche too.

-- 
  ++ytti
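As an added illustration (not part of the post, and not any vendor's implementation), a small Python model of the check described above: on a shared VLAN, strict uRPF accepts any source prefix that is routed out that VLAN, so only the extra comparison of the frame's SMAC against the MAC of the BGP next-hop for the source prefix separates one customer from another. All prefixes, next-hops and MACs are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str      # VLAN interface the prefix is reachable through
    nexthop: str    # BGP next-hop (the customer's CPE) for that prefix

@dataclass(frozen=True)
class Frame:
    iface: str      # interface the frame arrived on
    smac: str       # source MAC of the frame
    src_ip: str     # IP source address

# Constructed sample state: customers A and B share Vlan100 (residential-style
# service); customer C has its own Vlan200 (business-style service).
ROUTES = [
    Route(ipaddress.ip_network("192.0.2.0/24"), "Vlan100", "10.0.0.2"),     # A
    Route(ipaddress.ip_network("198.51.100.0/24"), "Vlan100", "10.0.0.3"),  # B
    Route(ipaddress.ip_network("203.0.113.0/24"), "Vlan200", "10.0.1.2"),   # C
]
ARP = {"10.0.0.2": "00:00:5e:00:53:0a",   # MAC resolved for each next-hop
       "10.0.0.3": "00:00:5e:00:53:0b",
       "10.0.1.2": "00:00:5e:00:53:0c"}

def lookup(src_ip):
    """Longest-prefix match of the source address against the FIB."""
    addr = ipaddress.ip_address(src_ip)
    hits = [r for r in ROUTES if addr in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

def urpf_strict(frame, smac_check):
    """Return 'accept' or a 'drop: ...' reason for one ingress frame."""
    route = lookup(frame.src_ip)
    if route is None:
        return "drop: no route to source"
    if route.iface != frame.iface:
        return "drop: uRPF strict, source is routed via another interface"
    if smac_check and ARP.get(route.nexthop) != frame.smac:
        return "drop: SMAC is not the next-hop MAC of the source prefix"
    return "accept"

FRAMES = {  # constructed test frames
    "A legit":    Frame("Vlan100", "00:00:5e:00:53:0a", "192.0.2.10"),
    "B spoofs A": Frame("Vlan100", "00:00:5e:00:53:0b", "192.0.2.10"),
    "B spoofs C": Frame("Vlan100", "00:00:5e:00:53:0b", "203.0.113.5"),
}

def evaluate():
    """Verdicts without and with the SMAC check, keyed by frame name."""
    return {n: (urpf_strict(f, False), urpf_strict(f, True)) for n, f in FRAMES.items()}
```

With strict uRPF alone, "B spoofs A" is accepted because both prefixes are routed out the same VLAN; only the SMAC comparison rejects it, while "B spoofs C" is already caught by plain strict uRPF since C sits on a different VLAN.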