Jerimiah Cole wrote:
Pete Templin wrote:
...
> I'm now leaning towards 'reachable-via any' on all Internet customer ports, with per-port (per-customer) ACLs to prevent spoofing.

Aside from having to maintain those per-port/per-customer ACLs and a risk to multi-homed customers if 'reachable-via rx' gets triggered accidentally,
...

For me, the biggest benefit of uRPF is not having to maintain the ACLs. I've seen at least one large transit provider that seems to run 'reachable-via rx' on customer interfaces (or at least on interfaces that I've connected to). It also honors no-export, so there's only a small loss of control.

You're right, uRPF (normally) means you don't have to maintain the ACLs.

However, on the Sup720, it doesn't behave the same. If you configure one customer with 'ip ve u s r a allow-s' and then configure a second customer with 'ip ve u s r r allow-s', the BOX AS A WHOLE now applies the equivalent of 'ip ve u s r r allow-s' to all customers who have 'ip ve *' configured. It's a global mode, even though it's specific commands. The PFC isn't capable of applying different uRPF behaviors to the ports. Therefore, I have a reasonably refined solution in mind (use uRPF in 'reachable-via any' so that all customers can at least come under the control of our centralized blackhole infrastructure, but multihomed customers can still send traffic they ought to be able to send).

pt
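An added illustration (not from the thread or from Cisco) of the loose ('any') versus strict ('rx') uRPF check, plus a model of the Sup720 behaviour Pete describes, where configuring 'rx' on one port effectively applies strict mode to every port with uRPF enabled. The FIB, interface names and addresses are constructed; no default route is included, matching the check without 'allow-default'.

```python
import ipaddress

# Constructed FIB: prefix -> interface carrying the best route.
# 198.51.100.0/24 is a multihomed customer whose best path is via Gi1/2,
# but which also sends traffic to us over a second link, Gi1/3.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "Gi1/1",
    ipaddress.ip_network("198.51.100.0/24"): "Gi1/2",
}


def lookup(src):
    """Longest-prefix match; returns (prefix, interface) or None if unrouted."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, ifname in FIB.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def urpf_permits(src, ingress, mode):
    """uRPF verdict for a packet. mode is 'any' (loose) or 'rx' (strict)."""
    hit = lookup(src)
    if hit is None:
        return False          # no route to the source at all: dropped in both modes
    if mode == "any":
        return True           # loose: a route on any interface is enough
    return hit[1] == ingress  # strict: best route must point back out the ingress port


def effective_mode(port_modes, port):
    """Model of the Sup720 behaviour described above (assumption, per the post):
    if any port is configured 'rx', the PFC applies strict mode box-wide to
    every port that has uRPF configured. Ports without uRPF return None."""
    if port not in port_modes:
        return None
    return "rx" if "rx" in port_modes.values() else "any"


def check(port_modes, src, ingress):
    """Forward/drop decision for a packet given the per-port uRPF config."""
    mode = effective_mode(port_modes, ingress)
    if mode is None:
        return True           # uRPF not enabled on this port
    return urpf_permits(src, ingress, mode)
```

With every port on 'any', the multihomed customer's traffic on its secondary link is accepted and unrouted (spoofed) sources are still dropped; as soon as one port is set to 'rx', the same legitimate traffic on Gi1/3 is dropped.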

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
