North American Network Operators Group


Re: source filtering

  • From: Phillip Vandry
  • Date: Tue Jan 12 18:24:01 1999

> On Tue, Jan 12, 1999 at 05:51:36PM +0000, Alex Bligh wrote:
> > > 	2) Using the "ip verify unicast reverse-path" Cisco feature
> > > (it's in 11.1CC images when you use CEF, so I don't get a flood
> > > of e-mails)
> > 
> > I'm sure far more people would source filter if Cisco put this
> > in CPE routers.
> 
> 	This does not mean you can't filter on your fastether,
> ether, fddi, etc. that goes to customer aggregation boxes, or on
> the T1 where that connectivity hits your core backbone node, (I
> understand there are cases where this would not work, for some
> larger customers perhaps), but for most cases, this would be possible.

The problem with filtering "far" from your edge is that if you have
customers that need to be excepted, you need to except the whole
bunch of them that goes through that aggregated interface.

Any multihomed customer needs to be excepted if there's any chance
they're going to do asymmetric routing -- so long as they commit to
filtering at their edge.

You *need* to filter close to your edge.

-Phil
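
The trade-off in this message, as an added example that is not part of the original post: a small Python model of per-interface source filtering in which an exception switches the check off for everyone behind that interface. The customer names, prefixes (RFC 5737 documentation ranges) and packets are constructed, and the model is a simplification, not Cisco's implementation.

```python
import ipaddress

# Constructed topology; prefixes are RFC 5737 documentation ranges.
CUSTOMERS = {
    "cust-a": {"routes": ["192.0.2.0/25"], "multihomed": False},
    "cust-b": {"routes": ["192.0.2.128/25"], "multihomed": False},
    # cust-c also uses 203.0.113.0/24 from a second upstream; our best route
    # to that block points elsewhere (asymmetric), so it is not listed here.
    "cust-c": {"routes": ["198.51.100.0/24"], "multihomed": True},
}

# Constructed packets: (sender, source address, is the source legitimate?)
PACKETS = [
    ("cust-a", "192.0.2.10", True),
    ("cust-a", "10.0.0.1", False),       # spoofed
    ("cust-b", "192.0.2.200", True),
    ("cust-b", "10.1.2.3", False),       # spoofed
    ("cust-c", "198.51.100.5", True),
    ("cust-c", "203.0.113.50", True),    # legitimate, asymmetric return path
]

def interfaces(placement):
    """Group customers by the interface the filter is applied on."""
    if placement == "edge":
        return [[name] for name in CUSTOMERS]   # one interface per customer
    return [list(CUSTOMERS)]                    # "aggregate": one shared interface

def run(placement, exempt_multihomed):
    """Return (spoofed packets forwarded, legitimate packets dropped)."""
    spoofed_passed, legit_dropped = [], []
    for members in interfaces(placement):
        # An exception is per interface: it disables the check for all members.
        exempt = exempt_multihomed and any(CUSTOMERS[m]["multihomed"] for m in members)
        allowed = [ipaddress.ip_network(r) for m in members for r in CUSTOMERS[m]["routes"]]
        for sender, src, legit in PACKETS:
            if sender not in members:
                continue
            ok = exempt or any(ipaddress.ip_address(src) in net for net in allowed)
            if ok and not legit:
                spoofed_passed.append((sender, src))
            if not ok and legit:
                legit_dropped.append((sender, src))
    return spoofed_passed, legit_dropped

if __name__ == "__main__":
    for placement in ("edge", "aggregate"):
        for exempt in (False, True):
            print(placement, "exempt" if exempt else "strict", run(placement, exempt))
```

With the exception applied at the edge, only cust-c's interface goes unfiltered; applied at the aggregate, the spoofed packets from cust-a and cust-b are forwarded as well.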