North American Network Operators Group


Re: 69/8...this sucks -- Centralizing filtering..

  • From: Russell Heilling
  • Date: Mon Mar 10 16:40:51 2003

On Mon, Mar 10, 2003 at 01:39:26PM -0600, Jack Bates wrote:
> 
> Oh, I agree that there are times when BGP is used in a single uplink
> scenario, but it is not common. However, someone pointed me to ip verify
> unicast source reachable-via any which seems to be available on some of the
> cisco Service provider releases. It's an interesting concept and I'm itching
> to play with it. If you aren't in my routing table, then why accept the IP
> address?

I've been using this method to do "loose source verification" for a while 
now, and it's certainly better than nothing, but it doesn't really do as 
much as it should when you only receive a partial table from a peer.  I've 
been toying with the idea of supporting strict reverse path verification 
on peering links by using vrfs.  It works really well in the Lab, but 
migrating the whole network into an MPLS VPN just to get some extra 
source filtering ability seems a little extreme to me for some reason... 
;)

It'd work really well if Cisco allowed the global table as a vrf
import/export target though.

-- 
Russell Heilling
http://www.ccie.org.uk
PGP: finger [email protected]
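A small simulation of the three checks discussed in this thread (loose uRPF, strict uRPF, and a strict check against a per-peer vrf), added here as an illustration and not part of the original post or of Cisco's implementation. The routing tables, interface names and addresses are constructed; the third case shows the asymmetric-routing problem strict mode has on a peering link when the peer announces a prefix but the global best path is elsewhere.

```python
import ipaddress

# Constructed sample tables (not from the original post). GLOBAL_RIB holds
# best paths only; PEER_ANNOUNCED holds what each peer advertised to us,
# which is what a per-peer vrf would contain.
GLOBAL_RIB = {
    "192.0.2.0/24": "Gi0/1",      # learned from peer A
    "198.51.100.0/24": "Gi0/2",   # learned from peer B
    "203.0.113.0/24": "Gi0/4",    # peer B announces it, but transit path wins
}
PEER_ANNOUNCED = {
    "Gi0/1": ["192.0.2.0/24"],
    "Gi0/2": ["198.51.100.0/24", "203.0.113.0/24"],
}

def lookup(rib, src):
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in rib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_loose(src, ingress):
    """'reachable-via any': accept if any route to the source exists at all."""
    return lookup(GLOBAL_RIB, src) is not None

def urpf_strict(src, ingress):
    """'reachable-via rx': accept only if the best path back is via ingress."""
    return lookup(GLOBAL_RIB, src) == ingress

def urpf_strict_per_peer_vrf(src, ingress):
    """Strict check against a vrf holding only this peer's own announcements."""
    vrf = {p: ingress for p in PEER_ANNOUNCED.get(ingress, [])}
    return lookup(vrf, src) == ingress

def check(src, ingress):
    """Return (loose, strict, per-peer-vrf) verdicts for one packet."""
    return (urpf_loose(src, ingress), urpf_strict(src, ingress),
            urpf_strict_per_peer_vrf(src, ingress))

if __name__ == "__main__":
    for src, ingress in [("192.0.2.10", "Gi0/2"),   # peer A space arriving via B
                         ("203.0.113.5", "Gi0/2"),  # legit, but best path is transit
                         ("10.0.0.1", "Gi0/2")]:    # not in the table at all
        print(src, ingress, "loose/strict/vrf:", check(src, ingress))
```

Loose mode only rejects the unrouted source; strict mode also rejects the legitimate asymmetric case, which the per-peer vrf check accepts because that peer did announce the prefix.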
