It's not feasible to filter packets on customer gateway routers. When you impose a packet filter on a GW router customer interface, all packets destined to that customer have to be matched to an access-list and then forwarded down the pipe or dropped. This increases the load on the router CPU, because it is used to switching the packets. Now you have to analyze each packet which takes up CPU time.
This is not a nice thing to do to a router, especially while the router is trying to keep up with 50 other customers... And if more than 1 customer wants this type of service, you start really feeling the load.
It isn't, or shouldn't be, an issue of whether the customer wants this kind of service. This is protection FROM that customer. The principal reason to not do this is the load it causes on the router. Should it be discovered that source forged packets are coming from a given customer, then you could apply this to that customer if they are not going to just be summarily cut off. Perhaps, in time, security demands may require doing more of this. Or they may require more kinds of traceability of where the bad packets are coming from (also costly).

--
Phil Howard KA9WGN   +-------------------------------------------------------+
Linux Consultant     |  Linux installation, configuration, administration,   |
Milepost Services    |  monitoring, maintenance, and diagnostic services.    |
phil at milepost.com +-------------------------------------------------------+