The reverse-path check is best applied at the CPE router or the access router, not in your backbone. If you end up with asymmetric routing (a common occurrence these days) there may not be a reverse path for that packet you just got from your neighbor and (plop) a valid packet (or thousand) get dropped when they should not have been. I also don't think it's such a hot idea to be universally filtering "n.n.n.255" without explicit prior knowledge of the netmask of the network involved. Apple Computer, for example, used a 14 bit subnet mask on net 17 and we used every address in the 10-bit host space that was available to use with that scheme, including the three where the last octet is 255. Make certain that all your customers know that you're doing this - otherwise they may be puzzling over why connectivity works from every address in their net number, except for one or two... Erik <fair@clock.org>