On 2/5/14, 1:24 PM, Jay Ashworth wrote:
----- Original Message -----
From: "Octavio Alvarez" <alvarezp@alvarezp.ods.org>
Maybe I'm oversimplifying things but I'm really curious to know why can't the nearest-to-end-user ACL-enabled router simply have an ACL to only allows packets from end-users that has a valid source-address from the network segment they provide service to.
The common answer, Octavio, at least *used to* be "our line cards aren't smart enough to implement strict-unicast-RPF, and our boxes don't have enough horsepower to handle every packet through the CPU".
As I've noted, I'm not sure I believe that's true of current generation gear, and if it *is*, then it should cost manufacturers business.
There are boxes that haven't aged out of the network yet where that's an issue, some are more datacenter-centric than others. force10 e1200 was one platform that had this limitation for example.
Cheers, -- jra