Everyone probably knows... But if not -- just a reminder that you can also add access-list number after 'ip verify unicast reverse-path' to allow any hosts you think that should be able to get allowed through the filter :-) It's convenient when you are doing some mobileIP+vpn stuff in which some type of setup breaks when there is egress filtering. Multihomed customers should use uRPF at their Ethernet/local interface as egress filter... Using uRPF as ingress filter at ISP connections (such as Serial3/0, Pos2/0, whatever connects to your ISP's) when you are doing BGP can be quite a nightmare.. :-D So I guess they would have to use plain-old manual access-list at their ISP-connection interfaces for ingress filtering. i.e.. ! int Gig2/0 des backbone connection, egress ip add 192.0.2.21 255.255.255.252 ip ver unicas reverse-path 180 ! int Pos3/0 des OC-3 from XXX ISP, ingress ip add 199.99.99.99 255.255.255.252 ip access 101 i ! ! acc 101 remark plain-old regular ingress filter for multihomed networks acc 101 den ip $my_network an acc 101 den ip 10.0.0.0 0.255.255.255 an acc 101 den ip 172.16.0.0 0.15.255.255 an acc 101 den ip 192.168.0.0 0.0.255.255 an acc 101 per ip an an acc 180 remark exceptions to egress filtering acc 180 per ip host 199.59.9.110 an ! ! -hc Chris Adams wrote:
Once upon a time, John Kristoff <jtk@aharp.is-net.depaul.edu> said:
It might be nice if all router vendors were able to associate the interface configured address(es)/nets as a variable for ingress filters. So for in the Cisco world, a simple example would be:
interface Serial0 ip address 192.0.2.1 255.255.255.128 ip access-group 100 in ! interface Serial1 ip address 192.0.2.129 255.255.255.128 ip access-group 100 in ! access-list 100 permit ip $interface-routes any access-list 100 deny ip any any
How is this different than "ip verify unicast reverse-path" (modulo CEF problems and bugs, which of course NEVER happen :-) )?
Multihomed customers are more interesting, but if all the single homed customers had uRPF (or $VENDOR's equivalent) enabled it would cut down on a significant amount of the spoofed traffic.