--On Monday, November 04, 2002 19:22:14 -0500 bdragon@gweep.net wrote:

> So, in this vein, is there gear other than old 12000 linecards that can't do RPF? Is anyone still using 2500's or 4500's?
> What non-hardware reasons are there not to do some flavor of rpf? Is there a situation where even loose rpf will not work?

SUNET has had a standing recommendation to its customers to enable RPF for a couple of years now. Our customers come in two flavours, big and small.

The small ones get a FE, and there typically is marginal clue at the customer site. For them we do "the long command" (ip verify unicast reverse-path), as it has been known, in the access router, which in the weird scale of a REN is a 12016 or a 12010 chock full with 8-port FE cards. It keeps up with the load, and we've not seen any trouble so far.

The big customers are more interesting. They have redundant connections, two 10720 routers on an OC48 SRP ring facing the backbone routers for that city which are two 12408 or similar. There also is an AS transition on the ring; nearly all our big customers have ASen and we speak BGP to them. This setup of course means that traffic may enter via one of the routers and exit via the other, leading to strangeness and confusion, especially when the customer staff is less experienced in non-trivial routing. In some cases we've helped them solve this by simple access lists, but that is a bit too static to be really nice.

--
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.
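
The strict versus loose RPF question in this thread, as an added example that is not part of the original message: a simplified Python model of the check on two routers facing one dual-homed customer, where traffic enters via one router and returns via the other. Prefixes, interface names and FIB contents are constructed assumptions, and treating a default-route-only match as a failure unless explicitly allowed is a modelling choice.

```python
import ipaddress

# Constructed FIBs (documentation prefixes, hypothetical interface names).
# Router A reaches the customer over its own link; router B's best path to
# the same prefix points across the ring towards A (asymmetric return path).
CUSTOMER = "198.51.100.0/24"
OTHER_ROUTED = "203.0.113.0/24"   # some other network reachable via the backbone
FIB_A = [("0.0.0.0/0", "backbone0"), (OTHER_ROUTED, "backbone0"), (CUSTOMER, "cust0")]
FIB_B = [("0.0.0.0/0", "backbone0"), (OTHER_ROUTED, "backbone0"), (CUSTOMER, "ring0")]

def lookup(fib, addr):
    """Longest-prefix match: return (network, egress interface) or None."""
    ip = ipaddress.ip_address(addr)
    nets = [(ipaddress.ip_network(p), ifc) for p, ifc in fib]
    hits = [(n, ifc) for n, ifc in nets if ip in n]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def urpf(fib, src, in_ifc, mode="strict", allow_default=False):
    """Return True if a packet with source `src` arriving on `in_ifc` passes."""
    route = lookup(fib, src)
    if route is None:
        return False
    net, ifc = route
    if net.prefixlen == 0 and not allow_default:
        return False              # only the default route covers this source
    if mode == "loose":
        return True               # any specific route to the source is enough
    return ifc == in_ifc          # strict: best return path must be the ingress

def scenarios():
    """Verdicts for the cases discussed: (description, strict, loose)."""
    cases = [
        ("A: customer source on cust0", FIB_A, "198.51.100.10"),
        ("B: customer source on cust0 (return path via ring)", FIB_B, "198.51.100.10"),
        ("A: spoofed but routed source on cust0", FIB_A, "203.0.113.9"),
        ("A: unrouted source on cust0", FIB_A, "192.0.2.1"),
    ]
    return [(d, urpf(f, s, "cust0"), urpf(f, s, "cust0", mode="loose"))
            for d, f, s in cases]

if __name__ == "__main__":
    for desc, strict, loose in scenarios():
        print(f"{desc:55} strict={'pass' if strict else 'drop'} "
              f"loose={'pass' if loose else 'drop'}")
```

In this model strict mode drops the customer's legitimate traffic on router B, while loose mode accepts it but also accepts a spoofed source that is routed anywhere, so it only filters unrouted space.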