----- Original Message -----
From: "Octavio Alvarez" <alvarezp@alvarezp.ods.org>
Maybe I'm oversimplifying things but I'm really curious to know why can't the nearest-to-end-user ACL-enabled router simply have an ACL to only allows packets from end-users that has a valid source-address from the network segment they provide service to.
The common answer, Octavio, at least *used to* be "our line cards aren't smart enough to implement strict-unicast-RPF, and our boxes don't have enough horsepower to handle every packet through the CPU". As I've noted, I'm not sure I believe that's true of current generation gear, and if it *is*, then it should cost manufacturers business. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274