At 02:49 PM 9/28/2000 +0100, James A. T. Rice wrote:
> ip verify unicast reverse-exists
>
> i.e. only accept the packet on this interface if there is a route back to the source, *not necessarily on the same interface*. This should be safe to use on all interfaces and could use the existing CEF FIB, and might catch a lot of spoofed packets on a good day.

That would only stop Bogons on most core routers (full tables, right?).

> ip verify unicast destination-advertised
>
> This would check the destination address on any packet coming into an interface, and drop it if a route to that destination WASN'T advertised out of that interface - /ideal/ for NAPs & IXs. Couldn't use the existing CEF tables, Cisco would need to write an advertised-table for each interface. Again this should be safe to use on almost any interface.

Hrmmm.... That would be nice.... But there are other ways to do this. They may or may not be useful / applicable in your environment, but it can be done without this feature.

> James
TTFN, patrick
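As an added illustration of the two checks James describes (not code from the thread, and not how Cisco implements anything), here is a small Python model: a loose source check against a FIB, and a per-interface destination check against what was advertised out of that interface. The router, prefixes and interface names are constructed; it assumes a default route does not satisfy the source check.

```python
import ipaddress

# Constructed router at an exchange point: FIB and advertised tables are hand-built.
class Router:
    def __init__(self):
        self.fib = {}          # prefix -> interface the route points out of
        self.advertised = {}   # interface -> prefixes announced out of it

    def add_route(self, prefix, iface):
        self.fib[ipaddress.ip_network(prefix)] = iface

    def advertise(self, iface, prefix):
        self.advertised.setdefault(iface, set()).add(ipaddress.ip_network(prefix))

    def lookup(self, addr):
        """Longest-prefix match in the FIB; returns (prefix, iface) or None."""
        a = ipaddress.ip_address(addr)
        hits = [(n, i) for n, i in self.fib.items() if a in n]
        return max(hits, key=lambda h: h[0].prefixlen) if hits else None

    def reverse_exists(self, src):
        """Proposed 'reverse-exists': any FIB route back to the source, on any
        interface, is enough. Assumption: a default route does not count,
        otherwise every source address would pass."""
        hit = self.lookup(src)
        return hit is not None and hit[0].prefixlen > 0

    def destination_advertised(self, iface, dst):
        """Proposed 'destination-advertised': the destination must fall inside
        a prefix this router announced out of the receiving interface."""
        a = ipaddress.ip_address(dst)
        return any(a in n for n in self.advertised.get(iface, ()))

    def accept(self, iface, src, dst):
        return self.reverse_exists(src) and self.destination_advertised(iface, dst)


def build_ix_router():
    r = Router()
    r.add_route("0.0.0.0/0", "upstream0")    # default route via transit
    r.add_route("10.0.0.0/8", "cust0")       # our customer
    r.add_route("192.0.2.0/24", "ix0")       # peer A on one exchange port
    r.add_route("198.51.100.0/24", "ix1")    # peer B on another exchange port
    r.advertise("ix0", "10.0.0.0/8")         # peers only hear the customer prefix
    r.advertise("ix1", "10.0.0.0/8")
    return r

if __name__ == "__main__":
    r = build_ix_router()
    # peer A to our customer is accepted; peer A trying to transit to peer B is not
    print(r.accept("ix0", "192.0.2.7", "10.1.1.1"), r.accept("ix0", "192.0.2.7", "198.51.100.9"))
```

A source that is routed out a different interface still passes the loose check, while a source covered only by the default route is dropped, which is the "full tables" caveat in the reply above.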