The reverse-path check is best applied at the CPE router or the access router, not in your backbone. If you end up with asymmetric routing (a common occurrence these days) there may not be a reverse path for that packet you just got from your neighbor and (plop) a valid packet (or thousand) get dropped when they should not have been.
The assymetric routing I've seen is generally outside of our network, e.g. BGP inconsistency where our traffic to www.otherisp.com goes one way and their traffic to us comes in another. Even then we do have BOTH routes to them most of the time, using only a preferred one. But within our own network, I strive to make sure there are no asymmetric routes anywhere.
I also don't think it's such a hot idea to be universally filtering "n.n.n.255" without explicit prior knowledge of the netmask of the network involved. Apple Computer, for example, used a 14 bit subnet mask on net 17 and we used every address in the 10-bit host space that was available to use with that scheme, including the three where the last octet is 255. Make certain that all your customers know that you're doing this - otherwise they may be puzzling over why connectivity works from every address in their net number, except for one or two...
We filter n.n.n.255 on incoming only, not on outgoing. That's safe for us to do because none of our subnets are larger than /24. We have only one customer with more than a /24 and their network is all subnetted with lots of smaller than /26 anyway. All space allocations to customers go through me and I will be checking out anything larger than /24 for certain reasons other than n.n.n.255. -- -- *-----------------------------* Phil Howard KA9WGN * -- -- | Inturnet, Inc. | Director of Internet Services | -- -- | Business Internet Solutions | eng at intur.net | -- -- *-----------------------------* philh at intur.net * --