On 31/01/2013 13:48, Job Snijders wrote: > Hi, > > On Jan 31, 2013, at 4:37 PM, Andy Davidson <[email protected]> wrote: > >> Jon Morby wrote: >>> The problem is that BCP38 assumes that the ISP does some configuration >>> to ensure only properly sourced packets enter their network, which >>> doesn't really work unless you have a perfectly symmetrical network >>> Š. and not many ISPs do >> >> Asymmetric routing via your non-customer peers and transit partners does >> not mean you can't apply Strict uRPF facing your customers (in fact you >> should do so.)
+1 > > Unfortunately there still are many devices which don't have useful uRPF, > support, for instance on a Brocade XMR or MLX you can't enable it on > virtual ethernet interfaces (kinda like cisco BVI int's). > > telnet@modern-bro(config)#interface ve 1000 > telnet@modern-bro(config-vif-1000)#rpf-mode strict > Invalid input -> rpf-mode strict > Type ? for a list > telnet@modern-bro(config-vif-1000)#rpf-mode loose > Invalid input -> rpf-mode loose > Type ? for a list > telnet@modern-bro(config-vif-1000)# !FUUUUUU!!!!! > > - Job > What about a simple and nice ACL facing your coustomer? Cheers, as
