[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Managing ACL exceptions (was Re: Filter NTP traffic by packet size?)

Subject: Managing ACL exceptions (was Re: Filter NTP traffic by packet size?)
From: no.spam at comcast.net (Keegan Holley)
Date: Fri, 28 Feb 2014 21:14:28 -0500
In-reply-to: <CAL9jLaZpx1SmJCUWj9Y3q=29KMb4xgzWi-p-8OOm57nR8FxR9Q@mail.gmail.com>
References: <[email protected]> <[email protected]> <CALFTrnPOLqJqLCaWQERpCVZV2jDAFfHMwhBbUUTNiFNA2hnWQw@mail.gmail.com> <CAL9jLaZpx1SmJCUWj9Y3q=29KMb4xgzWi-p-8OOm57nR8FxR9Q@mail.gmail.com>

+1 in my experience uRPF get?s enabled, breaks something or causes confusion (usually related to multi-homing) and then get?s disabled.

On Feb 28, 2014, at 11:49 AM, Christopher Morrow <morrowc.lists at gmail.com> wrote:

> On Fri, Feb 28, 2014 at 9:02 AM, Ray Soucy <rps at maine.edu> wrote:
>> If you have uRPF enabled on all your access routers then you can
>> configure routing policy such that advertising a route for a specific
>> host system will trigger uRPF to drop the traffic at the first hop, in
>> hardware.
> 
> note that 'in hardware' is dependent upon the model used...
> note that stuffing 2k (or 5 or 10 or...) extra routes into your edge
> device could make it super unhappy.
> 
> your points are valid for your designed network... they may not work everywhere.
> making the features you point out work better or be more widely known
> seems like a great idea though :)

Follow-Ups:
- Managing ACL exceptions (was Re: Filter NTP traffic by packet size?)
  - From: rdobbins at arbor.net (Dobbins, Roland)

Next by Date: Are DomainKeys for e-mail signing dead?
Next by thread: Managing ACL exceptions (was Re: Filter NTP traffic by packet size?)
Index(es):
- Date
- Thread