Where is the edge of the Internet? Re: no ip forged-source-address

bdragon at gweep.net bdragon at gweep.net
Thu Nov 7 19:55:47 UTC 2002

> Ok, so I'll respond to one more of the messages I missed yesterday.
> On Mon, 4 Nov 2002, Matt Buford wrote:
> > On Mon, 4 Nov 2002 sean at donelan.com wrote:
> > > The only equipment I'm heard here which has serious issues related to
> > > feature availability is the 12000 (which was never a particularly good
> > > aggregation device to begin with). RPF works fine on 7200, 7500, and
> > > 6500, from my experience. I've not used 12000's for customer aggregation
> > > since they historically haven't been designed for or adequate in that
> > > respect.

The above was actually me, not Sean, iirc.

> Alot of large providers have 'all 12000' or 'alot of 12000' devices, so
> this is a hint at the problem :( Most large, where large == continental,
> providers  don't have very many 7200/6500 gear in their network.

Someone else just mentioned running RPF on 12000 without issue, except
for SRP rings. I can't confirm that myself, as we avoided using 12000
for customer aggregation due to their poor performance in that arena.

RPF on ubr7200, 7200vxr, 7500, and 6500 all seem to work fine.

> Keep in mind that sometimes what platform you choose 12 months ago you may
> get stuck with in a longer term than originally anticipated. That platform
> may have been chosen because it was the only viable platform at the
> initial buy time :(

Definately understandable.

> > > As such, I can understand providers not being able to apply RPF
> > immediately
> > > on 12000's, at least unless they are acquiring E3 cards for new installs.
> >

> Wow, by E3 I assume you mean: Engine 3... This is a VERY BAD PLAN, if my
> experience with them is anything to judge from. Both E2 and E3 cards have
> some serious limitations when it comes to access lists and uRPF. For
> instance, I've been in config mode where:
> int blah1/0.123
> ip access<tab>
> yields nothing... in other words, 'ip access-group 123 out' is not even in
> the valid config for these cards :( even more depressing is the hope that
> it'll work and the unfortunate reality that it'll apply to the interface
> and never access list any traffic at all :(

Yes, I meant Engine 3, which are the ISE cards. I don't yet have any, but
I'ld be surprised if they don't support acls on subints. Perhaps you meant
E1 and E2? Even if they don't support acls, I'ld be surprised if they
didn't support RPF.

> >From what I've heard, I haven't yet tested these, the E4+ cards are
> supposed to answer alot of the existing acl issues. One thing to keep in
> mind is that your FIB is limited to ~225k prefixes if you want to use PSA
> acls (hardware acls)on a 12000... Supposedly, if you remove PSA acl
> functionality you can punt the acl work to the linecard CPU, in reality
> the punting never happens and the traffic isn't acl'd :(

Interesting, but shouldn't affect RPF, correct?


More information about the NANOG mailing list