I would prefer to. For quite a while ago people did ingress spoof acls by hand (or by script) - those that did them at all. Once urpf came along people kind of stopped doing that because the way urpf is implemented is that it's automatic. Still doesn't mean the whole world uses urpf or even spoof acls in 2009 but those that use them tend to believe that they're effective. Similarly iACLs protect your network if you bother to implement them. Why wouldn't I want to filter on labels if I had the choice? IF implemented properly it should be one more option under the interface config and that's that.
The other side reloading their box isn't a problem as I'd filter on ingress ;-) Kaj > From: Daniel Holme <[email protected]> > Date: Thu, 10 Sep 2009 01:59:38 -0700 > To: Kaj Niemi <[email protected]> > Cc: <[email protected]>, Francisco <[email protected]>, > <[email protected]>, Jo Knight <[email protected]>, Bryan Bartik > <[email protected]> > Subject: RE: [OSL | CCIE_SP] Inter-AS VPN Option B and send-label > > Would you perform label filtering from a foreign AS with which you were > doing inter-AS VPN option B. > > What if they reloaded their box and changed all their labels?
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
