On Thu, Oct 15, 2020 at 10:30 AM Saku Ytti <s...@ytti.fi> wrote: > On Thu, 15 Oct 2020 at 17:22, Tim Durack <tdur...@gmail.com> wrote: > > > > We deploy urpf strict on all customer end-host and broadband circuits. > In this scenario urpf = ingress acl I don't have to think about. > > But you have to think about what prefixes a customer has. If BGP you > need to generate prefix-list, if static you need to generate a static > route. As you already have to know and manage this information, what > is the incremental cost to also emit an ACL? > > -- > ++ytti >
"You might argue that ingress packet acl would be operationally simpler on customer and upstream, as you could cover all scenarios." Although for a static customer urpf is hard to beat... -- Tim:>
