[NCLUG] Egress Filtering

John L. Bass jbass at dmsd.com
Wed Aug 15 00:19:27 MDT 2001


	and I still claim that if you are already applying an access list to that
	interface, adding these 3 lines to the top of your list won't break your
	router or be the root cause of any trouble that router might be having.

	 -- mike cullerton

This is certainly not true of ATM gear I was programming several years back,
where for each ATM frame the IP context isn't even visible.

On high speed interfaces, it's likely that ACLs are implemented based upon
source/destination ports and/or ASNs without looking at the IP headers, through
careful construction of each incoming port's forwarding table. The only places
where full IP packets are assembled and evaluated are the edge routers for the
cloud, and exception routers at the switch when a new destination port ID for
the cloud is encountered.

For the ATM edge router I was working with, its supporting switch was programmed
to implement ACLs by hard mapping an incoming port's forwarding table. The port
forwarding table entry was flagged as "discard" for all destination port IDs the
incoming port was not allowed to source packets for.

John
