Egress filters dropping traffic


Under what scenarios do providers install egress ACLs which could say, for example:

1. Allow all IP traffic out on an interface foo if it's coming from source
IP x.x.x.x/y
2. Drop all other IP traffic out on this interface.


I usually do ingress ACLs on CE-facing PE interfaces; that way I can provide one level of anti-spoofing on IPs "I control". I've not had the need for an egress ACL yet, but then again I think it depends on network design and habits from day 1.

One use case, though, may be to mitigate a DDoS attack on a customer-facing link.

If you're an end node, it's BCP to block ingress from your own IP space,
and block egress NOT from your IP space.

If you're doing transit, it gets more complicated.


The question seems to be 'when do you need to drop packets'; I'm sure 10
different people would give 10 different use-cases.

One use-case for this particular ACL is that the interface is used for MGMT
only, so you allow the NMS network and drop everything else.
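The three ACL shapes that come up in this thread (the source-based egress filter from the question, the end-node BCP38 ingress/egress pair from the second reply, and the management-only interface from the last reply) all reduce to the same first-match permit/deny walk with an implicit deny at the end. The following is an added example, not code from any of the posters: a small Python model of that walk, run over constructed packets so the decisions can be compared side by side. The prefixes (203.0.113.0/24 as the space "I control", 192.0.2.0/28 as the NMS network) and the sample addresses are assumptions taken from RFC 5737 documentation space.

```python
"""First-match ACL model for the filters discussed in this thread.

Constructed example, not from the original posts: it lets the three ACL
shapes under discussion be applied to sample packets so the decisions can be
compared. All prefixes and addresses are made up (RFC 5737 documentation space).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One access-control entry; the first entry that matches decides."""
    action: str                  # "permit" or "deny"
    src: IPv4Network = ANY       # source prefix the packet must fall in
    dst: IPv4Network = ANY       # destination prefix the packet must fall in

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return ip_address(src_ip) in self.src and ip_address(dst_ip) in self.dst


def evaluate(acl: list, src_ip: str, dst_ip: str) -> str:
    """Walk the ACL top to bottom; fall through to the implicit deny."""
    for ace in acl:
        if ace.matches(src_ip, dst_ip):
            return ace.action
    return "deny"   # implicit deny at the end of every ACL, as on a router


# Assumed prefixes for the example.
CUSTOMER = ip_network("203.0.113.0/24")   # the space "I control" behind interface foo
NMS = ip_network("192.0.2.0/28")          # management stations that may reach the box

# 1. The ACL from the question, applied egress on interface foo:
#    permit only packets sourced from x.x.x.x/y (here CUSTOMER), drop the rest.
FOO_EGRESS = [Ace("permit", src=CUSTOMER), Ace("deny")]

# 2. End-node BCP38 filtering from the second reply:
#    ingress drops packets that claim our own space as source (spoofed),
#    egress drops packets whose source is NOT our space (we would be the spoofer).
END_NODE_INGRESS = [Ace("deny", src=CUSTOMER), Ace("permit")]
END_NODE_EGRESS = [Ace("permit", src=CUSTOMER), Ace("deny")]   # same shape as FOO_EGRESS

# 3. Management-only interface from the third reply: permit the NMS network,
#    drop everything else.
MGMT_EGRESS = [Ace("permit", src=NMS), Ace("deny")]

# Constructed sample packets: (label, acl, src, dst).
SAMPLES = [
    ("foo egress, own source",        FOO_EGRESS,       "203.0.113.10", "198.51.100.1"),
    ("foo egress, foreign source",    FOO_EGRESS,       "10.0.0.5",     "198.51.100.1"),
    ("ingress, spoofed own space",    END_NODE_INGRESS, "203.0.113.7",  "203.0.113.1"),
    ("ingress, legitimate outside",   END_NODE_INGRESS, "198.51.100.9", "203.0.113.1"),
    ("egress, leaked RFC1918 source", END_NODE_EGRESS,  "10.0.0.5",     "198.51.100.1"),
    ("mgmt egress, NMS station",      MGMT_EGRESS,      "192.0.2.5",    "192.0.2.100"),
    ("mgmt egress, outside the /28",  MGMT_EGRESS,      "192.0.2.20",   "192.0.2.100"),
]


def decisions() -> dict:
    """Map each sample label to the ACL decision it gets."""
    return {label: evaluate(acl, s, d) for label, acl, s, d in SAMPLES}


if __name__ == "__main__":
    for label, action in decisions().items():
        print(f"{action:6}  {label}")
```

Running it shows that the question's ACL and the egress half of the BCP38 pair are literally the same entry list; the only thing that changes between the use cases is which prefix is trusted and on which side of the interface the filter sits. The empty-ACL case falls through to the implicit deny, which is the behaviour that bites when an entry is mistyped on a live box.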