Guidelines For Configuring Unicast Rpf On Acx Series Routers - Juniper ACX1000 Configuration Manual

Guidelines for Configuring Unicast RPF on ACX Series Routers

Copyright © 2017, Juniper Networks, Inc.
Observe the following guidelines while configuring unicast RPF on ACX Series routers:
Support for physical interfaces impacts inet families only.
The RPF check to be used when routing is asymmetrical is not supported because the
unicast-reverse-path (active-paths | feasible-paths)
routing-instances routing-instance-name instance-type name routing-options
hierarchy level is not supported.
forwarding-table]
Even if uRPF checking is enabled, the reverse path checking is not performed if the
following conditions apply:
The destination IP address is not a unicast address. This applies for both IPV4 and
IPV6 packets.
The source IP address is IPV6 and the address is a link local address (FE80::/10)
The received packet is a BOOTP/DHCP packet (SIP=0.0.0.0 and
DIP=255.255.255.255)
If you enable/disable unicast RPF on live traffic, some packets are dropped while the
packet forwarding components are updating. This behavior occurs because route
reinstallation is initiated while you enable or disable uRPF.
uRPF is supported at the logical interface level. Due to hardware limitations, support
is available only at the logical interface level.
Strict mode on ECMP routes is not supported in ACX. This condition occurs because
the hardware treats ECMP routes as Loose Mode although the port is configured as
Strict mode. Because ECMP uses multiple physical paths for the route the reverse path
check results in utilizing many paths (routes) and the source port validation method
is not used in case of Strict mode. As a result, such a network scenario operates in the
same manner as loose mode.
When the strict mode is enabled on the interface, if the packet is coming with an SIP
address which ARP resolution is pending will be dropped as it points to RESOLVE_NH.
uRPF fail filter can be configured for family <inet | inet6> in ACX.
NOTE: The uRPF fail filter cannot match packets failed at ingress port
check (strict mode).
The uRPF fail filter can match packets failing source IP lookup but cannot
match packets failing the input interface check (strict mode).
The uRPF fail filter applies only to interface-specific instances of the firewall
filter.
The uRPF fail filters do not support
uRPF can be configured for family <inet | inet6> on IRB interfaces in ACX.
Chapter 25: Configuring Layer 2 and Layer 3 Services
statement at the
reject and routing-instance
[edit
actions.
803