Configuring Unicast Rpf On Acx Series Routers - Juniper ACX1000 Configuration Manual

ACX Series Universal Access Router Configuration Guide
Related
Documentation

Configuring Unicast RPF on ACX Series Routers

804
uRPF implementation in ACX does not consider all feasible paths for reverse path
verification and only active path based verification is supported.
uRPF failure packets statistics are not supported in ACX.
You can use either the
show interfaces extensive
command to verify that unicast RPF is enabled and working on the interface. In the
section of the output, if unicast reverse-path forwarding (RPF) is explicitly
Flags
configured on the specified interface, the uRPF flag is displayed. If unicast RPF was
configured on a different interface (and therefore is enabled on all switch interfaces)
but was not explicitly configured on the specified interface, the uRPF flag is not
displayed even though unicast RPF is enabled.
The uRPF detail in the Flags
commands is displayed only for logical interfaces on which uRPF is
extensive)
configured. Otherwise, this information is not shown.
IP spoofing can occur during a denial-of-service (DoS) attack. IP spoofing allows an
intruder to pass IP packets to a destination as genuine traffic, when in fact the packets
are not actually meant for the destination. This type of spoofing is harmful because it
consumes the destination's resources.
A unicast reverse-path-forwarding (RPF) check is a tool to reduce forwarding of IP packets
that might be spoofing an address. A unicast RPF check performs a route table lookup
on an IP packet's source address, and checks the incoming interface. The router or switch
determines whether the packet is arriving from a path that the sender would use to reach
the destination. If the packet is from a valid path, the router or switch forwards the packet
to the destination address. If it is not from a valid path, the router or switch discards the
packet. Unicast RPF is supported for the IPv4 and IPv6 protocol families, as well as for
the virtual private network (VPN) address family.
NOTE: If you want to configure unicast RPF, your router must be equipped
with the Internet Processor II application-specific integrated circuit (ASIC).
If you enable unicast RPF on live traffic, some packets are dropped while the
packet forwarding components are updating.
For transit packets exiting the router through the tunnel, forwarding path
features, such as RPF, forwarding table filtering, source class usage, and
destination class usage are not supported on the interfaces you configure as
the output interface for tunnel traffic. For firewall filtering, you must allow
the output tunnel packets through the firewall filter applied to input traffic
on the interface that is the next-hop interface towards the tunnel destination.
command or the
section of the output of the
Copyright © 2017, Juniper Networks, Inc.
show interfaces detail
show interfaces (detail |