Understanding Unicast RPF for J-EX Series Switches - Dell PowerConnect J-EX4200-24T Software Manual

Dell PowerConnect J-Series Ethernet Switch Complete Software Guide for Junos OS

Understanding Unicast RPF for J-EX Series Switches

Unicast reverse-path forwarding (RPF) helps protect the switch against denial-of-service
(DoS) and distributed denial-of-service (DDoS) attacks by verifying the unicast source
address of each packet that arrives on an ingress interface where unicast RPF is enabled.
It also helps ensure that traffic arriving on ingress interfaces comes from a network source
that the receiving interface can reach.

When you enable unicast RPF, the switch forwards a packet only if the receiving interface
is the best return path to the packet's unicast source address. This is known as strict
mode unicast RPF.

NOTE: On J-EX4200 Ethernet Switches, the switch applies unicast RPF
globally to all interfaces when unicast RPF is configured on any interface. For
additional information, see "Limitations of the Unicast RPF Implementation
on J-EX4200 Switches".

This topic covers:
Unicast RPF for J-EX Series Switches Overview
Unicast RPF Implementation for J-EX Series Switches
When to Enable Unicast RPF
When Not to Enable Unicast RPF
Limitations of the Unicast RPF Implementation on J-EX4200 Switches

Unicast RPF for J-EX Series Switches Overview

Unicast RPF functions as an ingress filter that reduces the forwarding of IP packets that
might be spoofing an address. By default, unicast RPF is disabled on the switch interfaces.
The type of unicast RPF provided on the switches (that is, strict mode unicast RPF) is
especially useful on untrusted interfaces. An untrusted interface is an interface where
untrusted users or processes can place packets on the network segment.

The switch supports only the active paths method of determining the best return path
back to a unicast source address. The active paths method looks up the best reverse
path entry in the forwarding table. It does not consider alternate routes specified using
routing-protocol-specific methods when determining the best return path.

If the forwarding table lists the receiving interface as the interface to use to forward the
packet back to its unicast source, it is the best return path interface. Strict mode unicast
RPF recognizes only one best return path to a unicast source address.

Use strict mode unicast RPF only on symmetrically routed interfaces. (For information
about symmetrically routed interfaces, see "When to Enable Unicast RPF".)

For more information about strict unicast RPF, see RFC 3704, Ingress Filtering for
Multihomed Networks, at http://www.ietf.org/rfc/rfc3704.txt.
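
The strict-mode decision described above, modeled in Python as an added example (not code from the Dell or Junos documentation). The forwarding table, the Junos-style interface names, and the packets are constructed, and a source with no matching route is assumed to be dropped; the third packet shows why strict mode belongs only on symmetrically routed interfaces.

```python
import ipaddress

# Constructed forwarding table: (prefix, interface of the active route).
# Only active paths appear here; alternate routes are not considered.
FIB = [
    ("192.0.2.0/24", "ge-0/0/1"),        # customer A, single-homed
    ("198.51.100.0/24", "ge-0/0/2"),     # customer B, active path
    ("198.51.100.128/25", "ge-0/0/3"),   # more specific route for half of B
]
TABLE = [(ipaddress.ip_network(p), ifname) for p, ifname in FIB]


def best_return_interface(src):
    """Longest-prefix match on the source address, as for a destination lookup.

    Returns the single best return interface, or None if no route matches.
    """
    addr = ipaddress.ip_address(src)
    matches = [(net, ifname) for net, ifname in TABLE if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def strict_urpf(src, ingress):
    """Forward only if the ingress interface is the best return path to src.

    Assumption: a source with no matching route has no return path and is dropped.
    """
    return "forward" if best_return_interface(src) == ingress else "drop"


# Constructed packets: (source address, ingress interface, note).
PACKETS = [
    ("192.0.2.10", "ge-0/0/1", "customer A from its own port"),
    ("198.51.100.7", "ge-0/0/1", "customer B source seen on customer A port"),
    ("198.51.100.200", "ge-0/0/2", "asymmetric: active route is ge-0/0/3"),
    ("203.0.113.5", "ge-0/0/1", "no route back to this source"),
]

if __name__ == "__main__":
    for src, ingress, note in PACKETS:
        print(f"{strict_urpf(src, ingress):7} {src:15} in {ingress}  # {note}")
```

The third packet has a legitimate source address and is still dropped, because the check compares against one best return interface rather than any feasible one.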
