Dell PowerConnect J-EX4200-24T Software Manual page 973

J series; j-ex series

Chapter 51: Examples: Interfaces Configuration

Overview and Topology

Large amounts of unauthorized traffic such as attempts to flood a network with fake
(bogus) service requests in a denial-of-service (DoS) attack can consume network
resources and deny service to legitimate users. One way to help prevent DoS and
distributed denial-of-service (DDoS) attacks is to verify that incoming traffic originates
from legitimate network sources.

Unicast RPF helps ensure that a traffic source is legitimate (authorized) by comparing
the source address of each packet that arrives on an interface to the forwarding-table
entry for its source address. If the switch uses the same interface that the packet arrived
on to reply to the packet's source, this verifies that the packet originated from an
authorized source, and the switch forwards the packet. If the switch does not use the
same interface that the packet arrived on to reply to the packet's source, the packet
might have originated from an unauthorized source, and the switch discards the packet.

This example uses two J-EX8200 switches. On J-EX4200 switches, you cannot configure
individual interfaces for unicast RPF. On J-EX4200 switches, the switch applies unicast
RPF globally to all interfaces on the switch. See "Understanding Unicast RPF for J-EX
Series Switches" on page 872 for more information on limitations regarding the
configuration of unicast RPF on J-EX4200 switches.

In this example, an enterprise network's system administrator wants to protect Switch
A against potential DoS and DDoS attacks from the Internet. The administrator configures
unicast RPF on interface ge-1/0/10 on Switch A. Packets arriving on interface ge-1/0/10
on Switch A from the Switch B source also use incoming interface ge-1/0/10 as the best
return path to send packets back to the source.

The topology of this configuration example uses two J-EX8200 switches, Switch A and
Switch B, connected by symmetrically routed interfaces:

Switch A is on the edge of an enterprise network. The interface ge-1/0/10 on Switch A
connects to the interface ge-1/0/5 on Switch B.

Switch B is on the edge of the service provider network that connects the enterprise
network to the Internet.

Configuration

To enable unicast RPF, perform these tasks:

CLI Quick Configuration

To quickly configure unicast RPF on Switch A, copy the following command and paste
it into the switch terminal window:

[edit interfaces]
set ge-1/0/10 unit 0 family inet rpf-check
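
The forward-or-discard decision that the overview describes, as an added Python sketch (not code from the manual, and a simplified model rather than the switch's implementation). Only interface ge-1/0/10 comes from the page; the other interface names, the prefixes, and the function names are assumptions constructed for the example.

```python
import ipaddress

# Constructed forwarding table for Switch A: (prefix, interface used to reach it).
# ge-1/0/10 is the page's interface; ge-1/0/11, ge-1/0/20 and all prefixes
# are assumptions made up for this example.
FORWARDING_TABLE = [
    ("0.0.0.0/0", "ge-1/0/10"),        # default route toward Switch B
    ("198.51.100.0/24", "ge-1/0/10"),  # provider-side network behind Switch B
    ("192.0.2.0/24", "ge-1/0/20"),     # internal enterprise network
]
# Same networks, but replies to 198.51.100.0/24 leave on another link,
# so ge-1/0/10 is no longer symmetrically routed for that source.
ASYMMETRIC_TABLE = [
    ("0.0.0.0/0", "ge-1/0/10"),
    ("198.51.100.0/24", "ge-1/0/11"),
    ("192.0.2.0/24", "ge-1/0/20"),
]
RPF_INTERFACES = {"ge-1/0/10"}  # interfaces with rpf-check configured


def best_return_interface(src, table=FORWARDING_TABLE):
    """Longest-prefix match on the source address: the interface the switch
    would use to reply to src, or None when no route covers it."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def rpf_check(src, in_ifname, table=FORWARDING_TABLE):
    """Return 'forward' or 'discard' for a packet from src seen on in_ifname."""
    if in_ifname not in RPF_INTERFACES:
        return "forward"  # unicast RPF is not enabled on this interface
    same = best_return_interface(src, table) == in_ifname
    return "forward" if same else "discard"


if __name__ == "__main__":
    cases = [
        ("198.51.100.7", "ge-1/0/10", FORWARDING_TABLE),  # legitimate source
        ("192.0.2.5", "ge-1/0/10", FORWARDING_TABLE),     # internal address seen on the edge
        ("198.51.100.7", "ge-1/0/10", ASYMMETRIC_TABLE),  # asymmetric return path
    ]
    for src, ifname, table in cases:
        print(f"{src:15} in {ifname}: {rpf_check(src, ifname, table)}")
```

The third case shows why the example requires symmetrically routed interfaces: when the best return path to a legitimate source uses a different interface, the check discards that source's traffic as well.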
