Understanding Unicast RPF for EX Series Switches - Juniper JUNOS OS 10.3 - Software Manual

For EX Series Ethernet Switches

Understanding Unicast RPF for EX Series Switches

Unicast RPF for EX Series Switches Overview
Copyright © 2010, Juniper Networks, Inc.
Unicast reverse-path forwarding (RPF) helps protect the switch against denial-of-service
(DoS) and distributed denial-of-service (DDoS) attacks by verifying the unicast source
address of each packet that arrives on an ingress interface where unicast RPF is enabled.
It also helps ensure that traffic arriving on ingress interfaces comes from a network source
that the receiving interface can reach.
When you enable unicast RPF, the switch forwards a packet only if the receiving interface
is the best return path to the packet's unicast source address. This is known as strict
mode unicast RPF.
NOTE: On Juniper Networks EX3200 and EX4200 Ethernet Switches, the
switch applies unicast RPF globally to all interfaces when unicast RPF is
configured on any interface. For additional information, see "Limitations of
the Unicast RPF Implementation on EX3200 and EX4200 Switches" on
page 1108.
This topic covers:
Unicast RPF for EX Series Switches Overview on page 1105
Unicast RPF Implementation for EX Series Switches on page 1106
When to Enable Unicast RPF on page 1106
When Not to Enable Unicast RPF on page 1107
Limitations of the Unicast RPF Implementation on EX3200 and EX4200 Switches on page 1108
Unicast RPF functions as an ingress filter that reduces the forwarding of IP packets that
might be spoofing an address. By default, unicast RPF is disabled on the switch interfaces.
The type of unicast RPF provided on the switches (that is, strict mode unicast RPF) is
especially useful on untrusted interfaces. An untrusted interface is an interface where
untrusted users or processes can place packets on the network segment.
The switch supports only the active paths method of determining the best return path
back to a unicast source address. The active paths method looks up the best reverse
path entry in the forwarding table. It does not consider alternate routes specified using
routing-protocol-specific methods when determining the best return path.
If the forwarding table lists the receiving interface as the interface to use to forward the
packet back to its unicast source, it is the best return path interface. Strict mode unicast
RPF recognizes only one best return path to a unicast source address.
Use strict mode unicast RPF only on symmetrically routed interfaces. (For information
about symmetrically routed interfaces, see "When to Enable Unicast RPF" on page 1106.)
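The following is an added example, not code from Juniper or this manual, that models the strict mode decision described above: the switch looks up the packet's source address in the forwarding table (longest-prefix match, the only path the active paths method considers) and forwards the packet only if the ingress interface equals that best return path. The forwarding table, interface names and packets are constructed for illustration; the last packet shows the false positive strict mode produces on an asymmetrically routed interface.

```python
import ipaddress

# Constructed forwarding table: prefix -> egress interface used to reach it.
# This is the "best return path" information the active paths method consults.
FORWARDING_TABLE = {
    "10.1.0.0/16": "ge-0/0/1",
    "10.1.5.0/24": "ge-0/0/2",   # more specific route via a second interface
    "192.0.2.0/24": "ge-0/0/3",
    "0.0.0.0/0": "ge-0/0/0",     # default route toward the upstream
}

def best_return_path(table, source):
    """Longest-prefix match of the packet's source address in the forwarding
    table; returns the interface the switch would use to reach that source."""
    src = ipaddress.ip_address(source)
    best = None
    for prefix, ifname in table.items():
        net = ipaddress.ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def strict_urpf_permits(table, ingress_if, source):
    """Strict mode unicast RPF: forward only if the ingress interface is the
    single best return path to the packet's unicast source address."""
    return best_return_path(table, source) == ingress_if

def filter_packets(table, packets):
    """Apply strict uRPF to (ingress_if, source) pairs; return verdicts."""
    return [(ingress, src,
             "forward" if strict_urpf_permits(table, ingress, src) else "drop")
            for ingress, src in packets]

if __name__ == "__main__":
    # Constructed packets: two legitimate, one spoofed (claims a source whose
    # return path is another interface), and one legitimate host whose reply
    # path differs from its forward path (asymmetric routing) and is dropped.
    sample = [
        ("ge-0/0/1", "10.1.7.9"),
        ("ge-0/0/2", "10.1.5.20"),
        ("ge-0/0/0", "192.0.2.44"),
        ("ge-0/0/0", "10.1.5.20"),
    ]
    for ingress, src, verdict in filter_packets(FORWARDING_TABLE, sample):
        print(f"{ingress} src={src}: {verdict}")
```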
Chapter 50: Interfaces—Overview
1105