Configuring Unicast RPF (CLI Procedure) - Juniper JUNOS OS 10.3 - SOFTWARE Manual

For EX Series Ethernet Switches

Complete Software Guide for Junos® OS for EX Series Ethernet Switches, Release 10.3

Configuring Unicast RPF (CLI Procedure)

Unicast reverse-path forwarding (RPF) can help protect your LAN from denial-of-service
(DoS) and distributed denial-of-service (DDoS) attacks on untrusted interfaces. Enabling
unicast RPF on the switch interfaces filters traffic with source addresses that do not use
the incoming interface as the best return path back to the source. When a packet comes
into an interface, if that interface is not the best return path to the source, the switch
discards the packet. If the incoming interface is the best return path to the source, the
switch forwards the packet.
NOTE: On EX3200 and EX4200 switches, you can only enable unicast RPF
globally, on all switch interfaces. You cannot enable unicast RPF on a
per-interface basis.
Before you begin:

• On an EX8200 switch, ensure that the selected switch interface is symmetrically routed
  before you enable unicast RPF. A symmetrically routed interface is an interface that
  uses the same route in both directions between the source and the destination. Do not
  enable unicast RPF on asymmetrically routed interfaces. An asymmetrically routed
  interface uses different paths to send and receive packets between the source and
  the destination.
• On an EX3200 or EX4200 switch, ensure that all switch interfaces are symmetrically
  routed before you enable unicast RPF on an interface. When you enable unicast RPF
  on any interface, it is enabled globally on all switch interfaces. Do not enable unicast
  RPF on asymmetrically routed interfaces. An asymmetrically routed interface uses
  different paths to send and receive packets between the source and the destination.
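
The following Python model is an added example, not part of the Juniper manual. It mimics the check described above (longest-prefix match on the packet's source address, compared with the arrival interface) and shows why asymmetric routing makes the switch discard legitimate packets, including on EX3200/EX4200 switches where the check applies to every interface. The routes, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed routes: (prefix, interface the switch uses to reach that prefix).
ROUTES = [
    ("10.1.0.0/16", "ge-1/0/10"),  # customer reached over the port it sends on
    ("10.2.0.0/16", "ge-1/0/11"),  # site that sends via ge-1/0/12 (asymmetric)
]

def best_return_interface(src, routes=ROUTES):
    """Longest-prefix match on the source address; None if no route covers it."""
    addr = ipaddress.ip_address(src)
    hits = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]
    hits = [(net, ifc) for net, ifc in hits if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def rpf_active(in_ifc, configured, global_only):
    """global_only models EX3200/EX4200: rpf-check on any port applies to all."""
    return bool(configured) if global_only else in_ifc in configured

def decide(src, in_ifc, configured, global_only=False):
    """Return 'forward' or 'discard' for one packet under this simplified model."""
    if not rpf_active(in_ifc, configured, global_only):
        return "forward"
    return "forward" if best_return_interface(src) == in_ifc else "discard"

if __name__ == "__main__":
    configured = {"ge-1/0/10"}  # rpf-check set explicitly on one interface
    samples = [                 # constructed (source address, arrival interface)
        ("10.1.5.9", "ge-1/0/10"),   # arrives on its best return path
        ("10.2.7.7", "ge-1/0/10"),   # source is routed via another interface
        ("10.2.7.7", "ge-1/0/12"),   # legitimate but asymmetrically routed
    ]
    for src, ifc in samples:
        for global_only in (False, True):
            mode = "global (EX3200/EX4200)" if global_only else "per-interface"
            print(f"{src:10} in {ifc}  {mode:24} -> "
                  f"{decide(src, ifc, configured, global_only)}")
```

In the per-interface case the asymmetric packet on ge-1/0/12 is forwarded because the check is not active there; in the global case the same packet is discarded, which is why all interfaces must be symmetrically routed on EX3200 and EX4200 switches.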
To enable unicast RPF, configure it explicitly on a selected customer-edge interface:
[edit interfaces]
user@switch# set ge-1/0/10 unit 0 family inet rpf-check
BEST PRACTICE: On EX3200 and EX4200 switches, unicast RPF is enabled
globally on all switch interfaces, regardless of whether you configure it
explicitly on only one interface or only on some interfaces.

On EX3200 and EX4200 switches, we recommend that you enable unicast
RPF explicitly on either all interfaces or only one interface. To avoid possible
confusion, do not enable it on only some interfaces:

• Enabling unicast RPF explicitly on only one interface makes it easier if you
  choose to disable it in the future because you must explicitly disable unicast
  RPF on every interface on which you explicitly enabled it. If you explicitly
  enable unicast RPF on two interfaces and you disable it on only one
Copyright © 2010, Juniper Networks, Inc.
