Table of Contents
Advertisement
When Not to Enable Unicast RPF
Copyright © 2010, Juniper Networks, Inc.
Figure 31: Symmetrically Routed Interfaces
Enabling unicast RPF on asymmetrically routed interfaces (where different interfaces
receive a packet and reply to its source) results in packets from legitimate sources being
filtered (discarded) because the best return path is not the same interface that received
the packet.
The following switch interfaces are most likely to be symmetrically routed and thus are
candidates for unicast RPF enabling:
The service provider edge to a customer
The customer edge to a service provider
A single access point out of the network (usually on the network perimeter)
A terminal network that has only one link
NOTE: Because unicast RPF is enabled globally on EX3200 and EX4200
switches, ensure that all interfaces are symmetrically routed before you
enable unicast RPF on those switches. Enabling unicast RPF on
asymmetrically routed interfaces results in packets from legitimate sources
being filtered.
TIP: Enabling unicast RPF as close as possible to the traffic source stops
spoofed traffic before it can proliferate or reach interfaces that do not have
unicast RPF enabled.
Typically, you will not enable unicast RPF if:
Switch interfaces are multihomed.
Switch interfaces are trusted interfaces.
BGP is carrying prefixes and some of those prefixes are not advertised or are not
accepted by the ISP under its policy. (The effect in this case is the same as filtering an
interface by using an incomplete access list.)
Switch interfaces face the network core. Core-facing interfaces are usually
asymmetrically routed.
An asymmetrically routed interface uses different paths to send and receive packets
between the source and the destination, as shown in Figure 32 on page 1252. This means
Chapter 56: Interfaces—Overview
1251
Advertisement
Chapters
Table of Contents
Troubleshooting
