When Not To Enable Unicast Rpf; Figure 3: Symmetrically Routed Interfaces - Juniper EX2200 Hardware Manual

When Not to Enable Unicast RPF

Copyright © 2015, Juniper Networks, Inc.

Figure 3: Symmetrically Routed Interfaces

Enabling unicast RPF on asymmetrically routed interfaces (where different interfaces
receive a packet and reply to its source) results in packets from legitimate sources being
filtered (discarded) because the best return path is not the same interface that received
the packet.
The following switch interfaces are most likely to be symmetrically routed and thus are
candidates for unicast RPF enabling:
The service provider edge to a customer
The customer edge to a service provider
A single access point out of the network (usually on the network perimeter)
A terminal network that has only one link
NOTE: Because unicast RPF is enabled globally on EX3200, EX4200, and
EX4300 switches, ensure that all interfaces are symmetrically routed before
you enable unicast RPF on these switches. Enabling unicast RPF on
asymmetrically routed interfaces results in packets from legitimate sources
being filtered.
TIP: Enabling unicast RPF as close as possible to the traffic source stops
spoofed traffic before it can proliferate or reach interfaces that do not have
unicast RPF enabled.
Typically, you will not enable unicast RPF if:
Switch interfaces are multihomed.
Switch interfaces are trusted interfaces.
BGP is carrying prefixes and some of those prefixes are not advertised or are not
accepted by the ISP under its policy. (The effect in this case is the same as filtering an
interface by using an incomplete access list.)
Switch interfaces face the network core. Core-facing interfaces are usually
asymmetrically routed.
An asymmetrically routed interface uses different paths to send and receive packets
between the source and the destination, as shown in
Chapter 1: Interfaces Overview
Figure 4 on page 22. This means
21