•
uRPF implementation in ACX does not consider all feasible paths for reverse path
verification and only active path based verification is supported.
•
uRPF failure packets statistics are not supported in ACX.
•
You can use either the show interfaces extensive command or the show interfaces detail
command to verify that unicast RPF is enabled and working on the interface. In the
Flags section of the output, if unicast reverse-path forwarding (RPF) is explicitly
configured on the specified interface, the uRPF flag is displayed. If unicast RPF was
configured on a different interface (and therefore is enabled on all switch interfaces)
but was not explicitly configured on the specified interface, the uRPF flag is not
displayed even though unicast RPF is enabled.
•
The uRPF detail in the Flags section of the output of the show interfaces (detail |
extensive) commands is displayed only for logical interfaces on which uRPF is
configured. Otherwise, this information is not shown.
Related
Documentation
•
Configuring Unicast RPF on ACX Series Routers
IP spoofing can occur during a denial-of-service (DoS) attack. IP spoofing allows an
intruder to pass IP packets to a destination as genuine traffic, when in fact the packets
are not actually meant for the destination. This type of spoofing is harmful because it
consumes the destination’s resources.
A unicast reverse-path-forwarding (RPF) check is a tool to reduce forwarding of IP packets
that might be spoofing an address. A unicast RPF check performs a route table lookup
on an IP packet’s source address, and checks the incoming interface. The router or switch
determines whether the packet is arriving from a path that the sender would use to reach
the destination. If the packet is from a valid path, the router or switch forwards the packet
to the destination address. If it is not from a valid path, the router or switch discards the
packet. Unicast RPF is supported for the IPv4 and IPv6 protocol families, as well as for
the virtual private network (VPN) address family.
NOTE: If you want to configure unicast RPF, your router must be equipped
with the Internet Processor II application-specific integrated circuit (ASIC).
If you enable unicast RPF on live traffic, some packets are dropped while the
packet forwarding components are updating.
For transit packets exiting the router through the tunnel, forwarding path
features, such as RPF, forwarding table filtering, source class usage, and
destination class usage are not supported on the interfaces you configure as
the output interface for tunnel traffic. For firewall filtering, you must allow
the output tunnel packets through the firewall filter applied to input traffic
on the interface that is the next-hop interface towards the tunnel destination.
Copyright © 2017, Juniper Networks, Inc.804
ACX Series Universal Access Router Configuration Guide
To Next Page
Loading...
Need help?
General
