Understanding Unicast RPF
Unicast reverse-path forwarding (RPF) helps protect the switch against denial-of-service
(DoS) and distributed denial-of-service (DDoS) attacks by verifying the unicast source
address of each packet that arrives on an ingress interface where unicast RPF is enabled.
It also helps ensure that traffic arriving on ingress interfaces comes from a network source
that the receiving interface can reach.
When you enable unicast RPF, the switch forwards a packet only if the receiving interface
is the best return path to the packet's unicast source address. This is known as strict
mode unicast RPF.
NOTE: On Juniper Networks EX3200, EX4200, and EX4300 Ethernet
Switches, the switch applies unicast RPF globally to all interfaces when
unicast RPF is configured on any interface. For additional information, see
“Limitations of the Unicast RPF Implementation on EX3200, EX4200, and
EX4300 Switches” on page 22.
This topic covers:
•
Unicast RPF for Switches Overview on page 19
•
Unicast RPF Implementation on page 20
•
When to Enable Unicast RPF on page 20
•
When Not to Enable Unicast RPF on page 21
•
Limitations of the Unicast RPF Implementation on EX3200, EX4200, and EX4300
Switches on page 22
Unicast RPF for Switches Overview
Unicast RPF functions as an ingress filter that reduces the forwarding of IP packets that
might be spoofing an address. By default, unicast RPF is disabled on the switch interfaces.
The type of unicast RPF provided on the switches—that is, strict mode unicast RPF is
especially useful on untrusted interfaces. An untrusted interface is an interface where
untrusted users or processes can place packets on the network segment.
The switch supports only the active paths method of determining the best return path
back to a unicast source address. The active paths method looks up the best reverse
path entry in the forwarding table. It does not consider alternate routes specified using
routing-protocol-specific methods when determining the best return path.
If the forwarding table lists the receiving interface as the interface to use to forward the
packet back to its unicast source, it is the best return path interface.
Use strict mode unicast RPF only on symmetrically routed interfaces. (For information
about symmetrically routed interfaces, see “When to Enable Unicast RPF” on page 20.)
19Copyright © 2015, Juniper Networks, Inc.
Chapter 1: Interfaces Overview
To Next Page
Loading...
Need help?
General
Weight and Dimensions
