Figure 3: Symmetrically Routed Interfaces
Enabling unicast RPF on asymmetrically routed interfaces (where the interface that
receives a packet is not the interface the switch would use to reply to the packet's
source) results in packets from legitimate sources being filtered (discarded), because
the best return path to the source is not the interface that received the packet.
The following switch interfaces are most likely to be symmetrically routed and thus are
candidates for enabling unicast RPF:
• The service provider edge to a customer
• The customer edge to a service provider
• A single access point out of the network (usually on the network perimeter)
• A terminal network that has only one link
NOTE: Because unicast RPF is enabled globally on EX3200, EX4200, and
EX4300 switches, ensure that all interfaces are symmetrically routed before
you enable unicast RPF on these switches. Enabling unicast RPF on
asymmetrically routed interfaces results in packets from legitimate sources
being filtered.
TIP: Enabling unicast RPF as close as possible to the traffic source stops
spoofed traffic before it can proliferate or reach interfaces that do not have
unicast RPF enabled.
When Not to Enable Unicast RPF
Typically, you will not enable unicast RPF if:
• Switch interfaces are multihomed.
• Switch interfaces are trusted interfaces.
• BGP is carrying prefixes and some of those prefixes are not advertised or are not
accepted by the ISP under its policy. (The effect in this case is the same as filtering an
interface by using an incomplete access list.)
• Switch interfaces face the network core. Core-facing interfaces are usually
asymmetrically routed.
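The two lists above describe when a strict unicast RPF check protects a link (single-homed customer and perimeter interfaces) and when it misfires (multihomed and core-facing interfaces). The following Python model is an added example, not Juniper code and not the switch's implementation: it performs a longest-prefix lookup on a constructed routing table and applies the strict rule, accepting a packet only if the best route back to its source leaves through the interface the packet arrived on. The interface names, prefixes and sample packets are constructed for illustration. On Junos the check itself is configured on an interface with the rpf-check statement under family inet; on EX3200, EX4200 and EX4300 switches it then takes effect globally, as the NOTE above states.

```python
"""Strict unicast RPF check modelled in Python (added example, not Juniper code).

Shows why strict uRPF stops spoofed sources on a symmetrically routed
customer interface and why it drops legitimate traffic on an asymmetrically
routed core-facing interface.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table: (prefix, egress interface). Longest prefix wins.
ROUTING_TABLE: List[Tuple[str, str]] = [
    ("192.0.2.0/24", "ge-0/0/1"),      # customer A, single link (symmetric)
    ("198.51.100.0/24", "ge-0/0/2"),   # customer B, single link (symmetric)
    ("203.0.113.0/24", "ge-0/0/10"),   # remote network reached via core link 1
    ("0.0.0.0/0", "ge-0/0/11"),        # default route via core link 2
]

# Constructed packets: (source address, ingress interface).
SAMPLE_PACKETS: List[Tuple[str, str]] = [
    ("192.0.2.10", "ge-0/0/1"),     # legitimate customer A traffic
    ("192.0.2.10", "ge-0/0/2"),     # customer B spoofing a customer A address
    ("10.0.0.1", "ge-0/0/1"),       # customer A sending a private, unrouted source
    ("203.0.113.5", "ge-0/0/10"),   # core traffic arriving on the forward-path link
    ("203.0.113.5", "ge-0/0/11"),   # same source arriving on the other core link
]


def best_route(table: List[Tuple[str, str]], src: str) -> Optional[str]:
    """Longest-prefix match for src; returns the egress interface or None."""
    addr = ipaddress.ip_address(src)
    best_iface: Optional[str] = None
    best_len = -1  # lets a 0.0.0.0/0 default route match when nothing longer does
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    return best_iface


def strict_urpf(table: List[Tuple[str, str]], ingress_iface: str, src: str) -> bool:
    """Strict uRPF: accept only if the best route back to src leaves via
    the interface the packet arrived on. No route at all means drop."""
    return best_route(table, src) == ingress_iface


def evaluate(table: List[Tuple[str, str]],
             packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply the strict check to each packet; returns (src, ingress, verdict)."""
    return [
        (src, ingress, "accept" if strict_urpf(table, ingress, src) else "drop")
        for src, ingress in packets
    ]


if __name__ == "__main__":
    for src, ingress, verdict in evaluate(ROUTING_TABLE, SAMPLE_PACKETS):
        print(f"{src:>14} on {ingress:<9} -> {verdict}")
```

The last two packets are the caveat the NOTE warns about: 203.0.113.5 is a legitimate source either way, but because the switch's best route to it points at ge-0/0/10, the copy that arrives on ge-0/0/11 is dropped. On a single-link customer interface such as ge-0/0/1 the return path is the ingress interface by construction, so only spoofed sources are dropped.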
An asymmetrically routed interface uses different paths to send and receive packets
between the source and the destination, as shown in Figure 4 on page 22. This means
21 Copyright © 2015, Juniper Networks, Inc.
Chapter 1: Interfaces Overview