Understanding Unicast RPF for EX Series Switches
Unicast reverse-path forwarding (RPF) helps protect the switch against denial-of-service
(DoS) and distributed denial-of-service (DDoS) attacks by verifying the unicast source
address of each packet that arrives on an ingress interface where unicast RPF is enabled.
It also helps ensure that traffic arriving on ingress interfaces comes from a network source
that the receiving interface can reach.
When you enable unicast RPF, the switch forwards a packet only if the receiving interface
is the best return path to the packet's unicast source address. This is known as strict
mode unicast RPF.
NOTE: On Juniper Networks EX3200 and EX4200 Ethernet Switches, the switch applies unicast RPF globally to all interfaces when unicast RPF is configured on any interface. For additional information, see “Limitations of the Unicast RPF Implementation on EX3200 and EX4200 Switches” on page 1108.
This topic covers:
• Unicast RPF for EX Series Switches Overview on page 1105
• Unicast RPF Implementation for EX Series Switches on page 1106
• When to Enable Unicast RPF on page 1106
• When Not to Enable Unicast RPF on page 1107
• Limitations of the Unicast RPF Implementation on EX3200 and EX4200 Switches on page 1108
Unicast RPF for EX Series Switches Overview
Unicast RPF functions as an ingress filter that reduces the forwarding of IP packets that
might be spoofing an address. By default, unicast RPF is disabled on the switch interfaces.
The type of unicast RPF provided on the switches, strict mode unicast RPF, is especially
useful on untrusted interfaces. An untrusted interface is an interface where untrusted
users or processes can place packets on the network segment.
The switch supports only the active paths method of determining the best return path
back to a unicast source address. The active paths method looks up the best reverse
path entry in the forwarding table. It does not consider alternate routes specified using
routing-protocol-specific methods when determining the best return path.
If the forwarding table lists the receiving interface as the interface to use to forward the
packet back to its unicast source, it is the best return path interface. Strict mode unicast
RPF recognizes only one best return path to a unicast source address.
Use strict mode unicast RPF only on symmetrically routed interfaces. (For information
about symmetrically routed interfaces, see “When to Enable Unicast RPF” on page 1106.)
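The strict-mode decision described above can be modelled directly: look up the packet's source address in the forwarding table (longest-prefix match, the active paths method), and forward only when the interface that lookup returns is the interface the packet arrived on. The following Python is an added illustration, not Juniper code and not an implementation of the switch's forwarding engine; the forwarding table, interface names and sample packets are constructed for the example. It also shows the caveat from the text: a legitimate packet that arrives on an interface other than the best return path (asymmetric routing) is dropped by strict mode just as a spoofed one is.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (destination prefix, egress interface)

# Constructed forwarding table for the example. Prefixes and interface
# names are assumptions, not taken from the Juniper document.
FORWARDING_TABLE: List[Route] = [
    ("10.1.0.0/16", "ge-0/0/1"),
    ("10.1.5.0/24", "ge-0/0/2"),   # more-specific route wins over the /16
    ("192.0.2.0/24", "ge-0/0/3"),
]


def best_return_interface(table: List[Route], src: str) -> Optional[str]:
    """Active paths lookup: the interface the forwarding table would use to send
    a packet back to src (longest-prefix match), or None if there is no route."""
    addr = ipaddress.ip_address(src)
    best_iface, best_len = None, -1
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    return best_iface


def strict_urpf_check(table: List[Route], ingress: str, src: str) -> Tuple[str, str]:
    """Strict-mode unicast RPF: forward only if the ingress interface is the single
    best return path to the source address. Returns (decision, reason)."""
    ret = best_return_interface(table, src)
    if ret is None:
        return "drop", f"no route back to {src}"
    if ret != ingress:
        return "drop", f"best return path to {src} is {ret}, not {ingress}"
    return "forward", f"{ingress} is the best return path to {src}"


# Constructed sample packets: (ingress interface, unicast source address).
PACKETS = [
    ("ge-0/0/2", "10.1.5.7"),       # symmetric: forward
    ("ge-0/0/1", "10.1.9.3"),       # symmetric: forward
    ("ge-0/0/3", "10.1.9.3"),       # 10.1.x source on the 192.0.2.0/24 port: spoofed, drop
    ("ge-0/0/1", "10.1.5.7"),       # legitimate but asymmetric: strict mode still drops
    ("ge-0/0/3", "198.51.100.1"),   # no return route at all: drop
]


def run(table: List[Route] = FORWARDING_TABLE, packets=PACKETS):
    """Evaluate every sample packet; returns (ingress, src, decision, reason) tuples."""
    return [(ingress, src) + strict_urpf_check(table, ingress, src)
            for ingress, src in packets]


if __name__ == "__main__":
    for ingress, src, decision, reason in run():
        print(f"{ingress:10} {src:14} {decision:8} {reason}")
```

The fourth packet is the case the text warns about: the host really is at 10.1.5.7, but because the forwarding table's best path back to it is ge-0/0/2, strict mode discards it on ge-0/0/1. That is why the document restricts strict mode to symmetrically routed interfaces.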
1105
Copyright © 2010, Juniper Networks, Inc.
Chapter 50: Interfaces—Overview