Configure Unicast RPF Strict Mode
In strict mode, unicast RPF checks whether the incoming packet has a source address that matches a prefix in the routing table, and whether the interface expects to receive a packet with this source address prefix; that is, the best route back to the source address must point out the interface on which the packet arrived.
If the incoming packet fails the unicast RPF check, the packet is not accepted on the interface. When a packet is not accepted on an interface, unicast RPF counts the packet and sends it to an optional fail filter.
The optional fail filter allows you to apply a filter to packets that fail the unicast RPF check. You can define the fail filter to perform any filter operation, including accepting, rejecting, logging, sampling, or policing.
When unicast RPF is enabled on an interface, Bootstrap Protocol (BOOTP) packets and Dynamic Host Configuration Protocol (DHCP) packets are not accepted on the interface. To allow the interface to accept BOOTP packets and DHCP packets, you must apply a fail filter that accepts all packets with a source address of 0.0.0.0 and a destination address of 255.255.255.255. For a configuration example, see Example: Configure Unicast RPF. For more information about defining fail filters, see the JUNOS Internet Software Configuration Guide: Policy Framework.
To configure unicast RPF, include the rpf-check statement:

rpf-check <fail-filter filter-name>;

You can configure this statement at the following hierarchy levels:
- [edit interfaces interface-name unit logical-unit-number family (inet | inet6)]
- [edit logical-routers logical-router-name interfaces interface-name unit logical-unit-number family (inet | inet6)]

Using unicast RPF can have several consequences when implemented with traffic filters:
- RPF fail filters are evaluated after input filters and before output filters.
- If you configure a filter counter for packets dropped by an input filter, and you want to know the total number of packets dropped, you must also configure a filter counter for packets dropped by the RPF check.
- To count packets that fail the RPF check and are accepted by the RPF fail filter, you must configure a filter counter.
- If an input filter forwards packets anywhere other than the inet.0 or inet6.0 routing tables, the unicast RPF check is not performed.
- If an input filter forwards packets anywhere other than the routing instance the input interface is configured for, the unicast RPF check is not performed.
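The following configuration is an added example, not taken from this page or from Juniper's Example: Configure Unicast RPF. It puts the pieces above together: strict-mode rpf-check on an interface, a fail filter whose first term accepts the BOOTP/DHCP packets (source 0.0.0.0, destination 255.255.255.255) that would otherwise be rejected, and a counter in each term so that both the packets the fail filter accepts and the packets it drops are counted. The interface name ge-0/0/0, the address 192.0.2.1/24, and the filter and counter names are assumptions.

```junos
/* Added example (not from the page): strict-mode unicast RPF on ge-0/0/0
   with a fail filter. Interface, address, filter and counter names are
   assumptions chosen for illustration. */
firewall {
    family inet {
        filter RPF-FAIL-FILTER {
            /* DHCP/BOOTP discovery is sent from 0.0.0.0 to 255.255.255.255.
               0.0.0.0 has no route in the routing table, so these packets
               always fail the RPF check and must be rescued here. */
            term allow-bootp-dhcp {
                from {
                    source-address {
                        0.0.0.0/32;
                    }
                    destination-address {
                        255.255.255.255/32;
                    }
                }
                then {
                    /* Packets that fail RPF but are accepted by the fail
                       filter are only counted if you configure a counter. */
                    count rpf-fail-accepted;
                    accept;
                }
            }
            /* Everything else that failed the RPF check is counted and
               discarded; add this counter to input-filter drop counters to
               get the total number of dropped packets. */
            term drop-rest {
                then {
                    count rpf-fail-dropped;
                    discard;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                /* Strict-mode RPF check; failed packets go to the fail filter. */
                rpf-check fail-filter RPF-FAIL-FILTER;
                address 192.0.2.1/24;
            }
        }
    }
}
```

After committing, show firewall filter RPF-FAIL-FILTER displays the two counters, which is the only way to distinguish packets the fail filter accepted from those it dropped; the RPF check's own rejection count appears in show interfaces ge-0/0/0 extensive. Remember that an input filter on the same unit runs before the RPF check, so any packet an input filter discards or forwards to another routing instance never reaches RPF-FAIL-FILTER and never increments these counters.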