
Example: Configuring Unicast RPF (On a Switch)
This example shows how to help defend ingress interfaces against denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks by configuring unicast RPF to filter incoming traffic.

Requirements

This example uses two EX8200 switches. On EX3200 and EX4200 switches, you cannot configure individual interfaces for unicast RPF – the switch applies unicast RPF globally to all interfaces on the switch.

  • Junos OS Release 10.1 or later for EX Series switches

  • Two EX8200 switches

Before you begin, be sure you have:

  • Connected the two switches by symmetrically routed interfaces.

  • Ensured that the interface on which you will configure unicast RPF is symmetrically routed.

  • On an EX8200, EX6200, QFX Series switch, or OCX Series switch, ensure that the selected switch interface is symmetrically routed before you enable unicast RPF. A symmetrically routed interface is an interface that uses the same route in both directions between the source and the destination. Do not enable unicast RPF on asymmetrically routed interfaces. An asymmetrically routed interface uses different paths to send and receive packets between the source and the destination.

  • On an EX3200, EX4200, or EX4300 switch, ensure that all switch interfaces are symmetrically routed before you enable unicast RPF on an interface. When you enable unicast RPF on any interface, it is enabled globally on all switch interfaces. Do not enable unicast RPF on asymmetrically routed interfaces. An asymmetrically routed interface uses different paths to send and receive packets between the source and the destination.

Overview and Topology

In this example, an enterprise network's system administrator wants to protect Switch A against potential DoS and DDoS attacks from the Internet. The administrator configures unicast RPF on interface ge-1/0/10 on Switch A. Packets arriving on interface ge-1/0/10 on Switch A from the Switch B source also use incoming interface ge-1/0/10 as the best return path to send packets back to the source.

The topology of this configuration example uses two EX8200 switches, Switch A and Switch B, connected by symmetrically routed interfaces:

  • Switch A is on the edge of an enterprise network. The interface ge-1/0/10 on Switch A connects to the interface ge-1/0/5 on Switch B.

  • Switch B is on the edge of the service provider network that connects the enterprise network to the Internet.

Configuration

To enable unicast RPF, perform these tasks:

CLI Quick Configuration

To quickly configure unicast RPF on Switch A, copy the following command and paste it into the switch terminal window:

[edit interfaces]
set ge-1/0/10 unit 0 family inet rpf-check

Step-by-Step Procedure

To configure unicast RPF on Switch A:

  1. Enable unicast RPF on interface ge-1/0/10:
    [edit interfaces]

    user@switch# set ge-1/0/10 unit 0 family inet rpf-check

Results

Check the results:

Disabling Unicast RPF

Step-by-Step Procedure

Unicast reverse-path forwarding (RPF) can help protect your LAN from denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks on untrusted interfaces. Unicast RPF filters traffic with source addresses that do not use the incoming interface as the best return path back to the source. If the network configuration changes so that an interface that has unicast RPF enabled becomes a trusted interface or becomes asymmetrically routed (the interface that receives a packet is not the best return path to the packet’s source), disable unicast RPF.

To disable unicast RPF on an EX3200, EX4200, or EX4300 switch, you must delete it from every interface on which you explicitly configured it. If you do not disable unicast RPF on every interface on which you explicitly enabled it, unicast RPF remains implicitly enabled on all interfaces of the EX3200, EX4200, or EX4300 switch. If you attempt to delete unicast RPF from an interface on which it was not explicitly enabled, the message "warning: statement not found" appears.

On EX8200, EX6200, QFX Series switches, and OCX Series switches, the switch does not apply unicast RPF to an interface unless you explicitly enable that interface for unicast RPF.

To disable unicast RPF, delete its configuration from the interface:

[edit interfaces]

user@switch# delete ge-1/0/10 unit 0 family inet rpf-check

Verification

Verifying That Unicast RPF Is Enabled on the Switch

Purpose

Verify that unicast RPF is enabled and working on the interface.

Action

Use one of the show interfaces interface-name commands with either the extensive or detail options to verify that unicast RPF is enabled and working on the switch. The example below displays output from the show interfaces ge- extensive command.

user@switch> show interfaces ge-1/0/10 extensive

Meaning

The show interfaces ge-1/0/10 extensive command (and the show interfaces ge-1/0/10 detail command) displays in-depth information about the interface. The Flags: output field near the bottom of the display reports the unicast RPF status. If unicast RPF has not been enabled, the uRPF flag is not displayed.

On EX3200 and EX4200 switches, unicast RPF is implicitly enabled on all switch interfaces, including aggregated Ethernet interfaces (also referred to as link aggregation groups or LAGs) and routed VLAN interfaces (RVIs) when you enable unicast RPF on a single interface. However, the unicast RPF status is shown as enabled only on interfaces for which you have explicitly configured unicast RPF. Thus, the uRPF flag is not displayed on interfaces for which you have not explicitly configured unicast RPF even though unicast RPF is implicitly enabled on all interfaces on EX3200 and EX4200 switches.

Troubleshooting Unicast RPF

Legitimate Packets Are Discarded

Problem

The switch filters valid packets from legitimate sources, so it discards packets that should be forwarded.

Solution

The interface or interfaces on which legitimate packets are discarded are asymmetrically routed interfaces. An asymmetrically routed interface uses different paths to send and receive packets between the source and the destination, so the interface that receives a packet is not the same interface the switch uses to reply to the packet's source.

Unicast RPF works properly only on symmetrically routed interfaces. A symmetrically routed interface is an interface that uses the same route in both directions between the source and the destination. Unicast RPF filters packets by checking the forwarding table for the best return path to the source of an incoming packet. If the best return path uses the same interface as the interface that received the packet, the switch forwards the packet. If the best return path uses a different interface than the interface that received the packet, the switch discards the packet.
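The check described above (and in the Disabling Unicast RPF section) can be modelled to show why a spoofed source is dropped while a legitimate source behind an asymmetric route is also dropped. This is an added illustration, not Junos code or any part of the original page; the forwarding table, interface names and packet sources are constructed for the example.

```python
import ipaddress

# Constructed forwarding table for a switch like Switch A (not from the page):
# prefix -> egress interface that is the best path toward that prefix.
FIB = {
    "0.0.0.0/0": "ge-1/0/10",        # default route toward the Internet via the uplink
    "10.0.0.0/8": "ge-1/0/1",        # internal enterprise address space
    "203.0.113.0/24": "ge-1/0/11",   # a partner prefix reached over a second uplink
}

def best_return_path(fib, src_ip):
    """Longest-prefix-match lookup: the interface the switch would use to reply to src_ip."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rpf_check(fib, src_ip, ingress_iface):
    """Strict unicast RPF as the page describes it: forward only if the best
    return path to the packet's source is the interface the packet arrived on."""
    return best_return_path(fib, src_ip) == ingress_iface

def filter_packets(fib, packets):
    """Split (src_ip, ingress_iface) pairs into forwarded and discarded lists."""
    forwarded, discarded = [], []
    for src_ip, ingress in packets:
        (forwarded if rpf_check(fib, src_ip, ingress) else discarded).append((src_ip, ingress))
    return forwarded, discarded

# Constructed sample packets arriving on the uplink interface.
PACKETS = [
    ("198.51.100.7", "ge-1/0/10"),   # Internet source on the uplink: best return path matches, forwarded
    ("10.1.2.3", "ge-1/0/10"),       # internal address arriving from the Internet side: spoofed, discarded
    ("203.0.113.9", "ge-1/0/10"),    # legitimate partner source, but the reply would leave via ge-1/0/11:
                                     # asymmetric routing, so strict RPF discards it (the troubleshooting case)
]

if __name__ == "__main__":
    fwd, drop = filter_packets(FIB, PACKETS)
    print("forwarded:", fwd)
    print("discarded:", drop)
```

The third packet is the "Legitimate Packets Are Discarded" symptom: the interface is asymmetrically routed, so the fix is to disable unicast RPF on it rather than to adjust the check.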

Note

On EX3200, EX4200, and EX4300 switches, unicast RPF works properly only if all switch interfaces—including aggregated Ethernet interfaces (also referred to as link aggregation groups or LAGs), integrated routing and bridging (IRB) interfaces, and routed VLAN interfaces (RVIs)—are symmetrically routed, because unicast RPF is enabled globally on all switch interfaces.