Understanding Unicast Reverse Path Forwarding
Unicast reverse path forwarding protects the switch against denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks by comparing the source address of a received unicast packet against the switch’s routing table to see if the source address is valid or spoofed (faked). Reverse path forwarding (RPF) works in two modes:
- Strict mode: In this mode, the switch checks to see if a packet is received on the interface that the switch would use if it were sending a packet to the incoming packet’s source address. If the packet fails this test, the switch discards it.
- Loose mode: In this mode, the switch checks to see if the incoming packet’s source address is in the switch’s routing table, but the switch does not verify whether it would use the ingress interface to send a packet to the incoming packet’s source address. If the source address is in the routing table, the switch accepts the packet and forwards it as required.
To configure unicast reverse path forwarding, issue the rpf-check statement at the [edit interfaces unit family] hierarchy level.
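The two modes differ only in whether the ingress interface is compared against the route back to the source. The following Python sketch is an added example, not Juniper code or the switch's implementation; it models the decision with a longest-prefix-match lookup. The routing table, interface names, and packets are constructed for illustration, and the table deliberately has no default route.

```python
import ipaddress

# Constructed routing table: (prefix, interface the switch would use to reach it).
ROUTES = [
    ("10.1.0.0/16", "ge-0/0/1"),
    ("10.1.5.0/24", "ge-0/0/2"),
    ("192.0.2.0/24", "ge-0/0/3"),
]

def lookup(src, routes=ROUTES):
    """Longest-prefix match on the source address; returns the interface or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def rpf_check(src, ingress, mode="strict", routes=ROUTES):
    """Return True to accept the packet, False to discard it."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    reverse_if = lookup(src, routes)
    if reverse_if is None:
        return False            # source not in the routing table: fails both modes
    if mode == "loose":
        return True             # any route to the source is enough
    return reverse_if == ingress  # strict: must arrive on the reverse-path interface

def evaluate(packets):
    """Return (src, ingress, strict_result, loose_result) for each packet."""
    return [(s, i, rpf_check(s, i, "strict"), rpf_check(s, i, "loose"))
            for s, i in packets]

# Constructed packets: (source address, ingress interface).
SAMPLE = [
    ("10.1.5.9", "ge-0/0/2"),     # arrives on the reverse-path interface
    ("10.1.5.9", "ge-0/0/1"),     # routable source, wrong interface (spoofed or asymmetric path)
    ("203.0.113.7", "ge-0/0/1"),  # source has no route at all
]

if __name__ == "__main__":
    for src, ingress, strict, loose in evaluate(SAMPLE):
        print(f"{src:<12} on {ingress}: strict={'accept' if strict else 'discard'}, "
              f"loose={'accept' if loose else 'discard'}")
```

The second packet shows the trade-off: strict mode discards it, which also drops legitimate traffic that arrives over an asymmetric path, while loose mode accepts any source that has a route.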

