
Configuring Unicast RPF Strict Mode

In strict mode, unicast RPF checks whether the incoming packet has a source address that matches a prefix in the routing table, and whether the interface expects to receive a packet with this source address prefix.

If the incoming packet fails the unicast RPF check, the packet is not accepted on the interface. When a packet is not accepted on an interface, unicast RPF counts the packet and sends it to an optional fail filter. If the fail filter is not configured, the default action is to silently discard the packet.

The optional fail filter allows you to apply a filter to packets that fail the unicast RPF check. You can define the fail filter to perform any filter operation, including accepting, rejecting, logging, sampling, or policing.

When unicast RPF is enabled on an interface, Bootstrap Protocol (BOOTP) packets and Dynamic Host Configuration Protocol (DHCP) packets are not accepted on the interface. To allow the interface to accept BOOTP packets and DHCP packets, you must apply a fail filter that accepts all packets with a source address of 0.0.0.0 and a destination address of 255.255.255.255. For a configuration example, see Example: Configuring Unicast RPF.
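
A fail filter of the kind described above, written out as an added example (it is not taken from this page or from the referenced example section). The filter, term and counter names, the interface ge-0/0/0 and the address 192.0.2.1/24 are assumptions chosen for illustration. The second term counts, logs and discards every other packet that fails the check, so spoofed-source traffic is visible instead of silently dropped.

```junos
firewall {
    family inet {
        /* Applied only to packets that have already failed the unicast RPF check */
        filter rpf-fail-dhcp-bootp {
            /* BOOTP/DHCP requests: source 0.0.0.0, destination 255.255.255.255 */
            term allow-dhcp-bootp {
                from {
                    source-address {
                        0.0.0.0/32;
                    }
                    destination-address {
                        255.255.255.255/32;
                    }
                }
                then {
                    count rpf-dhcp-bootp-accepted;
                    accept;
                }
            }
            /* Everything else that failed the check: record it, then drop it */
            term drop-other-failures {
                then {
                    count rpf-fail-discarded;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                /* Strict-mode unicast RPF with the fail filter attached */
                rpf-check fail-filter rpf-fail-dhcp-bootp;
                address 192.0.2.1/24;
            }
        }
    }
}
```

The two counters separate legitimate BOOTP/DHCP requests from other unicast RPF failures, which makes a rise in discarded packets easy to spot.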

For more information about unicast RPF, see the JUNOS Routing Protocols Configuration Guide. For more information about defining fail filters, see the JUNOS Policy Framework Configuration Guide.

To configure unicast RPF, include the rpf-check statement:

rpf-check <fail-filter filter-name>;

You can include this statement at the following hierarchy levels:

Using unicast RPF can have several consequences when implemented with traffic filters:

