Configure Reverse Path Forwarding on Virtual Interfaces
Overview
Unicast reverse-path forwarding (RPF) verifies that a packet was sent from a valid source address by performing an RPF check. An RPF check is a validation step that uses the IP routing table to verify whether the source IP address of an incoming packet is arriving over a valid path. RPF helps reduce the forwarding of IP packets that carry a spoofed source IP address.
When a packet arrives on an interface, RPF performs a forwarding table lookup on the packet's source IP address and compares the result with the incoming interface. The interface returned by the lookup must match the interface on which the packet arrived. If the interfaces do not match, the vRouter drops the packet. If the packet arrived over a valid path, the vRouter forwards it to the destination address.
You can enable or disable source RPF on a per-virtual network basis. By default, RPF is disabled.
- RPF enable: Whenever a packet reaches the interface, RPF performs a check on the packet's source IP address. All packets are dropped if the route is not learned by the vRouter. Only packets received from the MAC/IP address allocated to the workload are permitted on an interface.
- RPF disable: Packets from any source are accepted on the interface. A forwarding table lookup is not performed on the incoming packet's source IP address.
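As an added illustration of the check described above (example code written for this page, not part of the original documentation or of the vRouter implementation), the following Python snippet simulates the per-packet decision against a constructed forwarding table. The interface names and the 10.0.0.0/8 and 192.168.1.1 addresses are assumptions; only 172.20.10.0/24 comes from the page's own example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed forwarding table for one vRouter: prefix -> interface on which
# that prefix is reachable. There is deliberately no default route, so a
# source that the vRouter has not learned yields no match at all.
FORWARDING_TABLE = {
    "172.20.10.0/24": "tap-vm1",  # workload subnet (page's example CIDR; interface name assumed)
    "10.0.0.0/8": "vhost0",       # fabric side (assumed)
}


@dataclass
class Packet:
    src: str       # source IP address
    dst: str       # destination IP address
    in_iface: str  # interface the packet arrived on


def lookup(table, addr):
    """Longest-prefix match: return the interface for addr, or None if unlearned."""
    ip = ipaddress.ip_address(addr)
    best_net, best_iface = None, None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def rpf_check(table, pkt, rpf_enabled=True):
    """Return 'forward' or 'drop' following the rules stated on the page.

    RPF disabled: every source is accepted, no lookup is performed.
    RPF enabled:  the source must be learned, and the interface the lookup
                  returns must equal the interface the packet arrived on.
    """
    if not rpf_enabled:
        return "forward"
    expected_iface = lookup(table, pkt.src)
    if expected_iface is None:       # route not learned by the vRouter
        return "drop"
    if expected_iface != pkt.in_iface:  # source is not valid for this interface
        return "drop"
    return "forward"


if __name__ == "__main__":
    # Constructed traffic: one legitimate workload packet and one whose source
    # address claims to be the workload but arrives from the fabric side.
    for p in (Packet("172.20.10.5", "10.1.1.1", "tap-vm1"),
              Packet("172.20.10.5", "10.1.1.1", "vhost0")):
        print(p.src, "on", p.in_iface, "->", rpf_check(FORWARDING_TABLE, p))
```

The second constructed packet is dropped only because RPF is enabled; passing rpf_enabled=False reproduces the "RPF disable" behaviour where any source is accepted.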
Enable RPF on a Virtual Interface
Here is an example of a Namespace YAML file you use to configure RPF on a virtual interface. To enable RPF, set the rpf variable under virtualNetworkProperties to enable.
apiVersion: v1
kind: Namespace
metadata:
  name: rpf-ns
---
apiVersion: core.contrail.juniper.net/v1alpha1
kind: Subnet
metadata:
  namespace: rpf-ns
  name: rpf-subnet-1
  annotations:
    core.juniper.net/display-name: Sample Subnet
    core.juniper.net/description: Subnet represents a block of IP addresses and its configuration. IPAM allocates and releases IP address from that block on demand. It can be used by different VirtualNetwork in the mean time.
spec:
  cidr: "172.20.10.0/24"
---
apiVersion: core.contrail.juniper.net/v1alpha1
kind: VirtualNetwork
metadata:
  namespace: rpf-ns
  name: rpf-vn-1
  annotations:
    core.juniper.net/display-name: Sample Virtual Network
    core.juniper.net/description: VirtualNetwork is a collection of end points (interface or ip(s) or MAC(s)) that can communicate with each other by default. It is a collection of subnets whose default gateways are connected by an implicit router
spec:
  v4SubnetReference:
    apiVersion: core.contrail.juniper.net/v1alpha1
    kind: Subnet
    namespace: rpf-ns
    name: rpf-subnet-1
  fabricSNAT: true
  virtualNetworkProperties:
    rpf: enable