ip-tunnel-rpf-check

Syntax

Hierarchy Level

Description

Enable anti-spoofing protection for next-hop-based dynamic tunnels. Reverse path forwarding checks ensure that tunnel traffic is received from a legitimate source through its designated IP tunnel, that is, the source is reachable on the same tunnel on which the packet was received.

When a packet comes from a nondesignated source, the reverse path forwarding check fails in the strict mode, and passes in the loose mode. When a packet comes from a nonexistent source, the reverse path forwarding check fails.

By default, the reverse path forwarding check is in strict mode, in which packets are not forwarded if they are received from a nondesignated tunnel source.

Options

mode (strict | loose)

(Optional) Specify the mode of the reverse path forwarding check to enable anti-spoofing protection for next-hop-based dynamic tunnels.

In the strict mode (default), the reverse path forwarding check fails when the packet is received from a nondesignated tunnel source. The check passes only for packets from designated tunnels.

In the loose mode, the reverse path forwarding check passes even if the packet is received from a nondesignated tunnel source.

When the packet is from a nonexistent tunnel source, the reverse path forwarding check fails in both the strict and loose modes.

  • Default: If you omit the mode statement, the default behavior is strict mode.
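
The following Python model is an added illustration of the strict and loose decisions described above; it is not Junos OS code and does not reflect how the router implements the check. It assumes that "designated" means the longest-prefix route to the packet's source points back through the tunnel the packet arrived on, and that "nonexistent" means no route to the source exists; the tunnel names, prefixes, and function names are constructed for the example.

```python
import ipaddress

# Constructed sample state: inner source prefixes and the dynamic tunnel
# through which each is reachable (tunnel names are hypothetical).
TUNNEL_ROUTES = {
    "10.1.0.0/16": "tunnel-A",
    "10.1.5.0/24": "tunnel-B",   # more specific route via another tunnel
    "10.2.0.0/16": "tunnel-B",
}


def lookup_tunnel(src_ip, routes=TUNNEL_ROUTES):
    """Longest-prefix match: tunnel on which src_ip is reachable, or None."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, tunnel in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, tunnel)
    return best[1] if best else None


def rpf_check(src_ip, rx_tunnel, mode="strict", routes=TUNNEL_ROUTES):
    """Return (passed, reason) for a packet from src_ip received on rx_tunnel."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    expected = lookup_tunnel(src_ip, routes)
    if expected is None:
        return False, "nonexistent source"      # fails in both modes
    if expected == rx_tunnel:
        return True, "designated tunnel"        # passes in both modes
    # Source is known, but reachable through a different tunnel.
    return mode == "loose", "nondesignated tunnel"


def audit(packets, mode):
    """Return the packets that fail the check, as (src, tunnel, reason)."""
    failed = []
    for src, tunnel in packets:
        ok, reason = rpf_check(src, tunnel, mode)
        if not ok:
            failed.append((src, tunnel, reason))
    return failed


if __name__ == "__main__":
    # Constructed packets: (inner source address, tunnel it arrived on).
    sample = [("10.1.9.9", "tunnel-A"), ("10.1.5.7", "tunnel-A"),
              ("10.2.3.4", "tunnel-A"), ("192.0.2.10", "tunnel-B")]
    for m in ("strict", "loose"):
        print(m, audit(sample, m))
```

In this model, loose mode still drops the packet whose source has no route at all, so switching modes changes the outcome only for sources that are known but arrive on the wrong tunnel.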

fail-filter filter-name

(Optional) Attach a filter to the Layer 3 VPN to log packets that failed the reverse path forwarding check.

Required Privilege Level

routing—To view this statement in the configuration.

routing-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 17.1.