Example: Configuring Unicast RPF (On a Switch)
This example shows how to help defend ingress interfaces against denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks by configuring unicast RPF (uRPF) to filter incoming traffic.
Requirements
This example uses two EX switches, referred to in this topic as Switch A and Switch B. Certain EX switch models allow you to configure uRPF on individual interfaces. Whereas on certain EX switch models you cannot configure individual interfaces for uRPF – the switch applies uRPF globally to all interfaces on the switch.
-
Any Junos OS release for EX switches but not earlier than Junos OS Release 10.1
-
Two EX switches that support uRPF configuration on individual interfaces.
Before you begin, ensure you have:
-
Connected the two switches by symmetrically routed interfaces.
-
Ensured that the interface on which you will configure unicast RPF is symmetrically routed. A symmetrically routed interface is an interface that uses the same route in both directions between the source and the destination. Do not enable unicast RPF on asymmetrically routed interfaces. An asymmetrically routed interface uses different paths to send and receive packets between the source and the destination.
-
In this example, if you are using EX switches that apply uRPF globally to all interfaces, then ensure that all switch interfaces are symmetrically routed before you enable unicast RPF on an interface. When you enable unicast RPF on any interface, it is enabled globally on all switch interfaces. Do not enable unicast RPF on asymmetrically routed interfaces. An asymmetrically routed interface uses different paths to send and receive packets between the source and the destination.
Overview and Topology
In this example, an enterprise network's system administrator wants to protect Switch A against potential DoS and DDoS attacks from the Internet. The administrator configures unicast RPF on interface xe-0/0/4 on Switch A. Packets arriving on interface xe-0/0/4 on Switch A from the Switch B source also use incoming interface xe-0/0/4 as the best return path to send packets back to the source. In this topology, Switch A and Switch B are both connected by symmetrically routed interfaces.
-
Switch A is on the edge of an enterprise network. The interface xe-0/0/4 on Switch A connects to the interface xe-0/0/5 on Switch B.
-
Switch B is on the edge of the service provider network that connects the enterprise network to the Internet.
Topology
Configuration
To enable unicast RPF, perform these tasks:
Procedure
CLI Quick Configuration
To quickly configure unicast RPF on Switch A, copy the following command and paste it into the switch terminal window:
[edit interfaces] set xe-0/0/4 unit 0 family inet rpf-check
Step-by-Step Procedure
To configure unicast RPF on Switch A:
-
Enable unicast RPF on interface xe-0/0/4:
[edit interfaces] user@switch# set xe-0/0/4 unit 0 family inet rpf-check
Results
Check the results:
[edit interfaces]
user@switch# show
xe-0/0/4 {
unit 0 {
family inet {
rpf-check;
}
}
}
Disabling Unicast RPF
Procedure
Step-by-Step Procedure
Verification
Unicast reverse-path forwarding (RPF) can help protect your LAN from denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks on untrusted interfaces. Unicast RPF filters traffic with source addresses that do not use the incoming interface as the best return path back to the source. If the network configuration changes so that an interface that has unicast RPF enabled becomes a trusted interface or becomes asymmetrically routed (the interface that receives a packet is not the best return path to the packet’s source), disable unicast RPF.
To disable uRPF on EX switches that apply uRPF globally to all interfaces, you must
delete it from every interface on which you explicitly configured it. If you do not
disable unicast RPF on every interface on which you explicitly enabled it, it remains
implicitly enabled on all interfaces. If you attempt to delete unicast RPF from an
interface on which it was not explicitly enabled, the warning: statement not
found message appears. If you do not disable unicast RPF on every interface on
which you explicitly enabled it, unicast RPF remains implicitly enabled on all
interfaces.
On EX switch models that allow you to configure uRPF on individual interfaces, the switch does not apply unicast RPF to an interface unless you explicitly enable that interface for unicast RPF.
To disable unicast RPF, delete its configuration from the interface:
[edit interfaces]user@switch# delete xe-0/0/4 unit 0 family inet rpf-check
Verifying That Unicast RPF Is Enabled on the Switch
Purpose
Verify that unicast RPF is enabled and working on the interface.
Action
Use one of the show interfaces interface-name
commands with either the extensive or
detail options to verify that unicast RPF is enabled and
working on the switch. The example below displays output from the show
interfaces ge- extensive command.
user@switch> show interfaces xe-0/0/4.0 extensive
Physical interface: xe-0/0/4, Enabled, Physical link is Up
Interface index: 147, SNMP ifIndex: 659
Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Speed: 10Gbps, BPDU Error: None, Loop Detect PDU Error: None, Ethernet-Switching Error: None,
MAC-REWRITE Error: None, Loopback: None, Source filtering: Disabled, Flow control: Enabled, Speed Configuration: Auto
Device flags : Present Running
Interface flags: SNMP-Traps Internal: 0x4000
Link flags : None
CoS queues : 8 supported, 8 maximum usable queues
Current address: 84:c1:c1:7b:a8:04, Hardware address: 84:c1:c1:7b:a8:04
Last flapped : 2023-04-04 10:34:13 PDT (00:01:29 ago)
Input rate : 0 bps (0 pps)
Output rate : 0 bps (0 pps)
Active alarms : None
Active defects : None
PCS statistics Seconds
Bit errors 2
Errored blocks 2
Link Degrade :
Link Monitoring : Disable
Interface transmit statistics: Disabled
Logical interface xe-0/0/4.0 (Index 335) (SNMP ifIndex 696)
Flags: Up SNMP-Traps 0x4004000 Encapsulation: ENET2
Input packets : 0
Output packets: 1
Protocol inet, MTU: 1500
Max nh cache: 100000, New hold nh limit: 100000, Curr nh cnt: 0, Curr new hold cnt: 0, NH drop cnt: 0
Flags: Sendbcast-pkt-to-re, uRPF
Addresses, Flags: Is-Preferred Is-Primary
Destination: 10.0.1/24, Local: 10.0.1.1, Broadcast: 10.0.1.255
Protocol multiservice, MTU: Unlimited
Flags: Is-Primary
Meaning
The show interfaces xe-0/0/4 extensive command (and the show
interfaces xe-0/0/4 detail command) displays in-depth information about the
interface. The Flags: output field near the bottom of the display
reports the unicast RPF status. If unicast RPF has not been enabled, the
uRPF flag is not displayed.
On EX switches that apply uRPF globally to all interfaces, uRPF is implicitly enabled on all switch interfaces, including aggregated Ethernet interfaces (also referred to as link aggregation groups or LAGs) and routed VLAN interfaces (RVIs) when you enable uRPF on a single interface. However, the uRPF status is shown as enabled only on interfaces for which you have explicitly configured uRPF. Thus, the uRPF flag is not displayed on interfaces for which you have not explicitly configured uRPF even though uRPF is implicitly enabled on all interfaces.
Troubleshooting Unicast RPF
Legitimate Packets Are Discarded
Problem
The switch filters valid packets from legitimate sources, which results in the switch's discarding packets that should be forwarded.
Solution
The interface or interfaces on which legitimate packets are discarded are asymmetrically routed interfaces. An asymmetrically routed interface uses different paths to send and receive packets between the source and the destination, so the interface that receives a packet is not the same interface the switch uses to reply to the packet's source.
Unicast RPF works properly only on symmetrically routed interfaces. A symmetrically routed interface is an interface that uses the same route in both directions between the source and the destination. Unicast RPF filters packets by checking the forwarding table for the best return path to the source of an incoming packet. If the best return path uses the same interface as the interface that received the packet, the switch forwards the packet. If the best return path uses a different interface than the interface that received the packet, the switch discards the packet.
On EX switches that apply uRPF globally to all interfaces, uRPF works properly only if all switch interfaces—including aggregated Ethernet interfaces (also referred to as link aggregation groups or LAGs), integrated routing and bridging (IRB) interfaces, and routed VLAN interfaces (RVIs)—are symmetrically routed, because unicast RPF is enabled globally on all switch interfaces.