[j-nsp] Unicast RPF
Jesper Skriver
jesper at skriver.dk
Thu Jan 9 16:57:55 EST 2003
On Thu, Jan 09, 2003 at 03:34:17PM +0000, Rob Walton wrote:
> Hi all,
>
> At present I am currently looking into implementing uRPF within
> our network ('GEANT'), as such we would like to roll the feature out
> first in a non-traffic-affecting role so that we can observe the
> implications it would have on the router and production traffic. Our
> intention is to set the policy so that we accept and log all traffic
> that fails the check so that we can work on negating legitimate
> traffic that is taking an asymmetric path. Is it possible to log
> the flows of traffic that fail the check rather than each packet
> individually?
Not to my knowledge, but that's trivial to get from the logged
information.
> Any ideas or information would be greatly appreciated.
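interfaces {
    foo {
        unit 0 {
            family inet {
                /* packets that fail the uRPF check go to this filter instead of being dropped */
                rpf-check fail-filter allow-and-log;
            }
        }
    }
}
firewall {
    family inet {
        filter allow-and-log {
            term allow-and-log {
                /* no match conditions: log and accept everything handed to the filter */
                then {
                    log;
                    accept;
                }
            }
        }
    }
}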
/Jesper
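
Added example, not part of the original message: one way to collapse the per-packet entries written by the allow-and-log filter into flows, so that sources arriving on an unexpected interface stand out. The column layout is an assumption modelled on `show firewall log` output, and the sample lines and function names are constructed for illustration.

```python
from collections import OrderedDict

# Constructed sample input (not from the original post). Column order is an
# assumption modelled on `show firewall log`:
# time, filter, action, interface, protocol, source, destination.
SAMPLE_LOG = """\
Time      Filter    Action Interface     Protocol  Src Addr         Dest Addr
16:41:02  pfe       A      so-0/0/0.0    TCP       192.0.2.10       198.51.100.5
16:41:02  pfe       A      so-0/0/0.0    TCP       192.0.2.10       198.51.100.5
16:41:03  pfe       A      so-0/0/0.0    UDP       203.0.113.77     198.51.100.9
16:41:05  pfe       A      so-0/0/0.0    TCP       192.0.2.10       198.51.100.5
16:41:07  pfe       A      ge-1/0/0.0    ICMP      203.0.113.77     198.51.100.9
"""


def aggregate_flows(text):
    """Collapse per-packet log lines into flows keyed on
    (interface, protocol, source, destination)."""
    flows = OrderedDict()
    for line in text.splitlines():
        fields = line.split()
        # Skip the header, blank lines and anything that is not a 7-column entry.
        if len(fields) != 7 or fields[0] == "Time":
            continue
        when, _filter, _action, ifname, proto, src, dst = fields
        key = (ifname, proto, src, dst)
        flow = flows.setdefault(key, {"packets": 0, "first": when, "last": when})
        flow["packets"] += 1
        flow["last"] = when
    return flows


def report(flows):
    """Return one line per flow, busiest first."""
    ordered = sorted(flows.items(), key=lambda kv: -kv[1]["packets"])
    return [
        f"{ifname} {proto} {src} -> {dst} packets={f['packets']} "
        f"first={f['first']} last={f['last']}"
        for (ifname, proto, src, dst), f in ordered
    ]


if __name__ == "__main__":
    print("\n".join(report(aggregate_flows(SAMPLE_LOG))))
```

Keeping the ingress interface in the flow key shows where each failing source enters, which is the information needed to tell asymmetric but legitimate paths from spoofed traffic.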