[j-nsp] Unicast RPF
Pekka Savola
pekkas at netcore.fi
Thu Jan 9 18:02:10 EST 2003
On Thu, 9 Jan 2003, Jesper Skriver wrote:
> On Thu, Jan 09, 2003 at 03:34:17PM +0000, Rob Walton wrote:
>
> > Hi all,
> >
> > At present I am currently looking into implementing uRPF within
> > our network ('GEANT'), as such we would like to roll the feature out
> > first in a non-traffic-affecting role so that we can observe the
> > implications it would have on the router and production traffic. Our
> > intention is to set the policy so that we accept and log all traffic
> > that fails the check so that we can work on negating legitimate
> > traffic that is taking an asymmetric path. Is it possible to log
> > the flows of traffic that fail the check rather than each packet
> > individually?
>
> Not to my knowledge, but that's trivial to get from the logged
> information.
>
> > Any ideas or information would be greatly appreciated.
>
> interfaces {
>     foo {
>         unit 0 {
>             family inet {
>                 rpf-check fail-filter allow-and-log;
>             }
>         }
>     }
> }
You forgot the statement:

routing-options {
    forwarding-table {
        unicast-reverse-path active-paths;
    }
}

(or 'feasible-paths'), I think?
> firewall {
>     family inet {
>         filter allow-and-log {
>             term allow-and-log {
>                 then {
>                     log;
>                     accept;
>                 }
>             }
>         }
>     }
> }
>
> /Jesper
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>
--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
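Rob asked whether the router can log failing traffic per flow rather than per packet, and Jesper's answer was that the per-flow view is trivial to derive from the per-packet log. The script below, an added example that is not part of the thread and not Juniper's own tooling, does that derivation: it parses per-packet entries in the column layout of `show firewall log` (Time, Filter, Action, Interface, Protocol, Src Addr, Dest Addr; the layout is assumed, not taken from the thread), collapses them into (interface, protocol, src, dst) flows with packet counts and first/last-seen times, and separates sources that can never be legitimately asymmetric (RFC 1918, loopback, link-local, a list chosen here for illustration) from globally routable sources that may need a feasible-paths or per-prefix exception. The sample log lines are constructed, not captured from a router.

```python
"""Collapse per-packet firewall log entries into per-flow counts.

Added example (not from the juniper-nsp thread). Assumes the
``show firewall log`` column layout; the log text is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, NamedTuple, Tuple

# Constructed sample in the assumed layout (Time Filter Action Interface Protocol Src Dst).
SAMPLE_LOG = """\
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
18:02:10  pfe       A      so-0/0/0.0    TCP             198.51.100.7                     192.0.2.10
18:02:10  pfe       A      so-0/0/0.0    TCP             198.51.100.7                     192.0.2.10
18:02:11  pfe       A      so-0/0/0.0    ICMP            203.0.113.9                      192.0.2.20
18:02:11  pfe       A      ge-1/0/0.0    TCP             198.51.100.7                     192.0.2.10
18:02:12  pfe       A      so-0/0/0.0    TCP             198.51.100.7                     192.0.2.10
18:02:12  pfe       A      so-0/0/0.0    UDP             10.0.0.1                         192.0.2.30
"""

# Illustrative list of source ranges that must never arrive from outside.
# (Assumption for this example; a real deployment would use its own bogon list.)
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]

# One packet entry: HH:MM:SS, filter, action, interface, protocol, src, dst.
ENTRY_RE = re.compile(
    r"^(\d\d:\d\d:\d\d)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


class Flow(NamedTuple):
    interface: str
    protocol: str
    src: str
    dst: str


@dataclass
class FlowStats:
    packets: int = 0
    first_seen: str = ""
    last_seen: str = ""


def parse_entries(text: str) -> Iterator[Tuple[str, ...]]:
    """Yield the seven fields of each packet entry; skip header/blank lines."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.groups()


def aggregate_flows(text: str) -> Dict[Flow, FlowStats]:
    """Collapse per-packet entries into per-flow packet counts."""
    flows: Dict[Flow, FlowStats] = {}
    for time, _filter, _action, ifl, proto, src, dst in parse_entries(text):
        key = Flow(ifl, proto, src, dst)
        stats = flows.setdefault(key, FlowStats(first_seen=time))
        stats.packets += 1
        stats.last_seen = time  # entries are in time order in the buffer
    return flows


def is_bogon(addr: str) -> bool:
    """True if the source address lies in one of the illustrative bogon ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)


def classify(flow: Flow) -> str:
    """Separate obvious spoofing from traffic that may be legitimately asymmetric."""
    if is_bogon(flow.src):
        return "bogon-source"          # can never be a legitimate asymmetric path
    return "candidate-asymmetric"      # real prefix arriving on an unexpected interface


def flow_report(text: str) -> List[Tuple[Flow, int, str]]:
    """Flows sorted by packet count (descending), each with its classification."""
    flows = aggregate_flows(text)
    rows = [(k, v.packets, classify(k)) for k, v in flows.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for flow, packets, verdict in flow_report(SAMPLE_LOG):
        print(f"{packets:4d}  {flow.interface:12s} {flow.protocol:5s} "
              f"{flow.src:>15s} -> {flow.dst:<15s} {verdict}")
```

The "candidate-asymmetric" rows are the ones Rob wants to examine before switching the fail-filter from `accept` to `discard`: a real prefix repeatedly arriving on the wrong interface is exactly the case that `feasible-paths` (rather than `active-paths`) or a per-prefix exception in the fail-filter is meant to cover. The `log` action keeps entries in a small buffer on the router that `show firewall log` displays, so for a long observation window the `syslog` action, which exports each entry to the configured syslog host, is the better input for a script like this.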