[j-nsp] Unicast RPF

Jesper Skriver jesper at skriver.dk
Thu Jan 9 17:23:46 EST 2003


On Thu, Jan 09, 2003 at 06:02:10PM +0200, Pekka Savola wrote:
> On Thu, 9 Jan 2003, Jesper Skriver wrote:
> > On Thu, Jan 09, 2003 at 03:34:17PM +0000, Rob Walton wrote:
> > 
> > > Hi all,
> > >
> > >       At present I am currently looking into implementing uRPF within
> > > our network ('GEANT'), as such we would like to roll the feature out
> > > first in a non-traffic-affecting role so that we can observe the
> > > implications it would have on the router and production traffic. Our
> > > intention is to set the policy so that we accept and log all traffic
> > > that fails the check so that we can work on negating legitimate
> > > traffic that is taking an asymmetric path. Is it possible to log
> > > the flows of traffic that fail the check rather than each packet
> > > individually?
> > 
> > Not to my knowledge, but that's trivial to get from the logged
> > information.
> > 
> > > Any ideas or information would be greatly appreciated.
> > 
> > interfaces {
> >   foo {
> >     unit 0 {
> >       family inet {
> >         rpf-check fail-filter allow-and-log;
> >       }
> >     }
> >   }
> > }
> 
> You forgot the statement:
> 
> routing-options {
>      forwarding-table {
>          unicast-reverse-path active-paths;
>      }
> }
> 
> (or 'feasible-paths'), I think?

That is the equivalent of

interfaces {
  foo {
    unit 0 {
      family inet {
        rpf-check fail-filter allow-and-log;
        mode [ loose | strict ];
      }
    }
  }
}

Strict is the default and is equivalent to your version using
active-paths; loose mode is your version with feasible-paths.

/Jesper

-- 
Jesper Skriver, jesper(at)skriver(dot)dk  -  CCIE #5456
Senior network engineer @ AS3292, TDC

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
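
Added example, not part of the original message: one way to turn the per-packet records written by the allow-and-log fail-filter into per-flow counts, as the thread says can be done from the logged information. The column layout (time, filter, action, interface, protocol, source, destination), the sample records and the name aggregate_flows are assumptions made for this illustration.

```python
from collections import namedtuple

# Constructed sample records (not from the thread). Assumed columns:
# time, filter, action, interface, protocol, source, destination.
SAMPLE_LOG = """\
Time      Filter    Action Interface     Protocol  Src Addr         Dest Addr
17:01:02  pfe       A      so-0/0/0.0    TCP       192.0.2.10       198.51.100.5
17:01:02  pfe       A      so-0/0/0.0    TCP       192.0.2.10       198.51.100.5
17:01:03  pfe       A      so-0/0/0.0    UDP       203.0.113.7      198.51.100.9
17:01:05  pfe       A      so-0/0/0.0    TCP       192.0.2.10       198.51.100.5
17:01:09  pfe       A      so-1/0/0.0    ICMP      203.0.113.7      198.51.100.9
"""

Flow = namedtuple("Flow", "interface protocol src dst packets first last")


def aggregate_flows(text):
    """Collapse per-packet RPF-failure records into one entry per flow.

    A flow is keyed on (interface, protocol, source, destination), which is
    all the assumed record format carries; ports are not available.
    """
    flows = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, the header row (9 tokens) and malformed records.
        if len(fields) != 7:
            continue
        time, _filter, _action, ifname, proto, src, dst = fields
        key = (ifname, proto.lower(), src, dst)
        old = flows.get(key)
        if old is None:
            flows[key] = Flow(*key, packets=1, first=time, last=time)
        else:
            # HH:MM:SS strings compare correctly as text within one day.
            flows[key] = old._replace(packets=old.packets + 1,
                                      first=min(old.first, time),
                                      last=max(old.last, time))
    # Busiest flows first; ties ordered by key so the output is stable.
    return sorted(flows.values(), key=lambda f: (-f.packets, f[:4]))


if __name__ == "__main__":
    for f in aggregate_flows(SAMPLE_LOG):
        print(f"{f.interface:12} {f.protocol:5} {f.src:15} -> {f.dst:15} "
              f"{f.packets:3} pkts  {f.first}-{f.last}")
```

Sources that keep appearing on the same interface are the candidates for legitimate asymmetric traffic to account for before the check is switched from logging to dropping.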

