[j-nsp] Unicast RPF
Jesper Skriver
jesper at skriver.dk
Thu Jan 9 17:23:46 EST 2003
On Thu, Jan 09, 2003 at 06:02:10PM +0200, Pekka Savola wrote:
> On Thu, 9 Jan 2003, Jesper Skriver wrote:
> > On Thu, Jan 09, 2003 at 03:34:17PM +0000, Rob Walton wrote:
> >
> > > Hi all,
> > >
> > > At present I am currently looking into implementing uRPF within
> > > our network ('GEANT'), as such we would like to roll the feature out
> > > first in a non-traffic-affecting role so that we can observe the
> > > implications it would have on the router and production traffic. Our
> > > intention is to set the policy so that we accept and log all traffic
> > > that fails the check so that we can work on negating legitimate
> > > traffic that is taking an asymmetric path. Is it possible to log
> > > the flows of traffic that fail the check rather than each packet
> > > individually?
> >
> > Not to my knowledge, but that's trivial to get from the logged
> > information.
> >
> > > Any ideas or information would be greatly appreciated.
> >
> >     interfaces {
> >         foo {
> >             unit 0 {
> >                 family inet {
> >                     rpf-check fail-filter allow-and-log;
> >                 }
> >             }
> >         }
> >     }
>
> You forgot the statement:
>
>     routing-options {
>         forwarding-table {
>             unicast-reverse-path active-paths;
>         }
>     }
>
> (or 'feasible-paths'), I think?

That is the equivalent of

    interfaces {
        foo {
            unit 0 {
                family inet {
                    rpf-check fail-filter allow-and-log;
                    mode [ loose | strict ];
                }
            }
        }
    }

strict is the default and is equivalent to your version using
active-paths; loose mode is your version with feasible-paths

/Jesper
--
Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456
Senior network engineer @ AS3292, TDC
One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
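
Added example, not part of the original message or of any Juniper tooling: one way to collapse per-packet fail-filter log entries into flows, which is the post-processing step the thread calls trivial. The log layout (interface, action, protocol, source, destination, ports), the sample lines and all function names are assumptions constructed for illustration; adapt the regular expression to the format your router actually emits.

```python
import re
from collections import Counter

# Constructed sample lines (not from the original thread). Assumed layout per
# logged packet: interface, action, protocol, source, destination, ports.
# For ICMP the last two fields are taken to be type and code.
SAMPLE_LOG = """\
ge-0/0/0.0 A tcp 192.0.2.10 198.51.100.5 40001 80
ge-0/0/0.0 A tcp 192.0.2.10 198.51.100.5 40001 80
ge-0/0/0.0 A tcp 192.0.2.10 198.51.100.5 40001 80
ge-0/0/1.0 A udp 203.0.113.7 198.51.100.53 5353 53
ge-0/0/0.0 A icmp 192.0.2.99 198.51.100.5 8 0
this line is malformed and is counted as skipped
ge-0/0/1.0 A udp 203.0.113.7 198.51.100.53 5353 53
"""

LINE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<action>[A-Z])\s+(?P<proto>\w+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s*$"
)

def aggregate_flows(text):
    """Collapse per-packet entries into flows keyed on interface + 5-tuple."""
    flows, skipped = Counter(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1  # keep a count so parsing gaps are visible
            continue
        key = (m["ifname"], m["proto"], m["src"], m["dst"],
               int(m["sport"]), int(m["dport"]))
        flows[key] += 1
    return flows, skipped

def sources_by_interface(flows):
    """Packets per (interface, source): candidates for asymmetric-path review."""
    out = Counter()
    for (ifname, _proto, src, _dst, _sp, _dp), packets in flows.items():
        out[(ifname, src)] += packets
    return out

if __name__ == "__main__":
    flows, skipped = aggregate_flows(SAMPLE_LOG)
    for key, packets in flows.most_common():
        print(packets, *key)
    print("skipped lines:", skipped)
```

Sources that fail the check repeatedly on the same interface are the ones to compare against the routing table before moving from accept-and-log to discarding.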