[j-nsp] Question about loose-mode RPF
Pedro Roque Marques
roque at juniper.net
Wed Oct 19 13:12:12 EDT 2005
Chris Adams wrote:
> We recently replaced a couple of our core Cisco routers with a Juniper,
> and I'm still working out a few things that are different.
>
> One thing I've noticed is that loose-mode RPF doesn't discount discard
> routes. On our Ciscos, routing something to Null0 means that loose uRPF
> drops traffic from that block. The Juniper doesn't appear to do that
> for discard routes.
>
> The Cisco behavior is useful for us; when we get a "problem" IP (such as
> an SSH scanner), we can null route the IP and the inbound traffic is
> dropped as well. I had been planning on setting up an internal dynamic
> blocking server (using BGP to propagate routes for bad IPs with a
> community to null-route the routes).
>
> Is there a way to get similar behavior on a Juniper?
>
Several ways... as has been discussed in another thread yesterday.
You can use SCU to tag a route, instead of relying on the Null0
next-hop. This will give you the equivalent behaviour to what you get on
the Cisco.
i.e.
1. rpf-check will accept all routes in table and apply SCU.
2. [forwarding-options family inet filter input <x>] can
drop/redirect/mangle traffic flows that were tagged w/ a given source
class.
If you have a more specific fingerprint of the traffic you want special
processing for, you can use the "family inet flow" functionality in 7.3.
Pedro.
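The two steps above, written out as a Junos configuration sketch. This is an added example, not configuration from the original thread or from Juniper; the policy name, community value (65000:666), source class name, filter name, interface and address are placeholders. It assumes the null-route prefixes arrive via BGP carrying the blackhole community (as Chris described), that loose-mode rpf-check is what lets the source lookup classify the prefix, and that source-class-usage accounting is enabled on the ingress interface so the source-class match in the forwarding-table filter is evaluated.

```junos
/* Step 1: tag routes carrying the blackhole community with a source class
   instead of pointing them at a discard next-hop. The policy is applied as a
   forwarding-table export so the class is installed with the route. */
policy-options {
    community BLACKHOLE members 65000:666;   /* placeholder value */
    policy-statement TAG-BLACKHOLE-SOURCES {
        term blackhole-routes {
            from {
                protocol bgp;
                community BLACKHOLE;
            }
            then {
                source-class BLOCKED;
                accept;
            }
        }
        term everything-else {
            then accept;
        }
    }
}
routing-options {
    forwarding-table {
        export TAG-BLACKHOLE-SOURCES;
    }
}

/* Loose-mode RPF accepts any source with a route in the table (the tagged
   prefixes included); SCU accounting makes the source class available to
   filters on this interface. */
interfaces {
    ge-0/0/0 {                                /* placeholder edge interface */
        unit 0 {
            family inet {
                rpf-check {
                    mode loose;
                }
                accounting {
                    source-class-usage {
                        input;
                    }
                }
                address 192.0.2.1/30;         /* documentation range */
            }
        }
    }
}

/* Step 2: a forwarding-table filter drops (and counts) flows whose source
   was tagged with the BLOCKED class; all other traffic is accepted. */
firewall {
    family inet {
        filter DROP-BLOCKED-SOURCES {
            term drop-blocked {
                from {
                    source-class BLOCKED;
                }
                then {
                    count blocked-sources;
                    discard;
                }
            }
            term permit {
                then accept;
            }
        }
    }
}
forwarding-options {
    family inet {
        filter {
            input DROP-BLOCKED-SOURCES;
        }
    }
}
```

After commit, `show firewall filter DROP-BLOCKED-SOURCES` shows the drop counter, and `show interfaces source-class` on the edge interface lists the per-class byte and packet counts, which gives you a way to confirm the tag is actually being applied before you rely on it for dropping.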