[j-nsp] default uRPF strict on irb interface accepts DHCP?

Jason Lixfeld jason-jnsp at lixfeld.ca
Wed Jul 6 11:56:57 EDT 2016 

Hi,

I’m trying to understand some counterintuitive behaviour I’m seeing with uRPF strict and DHCP on a EX9200/14.2R4.9

According to the documentation[1], uRPF will not, by default, permit DHCP or BOOTP, however the actual behaviour seems to be inconsistent with the documentation:

set interfaces ge-0/2/2 speed 1g
set interfaces ge-0/2/2 hold-time up 10000
set interfaces ge-0/2/2 hold-time down 0
set interfaces ge-0/2/2 ether-options auto-negotiation
set interfaces ge-0/2/2 ether-options no-flow-control
set interfaces ge-0/2/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/2/2 unit 0 family ethernet-switching vlan members DHCP-TEST
set interfaces ge-0/2/2 unit 0 family ethernet-switching storm-control DEFAULT
set interfaces ge-0/2/2 unit 0 family ethernet-switching recovery-timeout 60
set vlans DHCP-TEST vlan-id 1000
set vlans DHCP-TEST l3-interface irb.1000
set vlans DHCP-TEST forwarding-options dhcp-security arp-inspection
set vlans DHCP-TEST forwarding-options dhcp-security ip-source-guard
set interfaces irb unit 1000 family inet rpf-check
set interfaces irb unit 1000 family inet address 69.69.69.1/24
set routing-instances INET instance-type vrf
set routing-instances INET system services dhcp-local-server group DHCP-TEST interface irb.1000
set routing-instances INET access address-assignment pool DHCP-TEST family inet network 69.69.69.0/24
set routing-instances INET access address-assignment pool DHCP-TEST family inet range DHCP-TEST low 69.69.69.2
set routing-instances INET access address-assignment pool DHCP-TEST family inet range DHCP-TEST high 69.69.69.254
set routing-instances INET access address-assignment pool DHCP-TEST family inet dhcp-attributes name-server 66.207.192.6
set routing-instances INET access address-assignment pool DHCP-TEST family inet dhcp-attributes name-server 206.223.173.7
set routing-instances INET access address-assignment pool DHCP-TEST family inet dhcp-attributes router 69.69.69.1
set routing-instances INET interface irb.1000
set routing-instances INET route-distinguisher 21949:4
set routing-instances INET vrf-target target:21949:4

ario at lab01.juniper# run show dhcp server binding routing-instance INET

[edit]
ario at lab01.juniper# run show arp vpn INET

[edit]
ario at lab01.juniper#

After I run dhclient on my Linux box, I’m served a lease with no issues at all:

ario at lab01.juniper# run show dhcp server binding routing-instance INET

IP address        Session Id  Hardware address   Expires     State      Interface
69.69.69.5        15          00:0c:bd:08:80:9d  86370       BOUND      irb.1000

[edit]
ario at lab01.juniper# run show interfaces irb.1000 extensive | match RPF
      Flags: Sendbcast-pkt-to-re, uRPF
      RPF Failures: Packets: 0, Bytes: 0

[edit]
ario at lab01.juniper# run show arp vpn INET
MAC Address       Address         Name                      Interface               Flags
00:0c:bd:08:80:9d 69.69.69.5      nj-69-69-69-5.sta.embarqh irb.1000 [ge-0/2/2.0]   none

[edit]
ario at lab01.juniper#

While I don’t see any specific reference in the docs to differences in behaviour using irb interfaces, is it possible there are in fact differences and I just haven’t found the correct docs that outline what they are?  Or is there something else that I’m missing?

[1]http://www.juniper.net/documentation/en_US/junos14.2/topics/usage-guidelines/interfaces-configuring-unicast-rpf.html

Thanks in advance!

More information about the juniper-nsp mailing list