[j-nsp] QFX 5100 uRPF
Brian Rak
brak at gameservers.com
Wed Mar 8 12:38:52 EST 2017

Is anyone successfully using rpf-check on QFX5100s?

I'm getting some really weird behavior. If I enable uRPF, then disable
it again, the device still appears to continue to enforce it (spoofed
packets continue to be blocked). I have to restart the device in order
to fully remove RPF.

Also, whenever I enable rpf-check, a whole bunch of legitimate traffic
starts getting dropped. My guess is that this is related to the device
having redundant uplinks and an ECMP default route. I can't really
confirm this, though, since RPF troubleshooting seems non-existent.

Is attempting to use RPF here a mistake? I'd really prefer not to have
to implement per-port ACLs. We're on 16.1 currently; I'll probably try
upgrading once JTAC fixes my account.