[j-nsp] QFX 5100 uRPF
Hugo Slabbert
hugo at slabnet.com
Wed Mar 8 13:48:48 EST 2017
On Wed 2017-Mar-08 12:38:52 -0500, Brian Rak <brak at gameservers.com> wrote:
>Is anyone successfully using rpf-check on QFX5100's?
>
>I'm getting some really weird behavior. If I enable uRPF, then
>disable it again, the device still appears to continue to enforce it.
>(Spoofed packets continue to be blocked). I have to restart the
>device in order to fully remove RPF.
>
>Also, whenever I enable rpf-check, a whole bunch of legitimate
>traffic starts getting dropped. My guess is that this is related to
>the device having redundant uplinks, and an ECMP default route. I
>can't really confirm this though, since RPF troubleshooting seems
>non-existent.
Mixing redundant / asymmetric paths and uRPF needs to be done carefully.
Are you doing strict or loose RPF? What legitimate traffic is being
dropped (e.g. specific types/classes of traffic or seemingly random)? Do
you have an exception filter defined to log/catch/exclude certain traffic?
E.g. on SRX used as CPE we needed to define an exception filter so that
DHCP discover packets don't get dropped.
>Is attempting to use RPF here a mistake? I'd really prefer not to
>have to implement per-port ACLs. We're on 16.1 currently, I'll
>probably try upgrading once JTAC fixes my account.
--
Hugo Slabbert | email, xmpp/jabber: hugo at slabnet.com
pgp key: B178313E | also on Signal
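An added example, not from this thread, of the exception-filter arrangement Hugo describes, written in Junos configuration syntax as used on SRX/MX; the interface name, filter name, prefixes and counter name are assumed values:

```junos
/* Loose-mode uRPF on an interface that sees asymmetric/ECMP return traffic,
   with a fail-filter that rescues DHCP client packets (source 0.0.0.0) and
   counts/logs everything else that fails the check.
   Interface, filter name, addresses and counter name are assumptions. */
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                /* loose: pass if any route to the source exists; strict also
                   requires that route to point back out this interface */
                rpf-check {
                    mode loose;
                    fail-filter rpf-fail-exceptions;
                }
                address 192.0.2.1/24;
            }
        }
    }
}
firewall {
    family inet {
        filter rpf-fail-exceptions {
            /* DHCP DISCOVER/REQUEST from an unconfigured client is sourced
               from 0.0.0.0 and always fails uRPF, so accept it explicitly */
            term allow-dhcp-client {
                from {
                    source-address {
                        0.0.0.0/32;
                    }
                    destination-address {
                        255.255.255.255/32;
                    }
                    protocol udp;
                    destination-port 67;
                }
                then accept;
            }
            /* Everything else that failed RPF: count and log so the drops
               are visible, then discard (the implicit default anyway) */
            term count-and-drop {
                then {
                    count rpf-fail;
                    log;
                    discard;
                }
            }
        }
    }
}
```

The fail-filter is evaluated only for packets that fail the RPF lookup, so `show firewall filter rpf-fail-exceptions` shows the counter and `show firewall log` the logged packets, which gives the troubleshooting visibility the thread says is missing.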