[j-nsp] QFX 5100 uRPF

Hugo Slabbert hugo at slabnet.com
Wed Mar 8 13:48:48 EST 2017


On Wed 2017-Mar-08 12:38:52 -0500, Brian Rak <brak at gameservers.com> wrote:

>Is anyone successfully using rpf-check on QFX5100s?
>
>I'm getting some really weird behavior... If I enable uRPF, then 
>disable it again, the device still appears to continue to enforce it. 
>(Spoofed packets continue to be blocked.)  I have to restart the 
>device in order to fully remove RPF.
>
>Also, whenever I enable rpf-check, a whole bunch of legitimate 
>traffic starts getting dropped.  My guess is that this is related to 
>the device having redundant uplinks, and an ECMP default route.  I 
>can't really confirm this though, since RPF troubleshooting seems 
>non-existent.

Mixing redundant / asymmetric paths and uRPF needs to be done carefully.  
Are you doing strict or loose RPF?  What legitimate traffic is being 
dropped (e.g. specific types/classes of traffic or seemingly random)?  Do 
you have an exception filter defined to log/catch/exclude certain traffic?  
E.g. on SRX used as CPE we needed to define an exception filter so that 
DHCP discover packets don't get dropped.

>Is attempting to use RPF here a mistake?  I'd really prefer not to 
>have to implement per-port ACLs.  We're on 16.1 currently, I'll 
>probably try upgrading once JTAC fixes my account.

-- 
Hugo Slabbert       | email, xmpp/jabber: hugo at slabnet.com
pgp key: B178313E   | also on Signal
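As an added illustration of the exception-filter approach Hugo describes (not configuration from either poster), the fragment below shows loose-mode uRPF on one interface with a fail-filter that lets DHCP DISCOVER (source 0.0.0.0, UDP/67) through and counts and logs every other RPF failure, which gives you something to look at when "legitimate" traffic disappears. Interface name and address are placeholders; the rpf-check and fail-filter syntax is standard Junos, but whether fail-filter is supported on the QFX5100 in a given release is an assumption to verify against the release notes.

```junos
/* Added example: RPF-failure exception filter. Packets that fail the
   rpf-check are run through this filter; "accept" lets them pass,
   anything else is dropped, so the final term counts and logs before
   discarding so the drops become visible in the counters/syslog. */
firewall {
    family inet {
        filter RPF-FAIL-EXCEPTIONS {
            /* DHCP DISCOVER/REQUEST from an unconfigured client has
               source 0.0.0.0 and can never pass an RPF lookup. */
            term ALLOW-DHCP-DISCOVER {
                from {
                    source-address {
                        0.0.0.0/32;
                    }
                    protocol udp;
                    destination-port 67;
                }
                then accept;
            }
            /* Everything else that failed RPF: count, log, drop. */
            term LOG-AND-DROP {
                then {
                    count rpf-fail;
                    syslog;
                    discard;
                }
            }
        }
    }
}
interfaces {
    /* placeholder interface and address */
    xe-0/0/0 {
        unit 0 {
            family inet {
                rpf-check {
                    /* "loose" only requires a route to the source,
                       which tolerates ECMP/asymmetric return paths;
                       "strict" also requires the route to point back
                       out this interface. */
                    mode loose;
                    fail-filter RPF-FAIL-EXCEPTIONS;
                }
                address 192.0.2.1/30;
            }
        }
    }
}
```

With this in place, "show firewall filter RPF-FAIL-EXCEPTIONS" shows the rpf-fail counter, so you can tell whether the drops are RPF-related before changing modes or adding more exceptions.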