Hi, I’m trying to understand some counterintuitive behaviour I’m seeing with uRPF strict and DHCP on an EX9200 running 14.2R4.9.

According to the documentation[1], uRPF will not, by default, permit DHCP or BOOTP; however, the actual behaviour seems to be inconsistent with the documentation:

set interfaces ge-0/2/2 speed 1g
set interfaces ge-0/2/2 hold-time up 10000
set interfaces ge-0/2/2 hold-time down 0
set interfaces ge-0/2/2 ether-options auto-negotiation
set interfaces ge-0/2/2 ether-options no-flow-control
set interfaces ge-0/2/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/2/2 unit 0 family ethernet-switching vlan members DHCP-TEST
set interfaces ge-0/2/2 unit 0 family ethernet-switching storm-control DEFAULT
set interfaces ge-0/2/2 unit 0 family ethernet-switching recovery-timeout 60
set vlans DHCP-TEST vlan-id 1000
set vlans DHCP-TEST l3-interface irb.1000
set vlans DHCP-TEST forwarding-options dhcp-security arp-inspection
set vlans DHCP-TEST forwarding-options dhcp-security ip-source-guard
set interfaces irb unit 1000 family inet rpf-check
set interfaces irb unit 1000 family inet address 69.69.69.1/24
set routing-instances INET instance-type vrf
set routing-instances INET system services dhcp-local-server group DHCP-TEST interface irb.1000
set routing-instances INET access address-assignment pool DHCP-TEST family inet network 69.69.69.0/24
set routing-instances INET access address-assignment pool DHCP-TEST family inet range DHCP-TEST low 69.69.69.2
set routing-instances INET access address-assignment pool DHCP-TEST family inet range DHCP-TEST high 69.69.69.254
set routing-instances INET access address-assignment pool DHCP-TEST family inet dhcp-attributes name-server 66.207.192.6
set routing-instances INET access address-assignment pool DHCP-TEST family inet dhcp-attributes name-server 206.223.173.7
set routing-instances INET access address-assignment pool DHCP-TEST family inet dhcp-attributes router 69.69.69.1
set routing-instances INET interface irb.1000
set routing-instances INET route-distinguisher 21949:4
set routing-instances INET vrf-target target:21949:4

ario@lab01.juniper# run show dhcp server binding routing-instance INET

[edit]
ario@lab01.juniper# run show arp vpn INET

[edit]
ario@lab01.juniper#

After I run dhclient on my Linux box, I’m served a lease with no issues at all:

ario@lab01.juniper# run show dhcp server binding routing-instance INET
IP address        Session Id  Hardware address   Expires     State      Interface
69.69.69.5        15          00:0c:bd:08:80:9d  86370       BOUND      irb.1000

[edit]
ario@lab01.juniper# run show interfaces irb.1000 extensive | match RPF
  Flags: Sendbcast-pkt-to-re, uRPF
  RPF Failures: Packets: 0, Bytes: 0

[edit]
ario@lab01.juniper# run show arp vpn INET
MAC Address       Address         Name                        Interface              Flags
00:0c:bd:08:80:9d 69.69.69.5      nj-69-69-69-5.sta.embarqh   irb.1000 [ge-0/2/2.0]  none

[edit]
ario@lab01.juniper#

While I don’t see any specific reference in the docs to differences in behaviour using irb interfaces, is it possible there are in fact differences and I just haven’t found the correct docs that outline what they are? Or is there something else that I’m missing?

[1] http://www.juniper.net/documentation/en_US/junos14.2/topics/usage-guidelines/interfaces-configuring-unicast-rpf.html

Thanks in advance!
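As an added illustration (not from the original post and not Junos code), the following Python models a strict uRPF lookup over a constructed FIB and shows why a DHCP DISCOVER sourced from 0.0.0.0 fails the check unless a fail filter admits it; the fail-filter step mirrors the documented Junos rpf-check fail-filter mechanism, while the FIB entries, packets and filter are all constructed here.

```python
import ipaddress
from dataclasses import dataclass

# Constructed FIB: prefix -> interface through which the prefix is reachable.
# There is deliberately no default route, so a source with no matching prefix
# (such as the unspecified address 0.0.0.0) fails the lookup.
FIB = {
    "69.69.69.0/24": "irb.1000",   # the DHCP-TEST subnet from the post
    "10.0.0.0/8": "ge-0/0/0.0",    # constructed: some other interface
}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "udp", "tcp", ...
    sport: int
    dport: int
    ingress: str    # interface the packet arrived on

def fib_lookup(addr):
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifl in FIB.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifl)
    return best[1] if best else None

def dhcp_fail_filter(pkt):
    """Constructed fail filter: admit only client-to-server DHCP/BOOTP
    from a host that has no address yet (0.0.0.0 -> 255.255.255.255)."""
    return (pkt.proto == "udp" and pkt.sport == 68 and pkt.dport == 67
            and pkt.src == "0.0.0.0" and pkt.dst == "255.255.255.255")

def strict_urpf(pkt, fail_filter=None):
    """Strict mode: the route to the source must point back at the ingress
    interface. On failure, consult the fail filter (if any) before dropping."""
    if fib_lookup(pkt.src) == pkt.ingress:
        return "accept"
    if fail_filter is not None and fail_filter(pkt):
        return "accept"
    return "drop"

# Constructed sample packets arriving on irb.1000.
DISCOVER = Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67, "irb.1000")
HOST = Packet("69.69.69.5", "198.51.100.1", "udp", 40000, 53, "irb.1000")
SPOOFED = Packet("10.1.1.1", "198.51.100.1", "udp", 40000, 53, "irb.1000")
```

Run with and without `dhcp_fail_filter` to see that only the DISCOVER changes verdict; a spoofed source whose route points elsewhere is dropped either way.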