On Wed 2017-Mar-08 12:38:52 -0500, Brian Rak <b...@gameservers.com> wrote:

> Is anyone successfully using rpf-check on QFX5100s?
>
> I'm getting some really weird behavior. If I enable uRPF, then disable it again, the device still appears to continue to enforce it (spoofed packets continue to be blocked). I have to restart the device in order to fully remove RPF.
>
> Also, whenever I enable rpf-check, a whole bunch of legitimate traffic starts getting dropped. My guess is that this is related to the device having redundant uplinks and an ECMP default route. I can't really confirm this, though, since RPF troubleshooting seems non-existent.

Mixing redundant / asymmetric paths and uRPF needs to be done carefully. Are you doing strict or loose RPF? What legitimate traffic is being dropped (e.g. specific types/classes of traffic or seemingly random)? Do you have an exception filter defined to log/catch/exclude certain traffic? E.g. on SRX used as CPE we needed to define an exception filter so that DHCP discover packets don't get dropped.

> Is attempting to use RPF here a mistake? I'd really prefer not to have to implement per-port ACLs. We're on 16.1 currently; I'll probably try upgrading once JTAC fixes my account.

--
Hugo Slabbert       | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E   | also on Signal
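The combination Hugo describes, loose-mode RPF plus an exception filter so legitimate traffic such as DHCP discover is not discarded, looks like the following in Junos. This is an added illustration, not configuration from either poster: the interface name `xe-0/0/0`, the address `192.0.2.1/24` (documentation range) and the filter name `rpf-exceptions` are placeholders, and the `fail-filter` syntax follows the MX/SRX form referenced in the reply, so its availability on a QFX5100 must be confirmed against the release notes for the running version.

```junos
interfaces {
    xe-0/0/0 {                          /* placeholder interface */
        unit 0 {
            family inet {
                rpf-check {
                    mode loose;         /* loose: source must be in the FIB on any interface;
                                           omit "mode loose" for strict, which also requires
                                           the best return path to be this interface */
                    fail-filter rpf-exceptions;   /* evaluated only for packets that FAIL the RPF check */
                }
                address 192.0.2.1/24;   /* constructed example address */
            }
        }
    }
}
firewall {
    family inet {
        filter rpf-exceptions {
            /* DHCP discover arrives from 0.0.0.0 to 255.255.255.255, which can
               never pass an RPF lookup, so it must be accepted explicitly. */
            term allow-dhcp-discover {
                from {
                    source-address 0.0.0.0/32;
                    destination-address 255.255.255.255/32;
                    protocol udp;
                    source-port 68;
                    destination-port 67;
                }
                then accept;
            }
            /* Everything else that failed RPF: count and log it so the
               "what legitimate traffic is being dropped" question has data. */
            term log-and-drop {
                then {
                    count rpf-failed;
                    log;
                    discard;
                }
            }
        }
    }
}
```

With this in place, `show firewall filter rpf-exceptions` exposes the `rpf-failed` counter and `show firewall log` shows the logged drops, which gives a way to distinguish "random" drops from a specific class of traffic, the first thing to establish before deciding between strict and loose mode on an interface that is part of an ECMP or asymmetric path. Under asymmetric routing strict mode will reject return traffic whose best path is a different uplink, so loose mode (or no RPF on the redundant uplinks, with RPF applied instead on customer-facing ports) is the usual starting point.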


_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
