Example: Configuring Unicast RPF in a Dynamic Profile on MX Series Routers
This example shows how to help defend the router ingress interfaces against denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks by configuring unicast reverse-path forwarding (RPF) on a customer-edge interface to filter incoming traffic. Unicast RPF verifies the unicast source address of each packet that arrives on an ingress interface where unicast RPF is enabled. Packets that fail verification are silently discarded unless a fail filter performs some other action on them.
Requirements
This example uses the following software and hardware components:
- Junos OS Release 12.3
- An MX Series 3D Universal Edge router
Before you begin:
- Configure the dynamic profile that you intend to use to apply the RPF check.
Overview
Large amounts of unauthorized traffic—such as attempts to flood a network with fake service requests in a denial-of-service (DoS) attack—can consume network resources and deny service to legitimate users. One way to help prevent DoS and distributed denial-of-service (DDoS) attacks is to verify that incoming traffic originates from legitimate network sources.
Unicast RPF helps ensure that a traffic source is legitimate (authorized) by comparing the source address of each packet that arrives on an interface to the forwarding-table entry for its source address. If the router uses the same interface that the packet arrived on to reply to the packet's source, this verifies that the packet originated from an authorized source, and the router forwards the packet. If the router does not use the same interface that the packet arrived on to reply to the packet's source, the packet might have originated from an unauthorized source, and the router discards the packet, or passes it to a fail filter.
The fail filter enables you to set criteria for packets you want to be passed in spite of failing the RPF check, such as DHCP packets, which are dropped by default.
On MX Series routers, you can configure unicast RPF in a dynamic profile to apply the configuration to one or more subscriber interfaces. See Configuring Unicast RPF for more information about the behavior and limitations of unicast RPF on MX Series routers.
In this example, you configure the router to protect against potential DoS and DDoS attacks from the Internet perpetrated through IPv4 packets arriving on dynamically created VLAN demux interfaces. The dynamic profile, vlan-demux-prof, establishes that VLAN demux interfaces are automatically created for subscribers. Unicast RPF is enabled on the dynamic interfaces by the rpf-check term.
By default, unicast RPF prevents Dynamic Host Configuration Protocol (DHCP) packets from being accepted on interfaces to which it applies. When DHCP packets are discarded, no new subscribers can be created by the dynamic profile. To enable interfaces to accept DHCP packets, you must apply a fail filter that properly sorts through the packets that fail the check and identifies the DHCP packets. In this example, you configure the allow-dhcp term in the filter rpf-pass-dhcp. This term matches, counts, and accepts IPv4 packets that are destined for the DHCP port and any address. The default term drops all other packets that fail the RPF check.
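As an added illustration (not Junos code and not from this page), the following Python model walks a packet through the strict RPF check described above and then through a model of the rpf-pass-dhcp fail filter; the forwarding table, interface names, and the final discard term are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed forwarding table: (prefix, interface used to reach that prefix).
# The subscriber pool sits behind the demux interface, everything else behind
# the uplink; a DHCP DISCOVER source of 0.0.0.0 matches only the default route.
FIB = [
    ("0.0.0.0/0", "ae1.0"),
    ("10.10.0.0/16", "demux0.1073741824"),
    ("192.168.1.0/24", "ae1.0"),
]

# Counter named after the page's 'then count rpf-dhcp-traffic' action.
COUNTERS = {"rpf-dhcp-traffic": 0}

@dataclass
class Packet:
    src: str        # source address
    dst: str        # destination address
    proto: str      # "udp" or "tcp"
    dst_port: int
    ingress: str    # interface the packet arrived on

def fib_lookup(src):
    """Longest-prefix match on the source; returns the outgoing interface."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def fail_filter_rpf_pass_dhcp(pkt):
    """Model of filter rpf-pass-dhcp: term allow-dhcp (destination-port dhcp,
    i.e. UDP 67, destination-address 255.255.255.255/32, count, accept),
    then an assumed final term that discards everything else."""
    if pkt.proto == "udp" and pkt.dst_port == 67 and pkt.dst == "255.255.255.255":
        COUNTERS["rpf-dhcp-traffic"] += 1
        return "accept"
    return "discard"

def rpf_check(pkt):
    """Strict unicast RPF: forward only if the route back to the source leaves
    through the ingress interface; otherwise hand the packet to the fail filter."""
    if fib_lookup(pkt.src) == pkt.ingress:
        return "forward"
    return fail_filter_rpf_pass_dhcp(pkt)
```

Running rpf_check on a spoofed source arriving on the demux interface returns "discard", while a DHCP DISCOVER (0.0.0.0 to 255.255.255.255, UDP 67) returns "accept" and increments the counter.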
This example does not show all possible configuration choices.
Configuration
To enable unicast RPF with a fail filter in a dynamic profile, perform these tasks:
- Configuring the Dynamic Profile to Apply RPF Checking to Dynamic VLAN Demux Interfaces
- Configuring the RPF-Check Fail Filter
Configuring the Dynamic Profile to Apply RPF Checking to Dynamic VLAN Demux Interfaces
CLI Quick Configuration
To quickly configure the dynamic profile to apply unicast RPF to dynamically created VLAN demux interfaces, copy the following commands, paste them in a text file, remove any line breaks, and then copy and paste the commands into the CLI.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure unicast RPF on the router:
- Create a dynamic profile.
  [edit]
  user@host# edit dynamic-profiles vlan-demux-prof
- Specify that the dynamic VLAN profile uses the demux interface.
  [edit dynamic-profiles vlan-demux-prof]
  user@host# edit interfaces demux0
- Specify that the dynamic profile applies the demux interface unit value to the dynamic VLANs.
  [edit dynamic-profiles vlan-demux-prof interfaces demux0]
  user@host# edit unit $junos-interface-unit
- Specify the logical underlying interface for the dynamic VLANs.
  [edit dynamic-profiles vlan-demux-prof interfaces demux0 unit $junos-interface-unit]
  user@host# set demux-options underlying-interface $junos-interface-ifd-name
- Configure the variable that results in dynamically created VLAN IDs.
  [edit dynamic-profiles vlan-demux-prof interfaces demux0 unit $junos-interface-unit]
  user@host# set vlan-id $junos-vlan-id
- Configure the IPv4 address family for the demux interfaces.
  [edit dynamic-profiles vlan-demux-prof interfaces demux0 unit $junos-interface-unit]
  user@host# edit family inet
- Configure the unnumbered address for the family.
  [edit dynamic-profiles vlan-demux-prof interfaces demux0 unit $junos-interface-unit family inet]
  user@host# set unnumbered-address lo0.0
- Configure unicast RPF and specify the fail filter that is applied to incoming packets that fail the check.
  [edit dynamic-profiles vlan-demux-prof interfaces demux0 unit $junos-interface-unit family inet]
  user@host# set rpf-check fail-filter rpf-pass-dhcp
Configuring the RPF-Check Fail Filter
CLI Quick Configuration
To quickly configure the unicast RPF-check fail filter, copy the following commands, paste them in a text file, remove any line breaks, and then copy and paste the commands into the CLI.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure the RPF-check fail filter:
- Create the fail filter.
  [edit firewall]
  user@host# edit family inet filter rpf-pass-dhcp
- Define the filter term that identifies DHCP packets based on the DHCP destination port, then counts and passes the packets.
  [edit firewall family inet filter rpf-pass-dhcp]
  user@host# edit term allow-dhcp
  user@host# set from destination-port dhcp
  user@host# set from destination-address 255.255.255.255/32
  user@host# set then count rpf-dhcp-traffic
  user@host# set then accept
- Define the filter term that drops all other failed packets.
Results
From configuration mode, confirm the unicast RPF configuration by entering the show dynamic-profiles command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
From configuration mode, confirm the fail filter configuration by entering the show firewall command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is correct, perform these tasks:
Verifying That Unicast RPF Is Enabled on the Router
Purpose
Verify that unicast RPF is enabled.
Action
Verify that unicast RPF is enabled by using the show subscribers extensive command.
user@host> show subscribers extensive
Type: VLAN
Logical System: default
Routing Instance: default
Interface: ae0.1073741824
Interface type: Dynamic
Dynamic Profile Name: vlan-demux-prof
State: Active
Session ID: 9
VLAN Id: 100
Login Time: 2011-08-26 08:17:00 PDT
IPv4 rpf-check Fail Filter Name: rpf-pass-dhcp
Meaning
The IPv4 rpf-check Fail Filter Name field displays rpf-pass-dhcp, the name of the fail filter applied by the dynamic profile for IPv4 packets failing the RPF check.