- play_arrow Configure Kubernetes and Contrail
- play_arrow CN2 Apstra Integration
- play_arrow CN2 Security
- play_arrow Configure DPDK
- play_arrow Configure Services
- play_arrow Analytics
- Contrail Networking Analytics
- Contrail Networking Metric List
- Kubernetes Metric List
- Cluster Node Metric List
- Contrail Networking Alert List
- vRouter Session Analytics in Contrail Networking
- Centralized Logging
- Port-Based Mirroring
- Configurable Categories of Metrics Collection and Reporting (Tech Preview)
- Juniper CN2 Technology Previews (Tech Previews)
ON THIS PAGE
Configure Reverse Path Forwarding on Virtual Interfaces
Overview
Unicast reverse-path-forwarding (RPF) verifies that a packet is sent from a valid source address by performing an RPF check. RPF check is a validation tool that uses the IP routing table to verify whether the source IP address of an incoming packet is arriving from a valid path. RPF helps reduce forwarding of IP packets that might be spoofing an IP address.
When a packet arrives on an interface, RPF performs a forwarding table lookup on the packet's source IP address and checks the incoming interface. The incoming interface must match the interface on which the packet arrived. If the interface doesn't match, the vRouter drops the packet. If the packet is from a valid path, the vRouter forwards the packet to the destination address.
You can enable or disable source RPF on a per-virtual network basis. By default, RPF is disabled.
RPF enable: Whenever a packet reaches the interface, RPF performs a check on the packet's source IP address. All packets are dropped if the route is not learned by the vRouter. Only packets received from the MAC/IP address allocated to the workload are permitted on an interface.
RPF disable: Packets from any source are accepted on the interface. A forwarding table lookup is not performed on the incoming packet source IP address.
Enable RPF on a Virtual Interface
To enable RPF on a virtual interface, set the rpf variable under
virtualNetworkProperties to enable. For example:
apiVersion: v1
kind: Namespace
metadata:
name: rpf-ns
---
apiVersion: core.contrail.juniper.net/v3
kind: Subnet
metadata:
namespace: rpf-ns
name: rpf-subnet-1
annotations:
core.juniper.net/display-name: Sample Subnet
core.juniper.net/description:
Subnet represents a block of IP addresses and its configuration.
IPAM allocates and releases IP address from that block on demand.
It can be used by different VirtualNetwork in the mean time.
spec:
cidr: "172.20.10.0/24"
---
apiVersion: core.contrail.juniper.net/v3
kind: VirtualNetwork
metadata:
namespace: rpf-ns
name: rpf-vn-1
annotations:
core.juniper.net/display-name: Sample Virtual Network
core.juniper.net/description:
VirtualNetwork is a collection of end points (interface or ip(s) or MAC(s))
that can communicate with each other by default. It is a collection of
subnets whose default gateways are connected by an implicit router
spec:
v4SubnetReference:
apiVersion: core.contrail.juniper.net/v3
kind: Subnet
namespace: rpf-ns
name: rpf-subnet-1
fabricSNAT: true
virtualNetworkProperties:
rpf: enable