ip-tunnel-rpf-check
Syntax
ip-tunnel-rpf-check {
    mode (strict | loose);
    fail-filter filter-name;
}
Hierarchy Level
[edit routing-instances routing-instance-name routing-options forwarding-table]
Description
Enable anti-spoofing protection for next-hop-based dynamic tunnels. Reverse path forwarding checks ensure that tunnel traffic is received from a legitimate source through the designated IP tunnel, that is, that the source is reachable on the same tunnel on which the packet was received.
When a packet comes from a nondesignated source, the reverse path forwarding check fails in the strict mode, and passes in the loose mode. When a packet comes from a nonexistent source, the reverse path forwarding check fails.
By default, the reverse path forwarding check is in strict mode, in which packets whose source is from a nondesignated tunnel are not forwarded.
Options
mode (strict | loose)
    (Optional) Specify the mode of the reverse path forwarding check to enable anti-spoofing protection for next-hop-based dynamic tunnels. In the strict mode (default), the reverse path forwarding check fails when the packet is received from a nondesignated tunnel source. The check passes only for packets from designated tunnels. In the loose mode, the reverse path forwarding check passes even if the packet is received from a nondesignated tunnel source. When the packet is from a nonexistent tunnel source, the reverse path forwarding check fails in both the strict and loose modes.
fail-filter filter-name
    (Optional) Attach a filter to the Layer 3 VPN to log packets that failed the reverse path forwarding check.
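Both options used together in one routing instance, as an added example that is not from the original page. The instance name VPN-A, the filter and counter names, and the filter body (standard Junos firewall filter syntax under family inet, assumed to be what fail-filter references) are assumptions.

```junos
/* Added example; names are hypothetical. */
routing-instances {
    VPN-A {
        instance-type vrf;
        routing-options {
            forwarding-table {
                ip-tunnel-rpf-check {
                    /* strict is the default; stated here so the intent is
                       visible in the configuration. With strict, packets
                       from a nondesignated tunnel source fail the check.
                       Changing this to loose lets them pass; packets from
                       a nonexistent tunnel source fail in either mode. */
                    mode strict;
                    /* Packets that fail the check are handed to this
                       filter so that the failures are recorded. */
                    fail-filter LOG-RPF-FAIL;
                }
            }
        }
    }
}
firewall {
    family inet {
        /* Assumed filter body: count and log every packet that reaches
           the filter, then drop it. */
        filter LOG-RPF-FAIL {
            term record-and-drop {
                then {
                    count tunnel-rpf-fail;
                    log;
                    discard;
                }
            }
        }
    }
}
```

With this filter in place, `show firewall filter LOG-RPF-FAIL` reports the counter and `show firewall log` lists the logged packets, which gives a baseline for alerting on spoofed tunnel traffic.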
Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 17.1.