For example, I will configure unicast RPF (reverse-path forwarding) on Juniper MX204.
RPF allows you to reduce the impact of DOS-type attacks on IPv4 and IPv6 interfaces.
Let’s create a filter first:
edit firewall filter rpf-pass-dhcp-ixnfo set term allow-dhcp from destination-port dhcp set term allow-dhcp from destination-address 255.255.255.255/32 set term allow-dhcp then count rpf-dhcp-traffic set term allow-dhcp then accept set term discard-all then discard
And now apply it to the desired dynamic profile:
edit dynamic-profiles edit DHCP-IP-Demux interfaces demux0 unit "$junos-interface-unit" family inet set mac-validate strict set rpf-check fail-filter rpf-pass-dhcp-ixnfo
Unicast RPF has strict and loose modes, dynamic profile uses strict mode by default, an example of enabling free mode:
set rpf-check mode loose
Starting from version 19.1R1, you can view statistics on the dynamic logical interface:
run show interfaces statistics demux0 detail | match RPF
If the dynamic profile is already in use by users, then to apply changes to it, you can end the session (if this is not critical):
run show subscribers run clear dhcp server binding all commit
Or you can enable an option that will apply the new version of the dynamic profile to new users, and the old version will be used until the users reconnect:
set system dynamic-profile-options versioning
See also my article:
Juniper MX204 setup