Juniper. Configuring RPF in Dynamic Profiles

For example, I will configure unicast RPF (reverse-path forwarding) on Juniper MX204.
RPF allows you to reduce the impact of DOS-type attacks on IPv4 and IPv6 interfaces.

Let’s create a filter first:

edit firewall filter rpf-pass-dhcp-ixnfo
set term allow-dhcp from destination-port dhcp
set term allow-dhcp from destination-address
set term allow-dhcp then count rpf-dhcp-traffic
set term allow-dhcp then accept
set term discard-all then discard

And now apply it to the desired dynamic profile:

edit dynamic-profiles
edit DHCP-IP-Demux interfaces demux0 unit "$junos-interface-unit" family inet
set mac-validate strict
set rpf-check fail-filter rpf-pass-dhcp-ixnfo

Unicast RPF has strict and loose modes, dynamic profile uses strict mode by default, an example of enabling free mode:

set rpf-check mode loose

Starting from version 19.1R1, you can view statistics on the dynamic logical interface:

run show interfaces statistics demux0 detail | match RPF

If the dynamic profile is already in use by users, then to apply changes to it, you can end the session (if this is not critical):

run show subscribers
run clear dhcp server binding all

Or you can enable an option that will apply the new version of the dynamic profile to new users, and the old version will be used until the users reconnect:

set system dynamic-profile-options versioning

See also my article:
Juniper MX204 setup

Leave a comment

Leave a Reply