Juniper JNCIA-Junos JN0-104 – Section 7: Routing Policy and Firewall Filters Part 5
April 28, 2023

86. Unicast Reverse Path Forwarding

Let’s now talk about an interesting topic called unicast reverse path forwarding, and understand how it can be used to prevent spoofing of IP addresses. Let’s first start by understanding what IP spoofing is. IP spoofing is a method of attempting to gain access by inserting a false source address in the packet header. This makes the packet appear as if it’s coming from a trusted source. IP spoofing is a common technique used in denial-of-service attacks. Let’s understand this with an example. Here we have a router, R1. On interface ge-0/0/0 it has a connected network, 10.1.1.0/24. This means that a packet with a source IP address in that range should only ever be received by R1 on interface ge-0/0/0. Now let’s say we have an incoming packet whose source IP address is 10.1.1.6, and it is arriving on a different interface.

Let’s say ge-0/0/1. What do you think is going on with this packet? Clearly, this packet is using a spoofed source IP address, because 10.1.1.0/24 is attached to ge-0/0/0, and that’s the only interface on which a packet with that source should arrive. There are two ways to deal with this. Number one, we can configure a firewall filter that will drop any packet with that source IP address arriving on any other interface, in this case ge-0/0/1. Or, number two, we can configure unicast reverse path forwarding. Let’s talk about the first method. Here we have the same router, the same interface and the same connected network. The other interface, ge-0/0/1, is used to reach the WAN or the Internet. We want to prevent spoofing attacks on that interface, so we configure a firewall filter that looks like this. The filter name is spoof-prevention. It has a term called drop-spoofed-lan that matches the source address 10.1.1.0/24, which is the connected network.

The action is set to discard. For all other packets, the action is set to accept, and we apply this filter to packets received on interface ge-0/0/1. This means that if ge-0/0/1 receives a packet with a source address in 10.1.1.0/24, we discard it; otherwise we let the packet through. This is how we can manually define a filter to prevent spoofing of IP addresses. While this is a workable solution, it is manual: every time the network changes, we have to update the firewall filter. And if we have a very large network with lots of devices, this is not a scalable solution. That’s where unicast reverse path forwarding comes into the picture. Unicast reverse path forwarding, or RPF, is a tool to reduce forwarding of IP packets that may be spoofing a source address. It performs a route table lookup on the IP packet’s source address and also checks the incoming interface. If the packet arrived over a valid path, the router forwards it to the destination address.
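The manual filter just described, written out as Junos configuration (this is an added example, not configuration captured from the course; the address 10.1.1.1/24 on ge-0/0/0, the term name allow-everything-else and the description string are assumptions, and the filter is applied in the input direction because the check is on packets received on ge-0/0/1):

```junos
firewall {
    family inet {
        filter spoof-prevention {
            /* packets claiming a source on the LAN prefix must never arrive from the WAN side */
            term drop-spoofed-lan {
                from {
                    source-address {
                        10.1.1.0/24;
                    }
                }
                then discard;
            }
            /* everything else is allowed through unchanged */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                /* assumed LAN address on the connected network */
                address 10.1.1.1/24;
            }
        }
    }
    ge-0/0/1 {
        description "WAN / Internet";
        unit 0 {
            family inet {
                /* input: evaluated on packets received on this interface */
                filter {
                    input spoof-prevention;
                }
            }
        }
    }
}
```

Note that the filter names exactly one prefix: adding a second LAN prefix behind ge-0/0/0 later means adding another source-address entry here, which is the maintenance burden the rest of the section is about.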

Otherwise, the packet is discarded. Unicast reverse path forwarding is supported for the IPv4 and IPv6 protocol families, and it is also supported for the VPN address family. There are two modes in which we can configure unicast reverse path forwarding. The first is loose mode. When configured this way, we only check whether the incoming packet’s source address is in the routing table: if there is a route for the source address, we accept the packet. But think about this: what if we had a default route configured on the device? As we now know, the default route matches all IP addresses because its prefix is 0.0.0.0/0. So if we configure unicast reverse path forwarding in loose mode with a default route present on the device, it will end up accepting all packets. The other option is to configure strict mode. In strict mode we perform two checks. It performs the check used by loose mode, which means it checks whether the source address is in the routing table.

And it also checks whether the incoming packet was received on the interface that would be used to forward traffic back to the source IP address. What does that mean? Let’s say I have a network 10.1.1.0/24 that can only be reached via ge-0/0/0. When a packet with a source in that network arrives on a device configured for strict mode, the device checks whether the packet was received on ge-0/0/0, because that’s the only interface to reach that network. So it performs two checks: does a route exist for that prefix in the routing table, and has the packet arrived on the correct interface? By default, unicast reverse path forwarding operates in strict mode. Now, let’s look at another scenario. We have four routers, R1, R2, R3 and R4, connected in this fashion: R1 is connected to a computer, and R4 is connected to the Internet. Let’s say the computer on the left is trying to send a packet to the Internet. The packet first reaches R1; from R1 it is sent to R2, from R2 to R4, and then to the Internet. Now, when the return packet comes in, it first reaches R4, and at this point R4 has two ways to reach R1.

R4 can go via R2 and then reach R1, or it can go via R3 and then reach R1. In this case, the path via R2 is the active path and the path via R3 is the feasible path. This is a common scenario in many organizations: you could have two paths to reach the same destination. By default, unicast reverse path forwarding only considers the active path. That means if the packet arrives via the feasible path, it will be dropped. That’s the default behavior of unicast reverse path forwarding. Let’s talk more about this. By default, when Junos performs its RPF check, it only considers the active route to a given destination. In networks where multiple routes exist, meaning different forward and reverse paths, the default behavior of considering only active routes can cause legitimate traffic to be dropped. To address this, Junos can be configured to consider all feasible routes to a destination when it performs the reverse path forwarding check.

When configured this way, the system considers all routes it receives to a given destination, even if they are not the active route to that destination. This option should be enabled where the possibility of asymmetric routing exists, meaning different forward and reverse paths. Now, let’s talk about fail filters. Fail filters allow you to perform additional processing on packets that have failed the unicast RPF check. So let’s say we have a packet that has been dropped by unicast reverse path forwarding. By applying a fail filter, we can have that packet additionally processed. Using the fail filter configuration, we can perform operations like accepting, rejecting, logging, sampling or policing of those packets. At this point you may be wondering why you would want to additionally process a packet that has failed the unicast RPF check. Let’s talk about that. Here are a couple of use cases for configuring a fail filter. By configuring a fail filter, we can allow packets that would normally fail the RPF check. An example would be BOOTP or DHCP packets.

These are sent when a device or the network is initializing, and they have a source address of 0.0.0.0 and a destination address of 255.255.255.255. As you can see from the source and destination IP addresses, these packets will fail the RPF check. By configuring a fail filter, we can specify that these packets should be allowed even when the RPF check fails. Another use case for a fail filter is to allow failed packets to be further processed, for example for logging or accounting. A fail filter is just like any other firewall filter that you would configure.

The only difference is that it is referenced from the RPF check configuration; from a configuration standpoint it is similar to any other firewall filter. Here’s an example of a fail filter that will allow DHCP and BOOTP packets. Under the [edit firewall] hierarchy, we have a filter called dhcp-bootp with a term called allow-dhcp-bootp. We are matching the source address 0.0.0.0 and the destination address 255.255.255.255, and we are allowing that packet to go through. In the upcoming video, we’ll understand how to enable the RPF check on an interface and how to configure a fail filter.

87. Configuring Unicast Reverse Path Forwarding

Let’s now understand how to configure unicast reverse path forwarding. The configuration of unicast reverse path forwarding is done at the interface level. So, for example, we’ll start by looking at the interfaces on this device. Because I’m in configuration mode, the command is run show interfaces terse | match ge. You can see I’ve got a couple of interfaces, ge-0/0/0 and ge-0/0/1. Let’s enable the check on ge-0/0/1. The command is set interfaces ge-0/0/1 unit 0 family inet, and if I type a question mark here, you’ll notice the option rpf-check, which enables reverse path forwarding checks on this interface. And that’s about it: that’s the only thing we need to configure to enable the check. Now let’s understand how to configure a fail filter that will allow DHCP and BOOTP packets. As we saw earlier, a fail filter is just like any other firewall filter. So we’ll start with edit firewall, and we need to provide a filter name: edit filter dhcp-bootp. Now we need to add a term: edit term allow-dhcp-bootp. We are going to match the source address, so set from source-address 0.0.0.0/32.

We are also going to match the destination address, because these are the values used by packets generated by these protocols: the source address will be all zeros and the destination address will be all 255s, so set from destination-address 255.255.255.255/32. Let’s do a show: we’re matching the source address and the destination address. Next, set then accept. Remember, we are configuring a firewall filter that will additionally process packets that have failed the RPF check. We want to allow these packets through even if the RPF check fails, so that’s why we say set then accept. For logging purposes we can also add a counter: set then count bootp-counter. Let’s go one level up and configure another term to match all other packets: edit term default. We want to match all other packets, so we skip the from statement and go directly to the then action.

So: set then reject, and also set then log. Let’s go up one level and do a show. We have two terms. The first term, allow-dhcp-bootp, lets these packets through. Any other packet that has failed the RPF check hits the default term and is rejected. Now we need to apply this filter in the RPF check configuration. So we go to the top and enter set interfaces ge-0/0/1 unit 0 family inet rpf-check, and if I type a question mark here, notice we have the option fail-filter. Now we can reference the filter we configured, dhcp-bootp, and press Enter. So that’s done. Also notice we have the option to change the mode of the RPF check. By default it works in strict mode, but if we wanted to change that, we could use the mode keyword here and set it to loose.

For now, we’ll leave it in strict mode. The last command we’re going to talk about is how to enable the RPF check to consider feasible paths as well. We saw that if there are multiple paths to a destination, by default the RPF check only considers the active path. To also consider feasible paths, we use set routing-options forwarding-table unicast-reverse-path, and if we type a question mark here, notice we have the option to consider only active paths (active-paths) or active and feasible paths (feasible-paths). So we’ll say feasible-paths and press Enter. With this configuration, even if there are multiple paths to reach the same destination, they will all be considered when evaluating the RPF check.
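The commands entered in this video, together with the fail filter described at the end of the previous video, produce the configuration below in Junos display format. This is an added example, not output captured from the course’s device; the interface ge-0/0/1, the filter, term and counter names follow the narration, and the filter is placed under family inet explicitly (the narration’s edit firewall filter form is the same thing).

```junos
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                rpf-check {
                    /* mode is strict by default; "mode loose;" would only check that a route exists
                       and, with a default route present, would accept every source */
                    fail-filter dhcp-bootp;
                }
            }
        }
    }
}
firewall {
    family inet {
        filter dhcp-bootp {
            /* DHCP/BOOTP discovery: source 0.0.0.0, destination limited broadcast,
               which can never pass a source-route lookup, so let it through and count it */
            term allow-dhcp-bootp {
                from {
                    source-address {
                        0.0.0.0/32;
                    }
                    destination-address {
                        255.255.255.255/32;
                    }
                }
                then {
                    count bootp-counter;
                    accept;
                }
            }
            /* anything else that failed the RPF check is logged and rejected */
            term default {
                then {
                    log;
                    reject;
                }
            }
        }
    }
}
routing-options {
    forwarding-table {
        /* also accept sources reachable over non-active (feasible) routes,
           for asymmetric forward and reverse paths */
        unicast-reverse-path feasible-paths;
    }
}
```

After committing, show firewall filter dhcp-bootp displays the bootp-counter value, so a rising counter confirms the fail filter is being hit by DHCP traffic rather than that traffic being silently dropped by the RPF check.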

88. Conclusion

Welcome back. We’ve now completed all the topics required for the JNCIA-Junos certification exam. I’d like to start by thanking you for the opportunity. Before I say goodbye, I’d like to leave you with some exam tips. Number one, use Juniper documentation for additional reading. Even though the course covers every topic outlined in the JNCIA exam blueprint, I highly recommend using the Juniper documentation as additional reading material. Number two, use a lab and practice configuration to reinforce the concepts.

Getting hands-on practice will not only improve your chances of passing the exam, but will also improve your confidence in handling a device in a production environment like your office. From the examination perspective, I’d recommend at least three to five hours of hands-on practice on a live Junos device. I recommend renting lab time from an online Juniper lab instead of buying a physical SRX device. Number three, use practice tests to gain exam confidence. A practice test will give you an idea of what questions you can expect at the exam. Points two and three, using a lab and using practice tests, are critical for your success at the exam. Finally, watch the videos again until you’re comfortable with all the topics. Before I leave you, I’d request that you please provide feedback about the course. Let us know what you liked, and also let us know what you would like to see improved in the course. A five-star rating will be highly motivating; please let us know if we’ve earned that from you. Finally, I’d like to wish you good luck and success at the exam. Thank you.
