
CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

This document describes the configuration of the services supported by the CX11x, CX31x, and CX91x series switch modules, including configuration examples and function configurations.

Configuring URPF

This section describes how to configure URPF.

Pre-configuration Tasks

Before configuring URPF, complete the following task:

  • Configuring link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up.
NOTE:

When the system resource mode is set to large route, the CX710 switch module 40GE converged switching plane does not support the URPF function.

Enabling URPF on an Interface

Context

When configuring the URPF check function, you need to enable URPF on the interface.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

  3. Run:

    ip urpf enable

    URPF is enabled on the interface.

    By default, URPF check is disabled on an interface.

  4. Run:

    commit

    The configuration is committed.

Configuring the URPF Check Mode on an Interface

Context

On a complex network, asymmetric routes may exist. That is, the routes recorded on the local end and the remote end are different. A URPF-enabled device on such a network may discard packets transmitted along the correct path but forward invalid packets.

The device provides the following URPF modes to solve the preceding problem:

  • Strict check

    In strict mode, a packet can pass the check only when the source IP address of the packet exists in the Forwarding Information Base (FIB) table and the related entries and interfaces match.

    If route symmetry is ensured, you are advised to use the URPF strict check. For example, if there is only one path between two network edge devices, URPF strict check can be used to ensure network security.

    NOTE:
    • The Layer 3 Ethernet interfaces and Layer 3 Eth-Trunk interfaces do not support the strict mode.
    • When the large-arp mode is configured on a CX710 switch module 40GE converged switching plane, the CX710 switch module 40GE converged switching plane does not support strict URPF. When strict URPF is configured, loose URPF actually takes effect.
  • Loose check

    In loose mode, the device does not check whether the inbound interface of a packet matches the interface in the FIB entry. A packet passes the check as long as the source IP address of the packet exists in the FIB table.

    If route symmetry is not ensured, you are advised to use the URPF loose check. For example, if there are multiple paths between two network edge devices, URPF loose check can be used to ensure network security.

You are advised to enable URPF before services are deployed. If you need to enable URPF after services are deployed, do so when traffic is light, and make sure that the FIB table, which is reduced by half, still meets network requirements.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

  3. Run:

    ip urpf { loose | strict | allow-default-route }

    The URPF check mode is configured on the interface.

    By default, the URPF check mode is disabled on an interface.

  4. Run:

    commit

    The configuration is committed.
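A worked session that combines the two interface procedures above, as an added example that is not part of the original guide: strict check on VLANIF 100, which has a single path to the upstream edge device, and loose check on VLANIF 200, which is reachable over multiple paths. The interface numbers and prompt strings are assumptions; lines starting with # are annotations, not commands.

```text
# Added example (not from the guide). Interface numbers are assumed.
<HUAWEI> system-view
# VLANIF 100: one path to the remote edge device, routes are symmetric,
# so the strict check is safe and gives the stronger source validation.
[~HUAWEI] interface vlanif 100
[~HUAWEI-Vlanif100] ip urpf enable
[*HUAWEI-Vlanif100] ip urpf strict
[*HUAWEI-Vlanif100] commit
[~HUAWEI-Vlanif100] quit
# VLANIF 200: several paths to the remote edge device, routes may be
# asymmetric, so the loose check is used to avoid dropping legitimate
# packets that arrive on an interface other than the FIB's outbound one.
[~HUAWEI] interface vlanif 200
[~HUAWEI-Vlanif200] ip urpf enable
[*HUAWEI-Vlanif200] ip urpf loose
[*HUAWEI-Vlanif200] commit
[~HUAWEI-Vlanif200] quit
```

VLANIF interfaces are used because the note above states that Layer 3 Ethernet and Layer 3 Eth-Trunk interfaces do not support the strict mode.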

(Optional) Disabling URPF for Specified Traffic

Background

After URPF check is enabled on an interface, the device performs the URPF check on all the packets passing through the interface. To prevent packets of a certain type from being discarded, you can disable the URPF check for these packets. For example, if the device is configured to trust all packets from a certain server, the device does not check these packets. To disable the URPF check, run the corresponding command in the traffic behavior view and bind the traffic behavior and a traffic classifier in a traffic policy. When the traffic policy is applied globally, to an interface, or to a VLAN, the device does not perform the URPF check on the traffic that matches the traffic classifier rules.

Procedure
  1. Configure a traffic classifier.
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      traffic classifier classifier-name [ type { and | or } ]

      A traffic classifier is created and the traffic classifier view is displayed, or the existing traffic classifier view is displayed.

      and indicates that rules are ANDed with each other.
      • If a traffic classifier contains ACL rules, packets match the traffic classifier only when the packets match one ACL rule and all the non-ACL rules.

      • If a traffic classifier does not contain ACL rules, packets match the traffic classifier only when the packets match all the non-ACL rules.

      or indicates that rules are ORed with each other. Packets match a traffic classifier as long as packets match one rule of the traffic classifier.

      By default, the relationship between rules in a traffic classifier is OR.

    3. Run the following commands as required.

      Each entry below gives the matching rule, the command, and any remarks.

      Inner VLAN IDs in QinQ packets
        Command: if-match inner-vlan start-inner-vlan-id [ to end-inner-vlan-id ]
        Remarks: -

      802.1p priority in VLAN packets
        Command: if-match 8021p 8021p-value &<1-8>
        Remarks: Regardless of whether the relationship between rules in a traffic classifier is AND or OR, if you enter multiple 802.1p priority values, a packet that matches one 802.1p priority matches the traffic classifier.

      Inner 802.1p priority in QinQ packets
        Command: if-match inner-8021p 8021p-value &<1-8>
        Remarks: -

      Outer VLAN ID or inner and outer VLAN IDs of QinQ packets
        Command: if-match vlan start-vlan-id [ to end-vlan-id ] [ inner-vlan inner-vlan-id ]
                 or if-match vlan vlan-id [ inner-vlan start-inner-vlan-id [ to end-inner-vlan-id ] ]
        Remarks: -

      Drop packet
        Command: if-match discard
        Remarks: -

      Double tags in QinQ packets
        Command: if-match double-tag
        Remarks: -

      Destination MAC address
        Command: if-match destination-mac mac-address [ mac-address-mask ]
        Remarks: -

      Source MAC address
        Command: if-match source-mac mac-address [ mac-address-mask ]
        Remarks: -

      Protocol type field encapsulated in the Ethernet frame header
        Command: if-match l2-protocol { arp | ip | rarp | protocol-value }
        Remarks: -

      All packets
        Command: if-match any
        Remarks: -

      DSCP priority in IP packets
        Command: if-match [ ipv6 ] dscp dscp-value &<1-8>
        Remarks:
        • Regardless of whether the relationship between rules in a traffic classifier is AND or OR, if you enter multiple DSCP priority values, a packet that matches one DSCP priority matches the traffic classifier.
        • If the relationship between rules in a traffic classifier is AND, the if-match [ ipv6 ] dscp and if-match ip-precedence commands cannot be used in the traffic classifier simultaneously.

      IP precedence in IP packets
        Command: if-match ip-precedence ip-precedence-value &<1-8>
        Remarks:
        • The if-match [ ipv6 ] dscp and if-match ip-precedence commands cannot be configured in a traffic classifier in which the relationship between rules is AND.
        • Regardless of whether the relationship between rules in a traffic classifier is AND or OR, if you enter multiple IP precedence values, a packet that matches one IP precedence matches the traffic classifier.

      SYN flag in the TCP packet header
        Command: if-match tcp-flag { tcp-flag-value | { ack | fin | psh | rst | syn | urg }* }
        Remarks: -

      Outbound interface
        Command: if-match outbound-interface interface-type interface-number
        Remarks: The traffic policy containing this matching rule cannot be applied in the outbound direction.

      ACL rule
        Command: if-match acl { acl-number | acl-name }
        Remarks:
        NOTE: When an ACL is used to define a traffic classification rule, it is recommended that the ACL be configured first.
        Regardless of whether the relationship between rules in a traffic classifier is AND or OR, if an ACL defines many rules, a packet that matches a single ACL rule matches the ACL.

      ACL6 rule
        Command: if-match ipv6 acl { acl-number | acl-name }
        Remarks:
        NOTE: When an ACL6 is used to define a traffic classification rule, it is recommended that the ACL6 be configured first.

    4. Run:

      commit

      The configuration is committed.

    5. Run:

      quit

      Exit from the traffic classifier view.

  2. Configure a traffic behavior.
    1. Run:

      traffic behavior behavior-name

      A traffic behavior is created and the traffic behavior view is displayed.

    2. Run:

      ip urpf disable

      URPF check is disabled for the specified traffic.

      By default, URPF check disabling is not configured in a traffic behavior.

    3. Run:

      commit

      The configuration is committed.

    4. Run:

      quit

      Exit from the traffic behavior view.

    5. Run:

      quit

      Exit from the system view.

  3. Configure a traffic policy.
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      traffic policy policy-name

      A traffic policy is created and the traffic policy view is displayed, or the view of an existing traffic policy is displayed.

    3. Run:

      classifier classifier-name behavior behavior-name [ precedence precedence-value ]

      A traffic behavior is bound to a traffic classifier in a traffic policy.

    4. Run:

      commit

      The configuration is committed.

    5. Run:

      quit

      Exit from the traffic policy view.

  4. Apply the traffic policy.
    • Applying a traffic policy to an interface
      1. Run:

        system-view

        The system view is displayed.

      2. Run:

        interface interface-type interface-number

        The interface view is displayed.

      3. Run:

        traffic-policy policy-name { inbound | outbound }

        A traffic policy is applied to the interface.

      4. Run:

        commit

        The configuration is committed.

    • Applying a traffic policy to a VLAN
      1. Run:

        system-view

        The system view is displayed.

      2. Run:

        vlan vlan-id

        The VLAN view is displayed.

      3. Run:

        traffic-policy policy-name { inbound | outbound }

        A traffic policy is applied to the VLAN.

        After a traffic policy is applied, the system performs traffic policing for the packets that belong to a VLAN and match traffic classification rules in the inbound or outbound direction.

      4. Run:

        commit

        The configuration is committed.

    • Applying a traffic policy to the system
      1. Run:

        system-view

        The system view is displayed.

      2. Run:

        traffic-policy policy-name global [ slot slot-id ] { inbound | outbound }

        A traffic policy is applied to the system.

      3. Run:

        commit

        The configuration is committed.
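The complete exemption procedure above (classifier, behavior, policy, and application) carried through for the "trusted server" case from the Background, as an added example that is not part of the original guide. It assumes URPF is already enabled on VLANIF 100, that the trusted server is 192.0.2.10, and that an advanced ACL numbered 3000 matches it; the names, addresses, ACL number and prompt strings are assumptions, and lines starting with # are annotations, not commands.

```text
# Added example (not from the guide). Names, addresses and numbers are assumed.
# Assumes "ip urpf enable" is already configured on VLANIF 100.
<HUAWEI> system-view
# Advanced ACL 3000: match only packets sourced from the trusted server.
[~HUAWEI] acl number 3000
[*HUAWEI-acl4-advance-3000] rule 5 permit ip source 192.0.2.10 0.0.0.0
[*HUAWEI-acl4-advance-3000] commit
[~HUAWEI-acl4-advance-3000] quit
# Step 1: traffic classifier; with a single ACL rule, a hit on the ACL is a match.
[~HUAWEI] traffic classifier trusted-server type and
[*HUAWEI-classifier-trusted-server] if-match acl 3000
[*HUAWEI-classifier-trusted-server] commit
[~HUAWEI-classifier-trusted-server] quit
# Step 2: traffic behavior that skips the URPF check for matched packets only.
[~HUAWEI] traffic behavior no-urpf
[*HUAWEI-behavior-no-urpf] ip urpf disable
[*HUAWEI-behavior-no-urpf] commit
[~HUAWEI-behavior-no-urpf] quit
# Step 3: traffic policy binding the classifier to the behavior.
[~HUAWEI] traffic policy urpf-exempt
[*HUAWEI-trafficpolicy-urpf-exempt] classifier trusted-server behavior no-urpf
[*HUAWEI-trafficpolicy-urpf-exempt] commit
[~HUAWEI-trafficpolicy-urpf-exempt] quit
# Step 4: apply the policy inbound on the interface where the server's
# packets arrive; every other packet on VLANIF 100 is still URPF-checked.
[~HUAWEI] interface vlanif 100
[~HUAWEI-Vlanif100] traffic-policy urpf-exempt inbound
[*HUAWEI-Vlanif100] commit
[~HUAWEI-Vlanif100] quit
```

Keep the exempting ACL as narrow as possible: any packet whose source address matches it, whether genuine or spoofed, bypasses the URPF check on that interface, so exempt a single host rather than a subnet where you can.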

Checking the Configuration

Procedure
  • Run the display this command in the interface view to check whether URPF is enabled on the interface.

  • Run the display traffic classifier [ classifier-name ] command to check the traffic classifier configuration on the device.
  • Run the display traffic behavior [ behavior-name ] command to check the traffic behavior configuration on the device.
  • Run the display traffic policy [ policy-name [ classifier classifier-name ] ] command to check the traffic policy configuration on the device.

  • Run the display traffic-policy applied-record [ policy-name ] [ global [ slot slot-id ] | interface interface-type interface-number | vlan vlan-id ] [ inbound | outbound ] command to check the record of the specified traffic policy.

Updated: 2019-08-09

Document ID: EDOC1000041694
