AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.

URPF Configuration Commands

NOTE:
  • Among the AR500 series routers, AR502G-L-D-H and AR502GR-L-D-H do not support URPF.

ipv6 urpf

Function

The ipv6 urpf command enables URPF check for IPv6 packets on an interface.

The undo ipv6 urpf command disables URPF check for IPv6 packets on an interface.

By default, URPF check for IPv6 packets is disabled on an interface.

Format

ipv6 urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]

undo ipv6 urpf

Parameters

Parameter: loose
Description: Indicates URPF loose check. When the source address of a packet exists in the FIB table, the packet is forwarded according to URPF regardless of whether the outbound interface of the matching entry is the same as the inbound interface of the packet.
Value: -

Parameter: strict
Description: Indicates URPF strict check. A packet can be forwarded only when the source IP address of the packet exists in the FIB table and the inbound interface of the packet matches the outbound interface in the table.
Value: -

Parameter: allow-default-route
Description: Allows special processing for the default route.
Value: -

Parameter: acl acl-number
Description: Indicates URPF check for packets matching a specified ACL. URPF matches only source and destination IP addresses in ACL rules.
Value: The value is an integer that ranges from 2000 to 3999.
  • The number of a basic ACL ranges from 2000 to 2999.
  • The number of an advanced ACL ranges from 3000 to 3999.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

allow-default-route determines the processing mode for the default route:
  • If allow-default-route is not specified, a packet is discarded when the source IP address is not in the FIB table in either strict mode or loose mode.
  • If allow-default-route is specified and the source IP address is not in the FIB table, note the following points:
    • In strict mode, if the outbound interface of the default route is the same as the inbound interface of the packet, the packet passes the check and is forwarded. Otherwise, the packet is discarded.
    • In loose mode, the packet passes the check and is forwarded no matter whether the outbound interface of the default route is the same as the inbound interface of the packet.

Prerequisites

Run the ipv6 command in the system view, and run the ipv6 enable command in the interface view.

Precautions

The ipv6 urpf command cannot be used on Layer 2 interfaces.

Example

# Enable URPF strict check for IPv6 packets on GE0/0/1 and allow special processing for the default route.

<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] ipv6 urpf strict allow-default-route

urpf (interface view)

Function

The urpf command enables URPF check on the interface and configures the URPF check mode.

The undo urpf command disables URPF check on the interface.

By default, URPF check is not enabled on the interface.

Format

urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]

undo urpf

Parameters

Parameter: loose
Description: Indicates URPF check in loose mode. A packet can be forwarded as long as the source IP address of the packet exists in the routing table or ARP entry, regardless of whether the inbound interface of the packet matches the outbound interface in the table.
Value: -

Parameter: strict
Description: Indicates URPF check in strict mode. A packet can be forwarded only when the source IP address of the packet exists in the routing table or ARP entry, and the inbound interface of the packet matches the outbound interface in the table.
Value: -

Parameter: allow-default-route
Description: Allows special processing for the default route.
Value: -

Parameter: acl acl-number
Description: Indicates URPF check for packets matching a specified ACL. URPF matches only source and destination IP addresses in ACL rules.
Value: The value is an integer that ranges from 2000 to 3999.
  • The number of a basic ACL ranges from 2000 to 2999.
  • The number of an advanced ACL ranges from 3000 to 3999.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A Denial of Service (DoS) attack prevents users from connecting to the server. DoS attacks aim to occupy many resources by sending a large number of connection requests to servers, so that the attacked servers cannot respond to authorized users.

URPF check enables the device to check the source IP address in the FIB table against the inbound interface of the packet. If the source IP address does not match the inbound interface of the packet, the packet is discarded. This prevents IP spoofing attacks, especially DoS attacks with bogus source IP addresses.

You can configure allow-default-route in URPF check to determine the processing mode for the default route.
  • If allow-default-route is not specified, a packet is discarded when the source IP address is not in the FIB table in either strict mode or loose mode.
  • If allow-default-route is specified and the source IP address is not in the FIB table, note the following points:
    • In strict mode, if the outbound interface of the default route is the same as the inbound interface of the packet, the packet passes the check and is forwarded. Otherwise, the packet is discarded.
    • In loose mode, the packet passes the check and is forwarded no matter whether the outbound interface of the default route is the same as the inbound interface of the packet.
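
The strict, loose and allow-default-route rules described above for both ipv6 urpf and urpf, modelled as an added Python example (not Huawei code or device behaviour captured from a router). The FIB contents, the function names, and the reading that a source covered only by the default route counts as "not in the FIB table" are assumptions; the acl option is not modelled.

```python
import ipaddress

# Constructed FIB for illustration: (prefix, outbound interface).
FIB = [
    ("2001:db8:1::/48", "GE0/0/1"),
    ("2001:db8:2::/48", "GE0/0/2"),
    ("::/0", "GE0/0/2"),           # IPv6 default route
    ("192.0.2.0/24", "GE1/0/0"),   # IPv4 entry, no IPv4 default route
]

def lookup(fib, src):
    """Longest-prefix match; returns (network, out_if) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, out_if in fib:
        net = ipaddress.ip_network(prefix)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, out_if)
    return best

def urpf_check(fib, src, in_if, mode, allow_default_route=False):
    """Return True if the packet passes the URPF check, False if discarded."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    match = lookup(fib, src)
    if match is None:
        return False                      # no route at all, not even a default
    net, out_if = match
    if net.prefixlen == 0 and not allow_default_route:
        # Assumption: a source covered only by the default route counts as
        # "not in the FIB table" unless allow-default-route is configured.
        return False
    if mode == "loose":
        return True                       # any matching entry is enough
    return out_if == in_if                # strict: interfaces must agree

def verdicts(fib, src, in_if):
    """All four mode/option combinations for one packet, for comparison."""
    return {
        (mode, adr): urpf_check(fib, src, in_if, mode, adr)
        for mode in ("strict", "loose")
        for adr in (False, True)
    }

if __name__ == "__main__":
    for src, in_if in [("2001:db8:1::10", "GE0/0/2"), ("2001:db8:ffff::1", "GE0/0/1")]:
        print(src, in_if, verdicts(FIB, src, in_if))
```

Comparing the four verdicts for one packet shows why strict mode drops legitimate traffic on asymmetric paths while loose mode with allow-default-route accepts any source once a default route exists.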

Example

# Enable URPF strict check on GE1/0/0 and allow special processing for the default route.
<Huawei> system-view
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] urpf strict allow-default-route
Updated: 2019-05-29

Document ID: EDOC1000097293
