
Command Reference

CloudEngine 8800, 7800, 6800, and 5800 V200R002C50

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.

URPF Configuration Commands

NOTE:
CE6810LI does not support URPF.

ip urpf disable

Function

The ip urpf disable command disables URPF check for the specified traffic.

The undo ip urpf disable command cancels the disabling of URPF check for the specified traffic.

By default, URPF check disabling is not configured in a traffic behavior.

NOTE:

CE6870EI does not support this command.

Format

ip urpf disable

undo ip urpf disable

Parameters

None

Views

Traffic behavior view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After URPF check is enabled on an interface, the device performs the URPF check on all the packets passing through the interface. To prevent packets of a certain type from being discarded, you can disable URPF check for these packets. For example, if the device is configured to trust all the packets from a certain server, the device does not check these packets. To disable URPF check, run this command in the traffic behavior view and associate the traffic behavior and a traffic classifier with a traffic policy. When the traffic policy is applied globally, to an interface, or to a VLAN, the device does not perform URPF check on the traffic that matches the traffic classifier rules.

Follow-up Procedure

Run the traffic policy command to create a traffic policy and run the classifier behavior command in the traffic policy view to bind the traffic classifier to the traffic behavior containing the action of disabling unicast reverse path forwarding (URPF) check.

Precautions

The undo ip urpf disable command only cancels URPF check disabling in a traffic behavior. To enable URPF for all flows on an interface, run the urpf (interface view) command.

Example

# Disable the URPF check function of traffic behavior b1.

<HUAWEI> system-view
[~HUAWEI] traffic behavior b1
[*HUAWEI-behavior-b1] ip urpf disable

ip urpf

Function

The ip urpf command configures the URPF check mode.

The undo ip urpf command disables URPF check mode.

By default, URPF check mode is not enabled. If URPF check is enabled on the interface, URPF check is in loose mode.

Format

ip urpf { loose | strict | allow default-route }

undo ip urpf { loose | strict | allow default-route }

Parameters

| Parameter | Description | Value |
|---|---|---|
| loose | Indicates URPF check in loose mode. A packet can be forwarded as long as the source IP address of the packet exists in the routing table, regardless of whether the inbound interface of the packet matches the outbound interface in the table. | - |
| strict | Indicates URPF check in strict mode. A packet can be forwarded only when the source IP address of the packet exists in the routing table, and the inbound interface of the packet matches the outbound interface in the table. | - |
| allow-default-route | Allows special processing for the default route. | - |

Views

System view, GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, VLANIF interface view

NOTE:

On the CE6870EI, the URPF check mode can only be set in the system view. On other models, the URPF check mode cannot be set in the system view.

This command can be run on only the VLANIF interface of a CE6880EI, and only the Layer 3 interfaces of a CE6880EI support this command.

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A Denial of Service (DoS) attack prevents users from connecting to the server. DoS attacks aim to occupy many resources by sending a large number of connection requests to servers. The attacked servers cannot respond to authorized users.

URPF check enables the device to check the source IP address in the FIB table against the inbound interface of the packet. If the source IP address does not match the inbound interface of the packet, the packet is discarded. This prevents IP spoofing attacks, especially DoS attacks with bogus source IP addresses.

You can configure allow default-route in URPF check to determine how the default route is processed.
  • If allow default-route is not specified, a packet is discarded when the source IP address is not in the FIB table in either strict mode or loose mode.
  • If allow default-route is specified and the source IP address is not in the FIB table, note the following points:
    • In strict mode, if the outbound interface of the default route is the same as the inbound interface of the packet, the packet passes the check and is forwarded. Otherwise, the packet is discarded.
    • In loose mode, the packet passes the check and is forwarded no matter whether the outbound interface of the default route is the same as the inbound interface of the packet.
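The check logic described above, modelled in Python as an added example (this is not Huawei code). The FIB contents and interface names are constructed, and two points are assumptions: a source covered only by the default route is treated as "not in the FIB table", and a packet is discarded when allow default-route is set but no default route exists.

```python
import ipaddress

# Constructed sample FIB: (prefix, outbound interface). Values are illustrative.
SAMPLE_FIB = [
    ("10.1.0.0/16", "10GE1/0/1"),
    ("10.1.8.0/24", "10GE1/0/2"),   # more specific route via another port
    ("0.0.0.0/0", "10GE1/0/3"),     # default route
]

def urpf_pass(fib, src, in_if, mode, allow_default_route=False):
    """Return True if a packet with source `src` arriving on `in_if`
    passes the URPF check, False if it is discarded."""
    if mode not in ("loose", "strict"):
        raise ValueError("mode must be 'loose' or 'strict'")
    addr = ipaddress.ip_address(src)
    specific = None      # (prefix length, outbound interface) of best match
    default_if = None    # outbound interface of the default route, if any
    for prefix, out_if in fib:
        net = ipaddress.ip_network(prefix)
        if net.version != addr.version:
            continue
        if net.prefixlen == 0:
            default_if = out_if
        elif addr in net and (specific is None or net.prefixlen > specific[0]):
            specific = (net.prefixlen, out_if)   # longest-prefix match

    if specific is not None:
        # Source is in the FIB: loose needs only the entry,
        # strict also needs the inbound interface to match.
        return mode == "loose" or specific[1] == in_if

    # Source is not in the FIB (assumption: default route does not count).
    if not allow_default_route or default_if is None:
        return False
    # allow default-route: strict compares against the default route's
    # outbound interface, loose passes regardless of interface.
    return mode == "loose" or default_if == in_if

if __name__ == "__main__":
    for src, port in [("10.1.8.7", "10GE1/0/1"), ("192.0.2.9", "10GE1/0/3")]:
        for mode in ("loose", "strict"):
            for allow in (False, True):
                verdict = urpf_pass(SAMPLE_FIB, src, port, mode, allow)
                print(src, port, mode, allow, "pass" if verdict else "discard")
```
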

Precautions

You are advised to enable URPF before services are deployed. If you need to enable URPF after services are deployed, configure it when less traffic is being transmitted, and ensure that the FIB table, reduced by a half, can still meet network requirements.

Example

# Enable URPF strict check (CE6870EI).

<HUAWEI> system-view
[~HUAWEI] ip urpf strict

# Enable URPF strict check on 10GE1/0/1 (except CE6870EI and CE6880EI).

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] ip urpf strict

# Enable URPF strict check on 10GE1/0/1 (CE6880EI).

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ip urpf strict

ip urpf enable

Function

The ip urpf enable command enables URPF check on an interface.

The undo ip urpf enable command disables URPF check on an interface.

By default, URPF check is disabled on an interface.

Format

ip urpf enable

undo ip urpf enable

Parameters

None

Views

VLANIF interface view, GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view

NOTE:

URPF check can be configured in the VLANIF interface view only on the CE6870EI and CE6880EI.

This command is supported only on Layer 3 interfaces of the CE6870EI and CE6880EI.

Default Level

2: Configuration level

Usage Guidelines

After the ip urpf enable command is executed, the loose mode is used by default.

NOTE:

On switches other than the CE6870EI, the URPF check on a Layer 3 interface can be only in loose mode.

On switches other than the CE6870EI, after MPLS is configured on a Layer 3 interface, the URPF function does not take effect.

Example

# Enable URPF check on VLANIF 100 (CE6870EI and CE6880EI).

<HUAWEI> system-view
[~HUAWEI] vlan 100
[*HUAWEI-vlan100] quit
[*HUAWEI] interface vlanif 100
[*HUAWEI-Vlanif100] ip urpf enable

# Enable URPF check on 10GE1/0/1 (except CE6870EI and CE6880EI).

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] ip urpf enable
Updated: 2019-03-21

Document ID: EDOC1000166501
