Command Reference

S1720, S2700, S5700, and S6720 V200R011C10

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
URPF Configuration Commands

Command Support

The commands in this section are supported only on the S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI.

urpf (interface view)

Function

The urpf command enables URPF on an interface and configures the URPF mode.

The undo urpf command disables URPF on an interface.

By default, URPF is disabled on an interface.

NOTE:

Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support this command.

For the S5720EI, S6720EI, and S6720S-EI, only Layer 2 Ethernet interfaces support URPF strict check.

Format

urpf { loose | strict } [ allow-default-route ]

undo urpf

Parameters

Parameter: loose
Description: Indicates URPF check in loose mode. A packet passes the check as long as the device has a route to the source IP address of the packet in the routing table; the inbound interface of the packet is not required to be the same as the outbound interface of the route.
Value: -

Parameter: strict
Description: Indicates URPF check in strict mode. A packet passes the check only when the device has a route to the source IP address of the packet in the routing table and the inbound interface of the packet is the same as the outbound interface of the route.
Value: -

Parameter: allow-default-route
Description: Allows a packet whose source IP address is reachable only through the default route to pass the URPF check. If this parameter is not configured, the default route is not accepted as the route to the source IP address during the URPF check, and such a packet is discarded.
Value: -

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A Denial of Service (DoS) attack prevents legitimate users from connecting to a server. The attacker exhausts the server's resources by sending a large number of connection requests to it, so that the server can no longer respond to authorized users.

URPF uses the source IP address of a packet to look up the route to that address in the routing table, and checks whether the inbound interface of the packet is the same as the outbound interface of the route. If no route to the source IP address exists in the routing table, or the inbound interface of the packet differs from the outbound interface of the route, the packet is discarded. This prevents IP spoofing, in particular DoS attacks that use forged source IP addresses.

In a complex network, asymmetric routes may exist: the path a packet takes from the local end to the remote end differs from the path taken by the return traffic. A URPF-enabled device on such a network may discard packets transmitted along the correct path while forwarding packets transmitted along incorrect paths. The device provides the following two URPF modes to solve this problem:
  • Strict mode

    In strict mode, a packet passes the check only when the device has a route to the source IP address of the packet in the routing table, and the inbound interface of the packet should be the same as the outbound interface of the route.

    If route symmetry is ensured, you are advised to use the URPF strict mode. For example, if there is only one path between two network edge devices, URPF strict mode can be used to ensure network security.

  • Loose mode

    In loose mode, a packet passes the check as long as the device has a route to the source IP address of the packet in the routing table, and the inbound interface of the packet is not required to be the same as the outbound interface of the route.

    If route symmetry is not ensured, you are advised to use the URPF loose mode. For example, if there are multiple paths between two network edge devices, URPF loose mode can be used to ensure network security and prevent the packets transmitted along the correct path from being discarded.

Prerequisites

For the S5720EI, S6720EI, and S6720S-EI, configurations on the interface take effect only after global URPF is enabled using the urpf (system view) command.

Precautions

In the Eth-Trunk interface view, this command conflicts with the service type tunnel command; therefore, the two commands cannot be run in the same Eth-Trunk interface view.

For the S6720EI and S6720S-EI, the allow-default-route parameter does not take effect when the resource allocation mode is set to enhanced-ipv4 or ipv4-ipv6 6:1 using the assign resource-mode command.

Example

# Enable URPF strict check on a Layer 2 interface GE0/0/1 and allow the route to the source IP address of the packet to be configured as the default route.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] urpf strict allow-default-route
# Enable URPF loose check on a Layer 3 interface GE0/0/2 and allow the route to the source IP address of the packet to be configured as the default route.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] undo portswitch
[HUAWEI-GigabitEthernet0/0/2] urpf loose allow-default-route

urpf (system view)

Function

The urpf command enables global URPF.

The undo urpf command disables global URPF.

By default, global URPF is disabled on the switch.

NOTE:

S5720HI does not support this command.

Format

For S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720SI, and S6720S-SI:

urpf [ slot slot-id ]

undo urpf [ slot slot-id ]

For S5720EI, S6720EI, and S6720S-EI:

urpf slot slot-id [ based-logic-port ]

undo urpf slot slot-id [ based-logic-port ]

Parameters

Parameter: slot slot-id
Description:
  • Specifies the slot ID if stacking is not configured.
  • Specifies the stack ID if stacking is configured.
Value: Set the value according to the device configuration.

Parameter: based-logic-port
Description:
  • If this parameter is specified, URPF check configured on logical interfaces (VLANIF interfaces and subinterfaces) takes effect, and URPF check configured on Ethernet interfaces (Layer 2 and Layer 3 Ethernet interfaces) does not take effect.
  • If this parameter is not specified, URPF check configured on Ethernet interfaces takes effect, and URPF check configured on logical interfaces does not take effect.
Value: -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A Denial of Service (DoS) attack prevents legitimate users from connecting to a server. The attacker exhausts the server's resources by sending a large number of connection requests to it, so that the server can no longer respond to authorized users.

URPF uses the source IP address of a packet to look up the route to that address in the routing table, and checks whether the inbound interface of the packet is the same as the outbound interface of the route. If no route to the source IP address exists in the routing table, or the inbound interface of the packet differs from the outbound interface of the route, the packet is discarded. This prevents IP spoofing, in particular DoS attacks that use forged source IP addresses.

In a complex network, asymmetric routes may exist: the path a packet takes from the local end to the remote end differs from the path taken by the return traffic. A URPF-enabled device on such a network may discard packets transmitted along the correct path while forwarding packets transmitted along incorrect paths. The device provides the following two URPF modes to solve this problem:
  • Strict mode

    In strict mode, a packet passes the check only when the device has a route to the source IP address of the packet in the routing table, and the inbound interface of the packet should be the same as the outbound interface of the route.

    If route symmetry is ensured, you are advised to use the URPF strict mode. For example, if there is only one path between two network edge devices, URPF strict mode can be used to ensure network security.

  • Loose mode

    In loose mode, a packet passes the check as long as the device has a route to the source IP address of the packet in the routing table, and the inbound interface of the packet is not required to be the same as the outbound interface of the route.

    If route symmetry is not ensured, you are advised to use the URPF loose mode. For example, if there are multiple paths between two network edge devices, URPF loose mode can be used to ensure network security and prevent the packets transmitted along the correct path from being discarded.
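The following Python is an added illustration, not code from the Huawei documentation or the switch itself. It models the URPF decision described in the Usage Scenario of both urpf commands above, including the loose and strict modes and the allow-default-route parameter of urpf (interface view), against a constructed routing table; the prefixes, interface names and sample packets are made up for the example.

```python
import ipaddress

# Constructed routing table for the example: (destination prefix, outbound interface).
# The 0.0.0.0/0 entry is the default route that allow-default-route refers to.
ROUTES = [
    ("10.1.0.0/16", "GE0/0/1"),
    ("10.2.0.0/16", "GE0/0/2"),
    ("192.168.5.0/24", "GE0/0/2"),
    ("0.0.0.0/0", "GE0/0/3"),
]


def lookup_route(src_ip, routes=ROUTES):
    """Longest-prefix match on the source address; returns (network, out_if) or None."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for prefix, out_if in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, out_if)
    return best


def urpf_check(src_ip, in_if, mode="strict", allow_default_route=False, routes=ROUTES):
    """Return True if the packet passes URPF, False if the device would discard it."""
    match = lookup_route(src_ip, routes)
    if match is None:
        return False                 # no route to the source address: discard
    net, out_if = match
    if net.prefixlen == 0 and not allow_default_route:
        return False                 # only the default route matches: discard
    if mode == "loose":
        return True                  # loose mode: having any route is enough
    return out_if == in_if           # strict mode: inbound must equal the route's outbound


def filter_packets(packets, mode="strict", allow_default_route=False, routes=ROUTES):
    """Apply URPF to constructed (src_ip, in_if) packets; return the ones that are discarded."""
    return [p for p in packets if not urpf_check(p[0], p[1], mode, allow_default_route, routes)]


if __name__ == "__main__":
    # Constructed traffic: a legitimate flow, the same source arriving on the "wrong"
    # interface (asymmetric path or forged source), and a source known only via the default route.
    sample = [("10.1.2.3", "GE0/0/1"), ("10.1.2.3", "GE0/0/2"), ("203.0.113.9", "GE0/0/1")]
    print("strict discards:", filter_packets(sample))
    print("loose discards: ", filter_packets(sample, mode="loose"))
    print("loose + allow-default-route discards:", filter_packets(sample, "loose", True))
```

Running it shows that strict mode drops the asymmetric packet that loose mode accepts, and that neither mode accepts a source matched only by the default route until allow-default-route is set.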

Precautions

  • Enabling or disabling global URPF briefly interrupts packet forwarding.
  • The URPF check enabled by running the urpf (system view) command takes effect only on the master switch in a stack.
  • The S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720SI, and S6720S-SI only support URPF strict check.
  • For S5720EI, S6720EI, and S6720S-EI, you are advised to enable URPF before services are deployed. If you need to enable URPF after services are deployed, do so when traffic is low, and make sure that the FIB table, whose capacity is halved when URPF is enabled, still meets network requirements.
  • If both the urpf slot slot-id and urpf slot slot-id based-logic-port commands are executed, the last configured one takes effect.

Follow-up Procedure

For S5720EI, S6720EI, and S6720S-EI, run the urpf (interface view) command to configure the URPF check function on interfaces.

Example

# Enable global URPF on the device.

<HUAWEI> system-view
[HUAWEI] urpf slot 0
Warning: Changing the global URPF status may interrupt some services for several seconds and FIB entries supported may be reduced. Continue? [Y/N]:y
# Change URPF from Ethernet interface-based to logical interface-based.
<HUAWEI> system-view
[HUAWEI] urpf slot 0 based-logic-port
Warning: Changing the global URPF status may interrupt some services for several seconds and FIB entries supported may be reduced. Continue? [Y/N]: y
Warning: The global URPF mode will be changed from physical interface-based to logical interface-based. The URPF configuration on all Layer 2 or Layer 3 physical interfaces of the card will become invalid. Are you sure to continue? [Y/N]: y
# Change URPF from logical interface-based to Ethernet interface-based.
<HUAWEI> system-view
[HUAWEI] urpf slot 0
Warning: Changing the global URPF status may interrupt some services for several seconds and FIB entries supported may be reduced. Continue? [Y/N]: y
Warning: The global URPF mode will be changed from logical interface-based to physical interface-based. The URPF configuration on all sub-interfaces or VLANIF interfaces of the card will become invalid. Are you sure to continue? [Y/N]: y
Updated: 2019-10-09

Document ID: EDOC1000178165