Command Reference

S7700 and S9700 V200R011C10

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
URPF Configuration Commands

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

ip urpf disable

Function

The ip urpf disable command disables URPF check for the specified traffic, as an action of a traffic behavior.

The undo ip urpf disable command cancels this URPF check disabling for the specified traffic.

By default, URPF check disabling is not configured in a traffic behavior.

NOTE:

The SA series cards (except ES0D0X12SA00 card and EH1D2X12SSA0 card) do not support this function.

Format

ip urpf disable

undo ip urpf disable

Parameters

None

Views

Traffic behavior view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After URPF check is enabled on an interface, the device performs the URPF check on all packets passing through the interface. To prevent packets of a certain type from being discarded, you can disable URPF check for those packets. For example, if the device is configured to trust all packets from a certain server, it does not check those packets. To disable URPF check, run this command in the traffic behavior view and bind the traffic behavior and a traffic classifier to a traffic policy. When the traffic policy is applied globally or to an interface, a board, or a VLAN, the device does not perform URPF check on the traffic that matches the traffic classifier rules.

Follow-up Procedure

Run the traffic policy command to create a traffic policy, and run the classifier behavior command in the traffic policy view to bind the traffic classifier to the traffic behavior that contains the action of disabling unicast reverse path forwarding (URPF) check.

Precautions

The undo ip urpf disable command only cancels URPF check disabling in a traffic behavior. To enable URPF for all flows on a board or an interface, run the urpf (system view) or urpf (interface view) command.

Example

# Disable the URPF check function of traffic behavior b1.

<HUAWEI> system-view
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] ip urpf disable

urpf (interface view)

Function

The urpf command enables URPF on an interface and configures the URPF mode.

The undo urpf command disables URPF on an interface.

By default, URPF is disabled on an interface.

NOTE:

For the EH1D2X48SEC0, FC series, SC series and EE series cards, only Layer 2 Ethernet interfaces support URPF strict check.

You can configure URPF on VLANIF interfaces and subinterfaces only on the EH1D2X48SEC0 card, FC series cards, SC series cards, EE series cards, and X series cards.

Format

urpf { loose | strict } [ allow-default-route ]

undo urpf

Parameters

Parameter: loose
Description: Indicates URPF check in loose mode. A packet passes the check as long as the device has a route to the source IP address of the packet in the routing table; the inbound interface of the packet is not required to be the same as the outbound interface of the route.
Value: -

Parameter: strict
Description: Indicates URPF check in strict mode. A packet passes the check only when the device has a route to the source IP address of the packet in the routing table and the inbound interface of the packet is the same as the outbound interface of the route.
Value: -

Parameter: allow-default-route
Description: Allows the packet to pass the URPF check when the only route to its source IP address is the default route. If this parameter is not configured, the default route is not accepted as a route to the source IP address during the URPF check.
Value: -

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A Denial of Service (DoS) attack prevents users from connecting to a server. DoS attacks aim to exhaust resources by sending a large number of connection requests to a specified server, so that the attacked server cannot respond to authorized users.

URPF looks up the source IP address of a packet in the routing table and checks whether the inbound interface of the packet is the same as the outbound interface of the matching route. If no route to the source IP address exists in the routing table, or the inbound interface of the packet differs from the outbound interface of the route, the packet is discarded. This prevents IP spoofing attacks, especially DoS attacks with bogus source IP addresses.

In a complicated networking environment, asymmetric routes may exist. That is, the route from the local end to the remote end differs from the route back. A URPF-enabled device on such a network may discard packets transmitted along the correct path but forward packets transmitted along incorrect paths. The device provides the following two URPF modes to solve this problem:
  • Strict mode

    In strict mode, a packet passes the check only when the device has a route to the source IP address of the packet in the routing table, and the inbound interface of the packet should be the same as the outbound interface of the route.

    If route symmetry is ensured, you are advised to use the URPF strict mode. For example, if there is only one path between two network edge devices, URPF strict mode can be used to ensure network security.

  • Loose mode

    In loose mode, a packet passes the check as long as the device has a route to the source IP address of the packet in the routing table, and the inbound interface of the packet is not required to be the same as the outbound interface of the route.

    If route symmetry is not ensured, you are advised to use the URPF loose mode. For example, if there are multiple paths between two network edge devices, URPF loose mode can be used to ensure network security and prevent the packets transmitted along the correct path from being discarded.
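The strict and loose decisions described above, together with the allow-default-route parameter from the Parameters table, as an added Python simulation that is not Huawei's code and does not run on the switch: a constructed routing table is searched by longest-prefix match on the packet's source address, and the matching route's outbound interface is compared with the inbound interface only in strict mode. The interface names and prefixes are made up for the example.

```python
# Added example (not Huawei's code): simulate the URPF decision for loose and
# strict mode, with and without allow-default-route.
from ipaddress import ip_address, ip_network

# Constructed routing table: (prefix, outbound interface). 0.0.0.0/0 is the
# default route; longest-prefix match selects the most specific entry.
ROUTES = [
    ("0.0.0.0/0", "GE1/0/3"),
    ("10.1.0.0/16", "GE1/0/1"),
    ("10.1.5.0/24", "GE1/0/2"),
    ("192.0.2.0/24", "GE1/0/1"),
]

def lookup(routes, src_ip):
    """Return (network, out_iface) for the longest matching prefix, or None."""
    best = None
    addr = ip_address(src_ip)
    for prefix, iface in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_check(routes, src_ip, in_iface, mode="strict", allow_default_route=False):
    """True if the packet passes URPF check, False if it would be discarded."""
    match = lookup(routes, src_ip)
    if match is None:
        return False  # no route to the source address: discarded in both modes
    net, out_iface = match
    if net.prefixlen == 0 and not allow_default_route:
        return False  # only the default route matched and it is not accepted
    if mode == "loose":
        return True   # a usable route is enough; inbound interface not compared
    return in_iface == out_iface  # strict: must arrive on the route's egress

if __name__ == "__main__":
    # Symmetric path: strict mode passes.
    print(urpf_check(ROUTES, "10.1.5.7", "GE1/0/2"))                # True
    # Asymmetric path: strict mode discards, loose mode still passes.
    print(urpf_check(ROUTES, "10.1.5.7", "GE1/0/1"))                # False
    print(urpf_check(ROUTES, "10.1.5.7", "GE1/0/1", mode="loose"))  # True
    # Source covered only by the default route.
    print(urpf_check(ROUTES, "203.0.113.9", "GE1/0/3"))             # False
    print(urpf_check(ROUTES, "203.0.113.9", "GE1/0/3",
                     allow_default_route=True))                     # True
```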

Prerequisites

For cards except for X series cards, configurations on the interface take effect only after global URPF is enabled using the urpf (system view) command.

Precautions

In the Eth-Trunk interface view, this command conflicts with the service type tunnel command; therefore, the two commands cannot be run in the same Eth-Trunk interface view.

If URPF strict check is enabled on a Layer 2 Ethernet interface, packets received from sub-interfaces fail to pass the URPF strict check. If URPF loose check is enabled on a Layer 2 Ethernet interface, packets received from sub-interfaces pass the URPF loose check.

For the EH1D2X48SEC0 and ET1D2X48SEC0 cards of the S9700, the allow-default-route parameter does not take effect when the resource allocation mode is set to enhanced-ipv4 or ipv4-ipv6 6:1 using the assign resource-mode command.

Example

# Enable URPF strict check on Layer 2 interface GE1/0/1 and accept the default route as the route to the source IP address of the packet.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] urpf strict allow-default-route

# Enable URPF loose check on Layer 3 interface GE1/0/2 and accept the default route as the route to the source IP address of the packet.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] undo portswitch
[HUAWEI-GigabitEthernet1/0/2] urpf loose allow-default-route

urpf (system view)

Function

The urpf command enables global URPF on an LPU.

The undo urpf command disables global URPF on an LPU.

By default, the switch does not enable global URPF on an LPU.

NOTE:

X series cards do not support this command.

Format

urpf slot slot-id [ based-logic-port ]

undo urpf slot slot-id [ based-logic-port ]

NOTE:

Only EH1D2X48SEC0 card, FC series cards, SC series cards, and EE series cards support based-logic-port.

Parameters

Parameter: slot slot-id
Description: Specifies the slot ID of an LPU.
Value: Set the value according to the device configuration.

Parameter: based-logic-port
Description:
  • If this parameter is specified, URPF check configured on logical interfaces (VLANIF interfaces and subinterfaces) takes effect, and URPF check configured on Ethernet interfaces (Layer 2 and Layer 3 Ethernet interfaces) does not take effect.
  • If this parameter is not specified, URPF check configured on Ethernet interfaces takes effect, and URPF check configured on logical interfaces does not take effect.
Value: -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A Denial of Service (DoS) attack prevents users from connecting to a server. DoS attacks aim to exhaust resources by sending a large number of connection requests to a specified server, so that the attacked server cannot respond to authorized users.

URPF looks up the source IP address of a packet in the routing table and checks whether the inbound interface of the packet is the same as the outbound interface of the matching route. If no route to the source IP address exists in the routing table, or the inbound interface of the packet differs from the outbound interface of the route, the packet is discarded. This prevents IP spoofing attacks, especially DoS attacks with bogus source IP addresses.

In a complicated networking environment, asymmetric routes may exist. That is, the route from the local end to the remote end differs from the route back. A URPF-enabled device on such a network may discard packets transmitted along the correct path but forward packets transmitted along incorrect paths. The device provides the following two URPF modes to solve this problem:
  • Strict mode

    In strict mode, a packet passes the check only when the device has a route to the source IP address of the packet in the routing table, and the inbound interface of the packet should be the same as the outbound interface of the route.

    If route symmetry is ensured, you are advised to use the URPF strict mode. For example, if there is only one path between two network edge devices, URPF strict mode can be used to ensure network security.

  • Loose mode

    In loose mode, a packet passes the check as long as the device has a route to the source IP address of the packet in the routing table, and the inbound interface of the packet is not required to be the same as the outbound interface of the route.

    If route symmetry is not ensured, you are advised to use the URPF loose mode. For example, if there are multiple paths between two network edge devices, URPF loose mode can be used to ensure network security and prevent the packets transmitted along the correct path from being discarded.

Precautions

  • Enabling or disabling global URPF on an LPU affects packet forwarding for a short period of time.
  • You are advised to enable URPF before services are deployed. If you need to enable URPF after services are deployed, do so when less traffic is being transmitted, and make sure that the FIB table, whose capacity is halved when URPF is enabled, still meets network requirements. For EC series, ED series, or EE series cards, you can run the assign resource-mode slot slot-id mode enhanced-ipv4 command to expand FIB entries.
  • If both the urpf slot slot-id and urpf slot slot-id based-logic-port commands are executed, the last configured one takes effect.

Follow-up Procedure

Run the urpf (interface view) command to configure the URPF check function on interfaces.

Example

# Enable global URPF on the LPU in slot 1.

<HUAWEI> system-view
[HUAWEI] urpf slot 1
Warning: Changing the global URPF status may interrupt some services for several seconds and FIB entries supported may be reduced. Continue? [Y/N]:y

# Change URPF from Ethernet interface-based to logical interface-based.

<HUAWEI> system-view
[HUAWEI] urpf slot 1 based-logic-port
Warning: Changing the global URPF status may interrupt some services for several seconds and FIB entries supported may be reduced. Continue? [Y/N]: y
Warning: The global URPF mode will be changed from physical interface-based to logical interface-based. The URPF configuration on all Layer 2 or Layer 3 physical interfaces of the card will become invalid. Are you sure to continue? [Y/N]: y

# Change URPF from logical interface-based to Ethernet interface-based.

<HUAWEI> system-view
[HUAWEI] urpf slot 1
Warning: Changing the global URPF status may interrupt some services for several seconds and FIB entries supported may be reduced. Continue? [Y/N]: y
Warning: The global URPF mode will be changed from logical interface-based to physical interface-based. The URPF configuration on all sub-interfaces or VLANIF interfaces of the card will become invalid. Are you sure to continue? [Y/N]: y
Updated: 2019-10-18

Document ID: EDOC1000178288