Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Example for Using Basic ACLs to Exclude Valid Packets from URPF Checks

Networking Requirements

As shown in Figure 1-16, GE1/0/1 of the Switch is connected to users, and GE2/0/1 is connected to the upstream router. To prevent source address spoofing attacks, the administrator configures URPF in strict mode on GE1/0/1 and GE2/0/1. In addition, the administrator does not want the Switch to perform URPF checks on the packets sent by valid user PC1 (

Figure 1-16  Using basic ACLs to exclude valid packets from URPF check

Configuration Roadmap

The following configurations are performed on the Switch. The configuration roadmap is as follows:

  1. Configure URPF to prevent source address spoofing attacks.
  2. Configure a basic ACL and ACL-based traffic classifier to identify packets from IP address
  3. Configure a traffic behavior to disable URPF checks for the specified packets, and then the device does not perform URPF checks on the packets from
  4. Configure and apply a traffic policy to make the ACL and traffic behavior take effect.


  1. Configure the URPF function.

    # Enable the URPF function on LPUs.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] urpf slot 1
    Warning: Changing the global URPF status may interrupt some services for several seconds and FIB entries supported may be reduced. Continue? [Y/N]: y
    [Switch] urpf slot 2
    Warning: Changing the global URPF status may interrupt some services for several seconds and FIB entries supported may be reduced. Continue? [Y/N]: y

    # Configure the URPF mode on interfaces.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] urpf strict
    [Switch-GigabitEthernet1/0/1] quit
    [Switch] interface gigabitethernet 2/0/1
    [Switch-GigabitEthernet2/0/1] urpf strict
    [Switch-GigabitEthernet2/0/1] quit

  2. Configure an ACL-based traffic classifier.

    # Define ACL rules.

    [Switch] acl 2000
    [Switch-acl-basic-2000] rule permit source 0
    [Switch-acl-basic-2000] quit

    # Configure the traffic classifier and reference the ACL as its match rule.

    [Switch] traffic classifier tc1
    [Switch-classifier-tc1] if-match acl 2000
    [Switch-classifier-tc1] quit

  3. Configure a traffic behavior.

    # Define the traffic behavior and disable the URPF function in the traffic behavior view.

    [Switch] traffic behavior tb1
    [Switch-behavior-tb1] ip urpf disable
    [Switch-behavior-tb1] quit

  4. Configure a traffic policy.

    # Define the traffic policy and associate the traffic classifier and traffic behavior with the traffic policy.

    [Switch] traffic policy tp1
    [Switch-trafficpolicy-tp1] classifier tc1 behavior tb1
    [Switch-trafficpolicy-tp1] quit

    # Apply the traffic policy to GE1/0/1.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] traffic-policy tp1 inbound
    [Switch-GigabitEthernet1/0/1] quit

  5. Verify the configuration.

    # Check the configuration of ACL rules.

    [Switch] display acl 2000
    Basic ACL 2000, 1 rule
    Acl's step is 5
     rule 5 permit source 0  

    # Check the configuration of the traffic classifier.

    [Switch] display traffic classifier user-defined
      User Defined Classifier Information:
       Classifier: tc1
        Precedence: 5
        Operator: OR
        Rule(s) : if-match acl 2000
    Total classifier number is 1   

    # Check the configuration of the traffic policy.

    [Switch] display traffic policy user-defined tp1
      User Defined Traffic Policy Information:
      Policy: tp1                                                                   
       Classifier: tc1                                                              
        Operator: OR                                                                
         Behavior: tb1                                                              
          Urpf switch: off  
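The procedure above is a switch configuration and cannot be executed off the box, so the following Python model, added here and not part of the Huawei guide, shows the decision the Switch makes after steps 1 to 4: a packet arriving on an interface is looked up by its source address in the FIB, strict mode requires the reverse route to point back out the ingress interface, and a source matched by ACL 2000 on an interface carrying policy tp1 skips the check entirely. It also covers loose mode, which the guide does not configure, so that the two modes can be compared. The prefixes, the PC1 address and the asymmetric route for PC1's subnet are constructed assumptions; the guide leaves the real addresses out.

```python
# Added example, not from the Huawei configuration guide: a model of the
# URPF strict check with the ACL-based exemption set up by tc1/tb1/tp1.
# All addresses, prefixes and the reason PC1 needs an exemption are
# constructed assumptions for the demonstration.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Route:
    prefix: IPv4Network
    out_iface: str  # interface the FIB uses to reach this prefix


@dataclass
class Switch:
    fib: List[Route]
    urpf_mode: Dict[str, str]       # interface -> "strict" or "loose"
    acl_permit: List[IPv4Network]   # basic ACL 2000 "rule permit source ..." entries
    policy_ifaces: Set[str]         # interfaces with "traffic-policy tp1 inbound"

    def reverse_route(self, src: IPv4Address) -> Optional[Route]:
        """Longest-prefix match of the packet's SOURCE address in the FIB."""
        candidates = [r for r in self.fib if src in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r.prefix.prefixlen)

    def urpf_check(self, in_iface: str, src: str) -> Tuple[str, str]:
        """Return ('forward' | 'drop', reason) for a packet arriving on in_iface."""
        addr = ip_address(src)
        mode = self.urpf_mode.get(in_iface)
        if mode is None:
            return "forward", "URPF not enabled on ingress interface"
        # Traffic policy: classifier tc1 (if-match acl 2000) -> behavior tb1 (ip urpf disable)
        if in_iface in self.policy_ifaces and any(addr in net for net in self.acl_permit):
            return "forward", "matched ACL 2000, URPF disabled by behavior tb1"
        route = self.reverse_route(addr)
        if route is None:
            return "drop", "no route back to source"
        if mode == "strict" and route.out_iface != in_iface:
            return "drop", (f"strict mode: route to source points at {route.out_iface}, "
                            f"packet came in on {in_iface}")
        # Loose mode: in this simplified model any matching route, including
        # the default route, satisfies the check.
        return "forward", f"{mode} mode: reverse path verified"


def build_switch() -> Switch:
    """Constructed topology with the guide's roles: users behind GE1/0/1,
    the upstream router behind GE2/0/1. PC1 is assumed to sit in a prefix
    whose route points upstream (asymmetric), which is why strict URPF
    would otherwise drop its packets on GE1/0/1."""
    return Switch(
        fib=[
            Route(ip_network("10.1.1.0/24"), "GE1/0/1"),     # user LAN (assumed)
            Route(ip_network("192.168.5.0/24"), "GE2/0/1"),  # PC1's prefix via upstream (assumed)
            Route(ip_network("0.0.0.0/0"), "GE2/0/1"),       # default route to upstream
        ],
        urpf_mode={"GE1/0/1": "strict", "GE2/0/1": "strict"},
        acl_permit=[ip_network("192.168.5.5/32")],           # PC1 (assumed address), wildcard 0
        policy_ifaces={"GE1/0/1"},
    )


def run_scenario() -> List[Tuple[str, str, str, str]]:
    """Constructed packets: (ingress, source, verdict, reason)."""
    sw = build_switch()
    packets = [
        ("GE1/0/1", "10.1.1.7"),      # ordinary user, reverse path matches
        ("GE1/0/1", "203.0.113.9"),   # spoofed source, route points upstream
        ("GE1/0/1", "192.168.5.5"),   # PC1, exempted by ACL 2000
        ("GE1/0/1", "192.168.5.6"),   # same prefix as PC1 but not in the ACL
        ("GE2/0/1", "10.1.1.7"),      # user address arriving from upstream
        ("GE2/0/1", "192.168.5.5"),   # PC1's prefix from its routed side, no policy needed
    ]
    return [(iface, src, *sw.urpf_check(iface, src)) for iface, src in packets]


if __name__ == "__main__":
    for iface, src, verdict, reason in run_scenario():
        print(f"{iface:8} {src:15} {verdict:7} {reason}")
```

The exemption is deliberately scoped: it only applies where tp1 is bound inbound (GE1/0/1 in the guide), so the same source arriving on GE2/0/1 is still subject to the strict check there, and any other host in PC1's prefix is still dropped on GE1/0/1.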

Configuration Files

Switch configuration file

sysname Switch
urpf slot 1
urpf slot 2
acl number 2000
 rule 5 permit source 0 
traffic classifier tc1 operator or precedence 5  
 if-match acl 2000 
traffic behavior tb1
 ip urpf disable
traffic policy tp1 match-order config
 classifier tc1 behavior tb1
interface GigabitEthernet1/0/1
 traffic-policy tp1 inbound                      
 urpf strict 
interface GigabitEthernet2/0/1
 urpf strict  
Updated: 2019-10-18

Document ID: EDOC1000178319