
Configuration Guide - Security

S9300, S9300E, and S9300X V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Configuring URPF Check

Context

A Denial of Service (DoS) attack prevents legitimate users from connecting to a server. A DoS attack consumes the server's resources by sending it a large number of connection requests, so that the attacked server can no longer respond to authorized users.

URPF looks up the route to the packet's source IP address in the routing table and checks whether the inbound interface of the packet is the same as the outbound interface of that route. If the routing table has no route to the source IP address of the packet, or the inbound interface of the packet differs from the outbound interface of the route, the packet is discarded. This prevents IP spoofing attacks, especially DoS attacks that use bogus source IP addresses.

In a complicated networking environment, asymmetric routes may exist. That is, the path a packet takes from the local end to the remote end differs from the path the reply takes back, so the routes recorded on the local end and the remote end are different. A URPF-enabled device on such a network may discard the packets transmitted along the correct path but forward the packets transmitted along incorrect paths. The device provides the following two URPF modes to solve this problem:
  • Strict mode

    In strict mode, a packet passes the check only when the device has a route to the source IP address of the packet in the routing table and the inbound interface of the packet is the same as the outbound interface of that route.

    If route symmetry is ensured, you are advised to use the URPF strict mode. For example, if there is only one path between two network edge devices, URPF strict mode can be used to ensure network security.

  • Loose mode

    In loose mode, a packet passes the check as long as the device has a route to the source IP address of the packet in the routing table, and the inbound interface of the packet is not required to be the same as the outbound interface of the route.

    If route symmetry is not ensured, you are advised to use the URPF loose mode. For example, if there are multiple paths between two network edge devices, URPF loose mode can be used to ensure network security and prevent the packets transmitted along the correct path from being discarded.
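The following is an added example, not code from the Huawei document, that models the strict and loose checks described above against a constructed routing table (longest-prefix match, interface names such as GE1/0/1 are made up). It also models the allow-default-route parameter of the urpf command under the assumption that, without it, a source address matched only by the default route fails the check.

```python
import ipaddress

# Constructed routing table: (destination prefix, outbound interface).
# The 0.0.0.0/0 entry is the default route.
ROUTES = [
    ("10.1.0.0/16", "GE1/0/1"),
    ("10.1.2.0/24", "GE1/0/2"),
    ("192.168.0.0/24", "GE1/0/3"),
    ("0.0.0.0/0", "GE1/0/4"),
]


def lookup(src_ip, routes):
    """Longest-prefix match on the source address.

    Returns (network, outbound interface) or None when no route matches.
    """
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, out_if in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, out_if)
    return best


def urpf_check(src_ip, in_if, routes, mode="strict", allow_default_route=False):
    """Return True if the packet passes URPF, False if it would be discarded.

    mode is "strict" or "loose", mirroring urpf { loose | strict }.
    allow_default_route is an assumed model of the optional parameter:
    without it, a match on the default route alone does not count as a route.
    """
    match = lookup(src_ip, routes)
    if match is None:
        return False  # no route to the source address: discarded in both modes
    net, out_if = match
    if net.prefixlen == 0 and not allow_default_route:
        return False  # only the default route matched (assumed semantics)
    if mode == "loose":
        return True  # loose mode: any route to the source suffices
    return out_if == in_if  # strict mode: inbound must equal the route's outbound


if __name__ == "__main__":
    # Asymmetric path: the source is reachable via GE1/0/2 but arrives on GE1/0/1.
    print("strict:", urpf_check("10.1.2.5", "GE1/0/1", ROUTES))
    print("loose: ", urpf_check("10.1.2.5", "GE1/0/1", ROUTES, mode="loose"))
```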

Procedure

Card: LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, and X series cards

Configuration logic: Enable URPF on the interface and configure the URPF mode.

Procedure:
  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. (Optional) On an Ethernet interface, run undo portswitch

    The interface is switched to Layer 3 mode.

    By default, an Ethernet interface works in Layer 2 mode.

  4. Run urpf { loose | strict } [ allow-default-route ]

    URPF is enabled on the interface and the URPF mode is configured.

    By default, URPF is disabled on an interface.

Card: Cards except for LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, and X series cards

Configuration logic:
  1. Enable URPF in the system view.
  2. Enable URPF on the interface and configure the URPF mode.

Procedure:
  1. Run system-view

    The system view is displayed.

  2. Run urpf slot slot-id [ based-logic-port ]

    The global URPF is enabled on an LPU.

    By default, global URPF is disabled on the LPU.

    NOTE:

    Only LE2D2X48SEC0 card, FC series cards, SC series cards, and EE series cards support based-logic-port.

    If based-logic-port is specified, URPF can be configured only on logical interfaces (VLANIF interfaces or sub-interfaces), and URPF configured on Ethernet interfaces (Layer 2 or Layer 3 Ethernet interfaces) will become invalid. If based-logic-port is not specified, URPF can be configured only on Ethernet interfaces, and URPF configured on logical interfaces will become invalid.

  3. Run interface interface-type interface-number

    The interface view is displayed.

  4. (Optional) On an Ethernet interface, run undo portswitch

    The interface is switched to Layer 3 mode.

    By default, an Ethernet interface works in Layer 2 mode.

  5. Run urpf { loose | strict } [ allow-default-route ]

    URPF is enabled on the interface and the URPF mode is configured.

    By default, URPF is disabled on an interface.

    NOTE:

    For LE2D2X48SEC0, FC series, SC series, and EE series cards, only Layer 2 Ethernet interfaces support the URPF strict check.

    You can configure URPF on VLANIF interfaces and subinterfaces only on the LE2D2X48SEC0 card, FC series cards, SC series cards, EE series cards, LE1D2S04SEC0 card, LE1D2X32SEC0 card, LE1D2H02QEC0 card, and X series cards.

    For the LE2D2X48SEC0 card, the allow-default-route parameter does not take effect when the resource allocation mode is set to enhanced-ipv4 or ipv4-ipv6 6:1 using the assign resource-mode command.

Updated: 2019-04-01

Document ID: EDOC1000178410