No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring the URPF Check Mode on an Interface

Configuring the URPF Check Mode on an Interface

Context

In a complicated networking environment, On a complex network, asymmetric routes may exist. That is, the routes recorded on the local end and remote end are different. A URPF-enabled device on this network may discard the packets transmitted along the correct path, but forward the invalid packets.

The device provides the following URPF modes to solve the preceding problem:

  • Strict check

    In strict mode, a packet can pass the check only when the source IP address of the packet exists in the Forwarding Information Base (FIB) table and the related entries and interfaces match.

    If route symmetry is ensured, you are advised to use the URPF strict check. For example, if there is only one path between two network edge devices, URPF strict check can be used to ensure network security.

  • Loose check

    In loose mode, the device does not check whether the interfaces of packets exist in the FIB table. A packet can pass the check as long as the source IP address of the packet exists in the FIB table.

    If route symmetry is not ensured, you are advised to use the URPF loose check. For example, if there are multiple paths between two network edge devices, URPF loose check can be used to ensure network security.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Configuring URPF check for packets on the interface
    • Configure the URPF check mode for IPv4 packets on the interface.

      Run urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]

      The URPF check mode for IPv4 packets is configured on the interface.

    • Configure the URPF check mode for IPv6 packets on the interface.

      Run ipv6 urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]

      The URPF check mode for IPv6 packets is configured on the interface.

      NOTE:

      To configure URPF check for IPv6 packets on an interface, enable the IPv6 function on the interface first. Run the ipv6 command in the system view, and run the ipv6 enable command in the interface view.

Translation
Download
Updated: 2019-05-20

Document ID: EDOC1100034077

Views: 112089

Downloads: 204

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next