
Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configuration of security features, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, and security risks.
Licensing Requirements and Limitations for URPF

Involved Network Elements

Other network elements are not required.

Licensing Requirements

URPF is a basic feature of a switch and is not under license control.

Version Requirements

Table 15-1 Products and minimum version supporting URPF

Product                                Minimum Version Required
-------------------------------------  ------------------------
CE8860EI                               V100R006C00
CE8861EI                               V200R005C10
CE8868EI                               V200R005C10
CE8850-32CQ-EI                         V200R002C50
CE8850-64CQ-EI                         V200R005C00
CE7850EI                               V100R003C00
CE7855EI                               V200R001C00
CE6810EI                               V100R003C00
CE6850EI                               V100R001C00
CE6850-48S6Q-HI                        V100R005C00
CE6850-48T6Q-HI/CE6850U-HI/CE6851HI    V100R005C10
CE6855HI                               V200R001C00
CE6856HI                               V200R002C50
CE6857EI                               V200R005C10
CE6860EI                               V200R002C50
CE6865EI                               V200R005C00
CE6870-24S6CQ-EI/CE6870-48S6CQ-EI      V200R001C00
CE6870-48T6CQ-EI                       V200R002C50
CE6875EI                               V200R003C00
CE6880EI                               V200R002C50
CE5810EI                               V100R002C00
CE5850EI                               V100R001C00
CE5850HI                               V100R003C00
CE5855EI                               V100R005C10
CE5880EI                               V200R005C10

Feature Limitations

When deploying URPF on switches other than the CE6870EI and CE6875EI, pay attention to the following:
  • When a FIB table contains multiple next-hop addresses, URPF must be set to loose mode.
  • After URPF is enabled, the number of IPv4 FIB entries is reduced by half, which may cause packet loss (except on the CE5880EI and CE6880EI).
  • After URPF is enabled, the number of IPv6 FIB entries is reduced, which may cause packet loss (except on the CE5880EI and CE6880EI).
  • It is recommended that URPF be enabled before services are configured. If you need to enable URPF after services are deployed, configure it when less traffic is being transmitted, and ensure that network requirements are still met with the reduced number of FIB entries.
  • When the source address of a packet is an IPv6 link-local address (FE80::/10), the packet is discarded by strict URPF.
  • Layer 3 Ethernet interfaces and Layer 3 Eth-Trunk interfaces do not support strict mode (except on the CE5880EI and CE6880EI).
  • A device in large-route mode does not support URPF.
  • The CE6857EI, CE6865EI, CE8850-64CQ-EI, CE8861EI, and CE8868EI do not support URPF in standard mode.
  • A device in UFT flexible resource mode with specified routing entries does not support URPF.
  • In the following system resource modes, the device does not support strict URPF. If the URPF mode is set to strict in one of these modes, loose URPF takes effect instead.
    • CE5855EI: The system resource mode is standard, large-arp, or super-arp.
    • Devices other than the CE5855EI: The system resource mode is large-arp or the UFT flexible resource mode with ARP entries specified.
  • When an SVF consisting of only fixed switches works in centralized or hybrid forwarding mode, URPF check is not performed for the Layer 3 traffic forwarded on the leaf switch.
  • If the source IP address of a packet is on the 127 network segment and the packet is not used to ping the local interface, the packet is discarded.
  • URPF check is not supported for BOOTP and DHCP packets whose source IP address is 0.0.0.0 and whose destination IP address is 255.255.255.255.
When deploying URPF on the CE6870EI and CE6875EI switches, pay attention to the following:
  • After the ip routing ignore-mac command is executed to ignore packet destination MAC addresses, the switch performs Layer 3 forwarding even if the destination MAC address of a received packet is not the MAC address of the local Layer 3 interface. The switch does not perform URPF check on such packets.
  • When a FIB table contains multiple next-hop addresses, URPF must be set to loose mode.
  • When the device detects that the next-hop address corresponding to the source IP address of a data packet in the FIB table is 127.0.0.1, only URPF loose mode can take effect.
  • If the source IP address in a received packet is the device's local IP address or a subnet broadcast address, strict URPF does not take effect and only loose URPF can take effect.
  • If the source IP address of received packets is a tunnel interface address, URPF strict mode cannot take effect for the packets; only loose mode takes effect. URPF check is not supported after packets are decapsulated and forwarded out of the tunnel.
  • When the source address of a packet is an IPv6 link-local address (FE80::/10), strict URPF does not take effect for the packet.
  • By default, URPF and TRILL cannot be used together. To use both of them, run the trill adjacency-check disable command first. The TRILL function has a higher priority than URPF. If URPF is configured before TRILL, only TRILL takes effect.
  • If the source IP address of a packet is on the 127 network segment and the packet is not used to ping the local interface, the packet is discarded.
  • URPF check is not supported for BOOTP and DHCP packets whose source IP address is 0.0.0.0 and whose destination IP address is 255.255.255.255.
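
The limitations for switches other than the CE6870EI and CE6875EI can be checked against a device inventory before URPF is enabled. The following Python sketch is an added example, not Huawei code: the function names, the subset of Table 15-1 it embeds, and the resource-mode labels (uft-route and uft-arp are hypothetical labels, and none of them are CLI keywords) are assumptions made for illustration.

```python
import re

# Rows copied from Table 15-1; a subset, extend with the remaining models.
MIN_VERSION = {"CE8861EI": "V200R005C10", "CE6857EI": "V200R005C10",
               "CE6850EI": "V100R001C00", "CE5855EI": "V100R005C10",
               "CE5880EI": "V200R005C10", "CE6880EI": "V200R002C50"}
# Models the page lists as not supporting URPF in standard mode.
NO_URPF_STANDARD = {"CE6857EI", "CE6865EI", "CE8850-64CQ-EI",
                    "CE8861EI", "CE8868EI"}
FIB_EXEMPT = {"CE5880EI", "CE6880EI"}  # no FIB reduction when URPF is enabled

def vrc(version):
    """Turn 'V200R005C10' into the comparable tuple (200, 5, 10)."""
    m = re.fullmatch(r"V(\d+)R(\d+)C(\d+)", version)
    if m is None:
        raise ValueError(f"not a VxxxRxxxCxx string: {version!r}")
    return tuple(int(g) for g in m.groups())

def check_urpf(model, version, resource_mode, want, multi_next_hop=False):
    """Return (effective_mode, findings); effective_mode is None if URPF
    cannot be used. resource_mode is a label from the page's wording
    (large-route, standard, large-arp, super-arp) or the hypothetical
    labels uft-route / uft-arp for the two UFT flexible cases."""
    if model not in MIN_VERSION:
        return None, [f"{model}: not in the embedded subset of Table 15-1"]
    if vrc(version) < vrc(MIN_VERSION[model]):
        return None, [f"{model} needs {MIN_VERSION[model]} or later"]
    if (resource_mode in ("large-route", "uft-route")
            or (resource_mode == "standard" and model in NO_URPF_STANDARD)):
        return None, [f"URPF is not supported in {resource_mode} mode"]
    effective, findings = want, []
    if want == "strict":
        no_strict = ({"standard", "large-arp", "super-arp"}
                     if model == "CE5855EI" else {"large-arp", "uft-arp"})
        if resource_mode in no_strict:
            effective = "loose"
            findings.append("strict is configured but loose takes effect")
        if multi_next_hop:
            findings.append("FIB has multiple next hops: configure loose")
    if model not in FIB_EXEMPT:
        findings.append("FIB shrinks: IPv4 entries halved, IPv6 reduced")
    return effective, findings

if __name__ == "__main__":
    # Constructed inventory rows, not real devices.
    for row in [("CE5855EI", "V100R005C10", "large-arp", "strict"),
                ("CE8861EI", "V200R005C00", "large-arp", "loose"),
                ("CE6857EI", "V200R005C10", "standard", "loose")]:
        print(row, "->", check_urpf(*row))
```

A result where strict was requested but loose is returned is the case to review: the device accepts the strict setting while enforcing only the loose check.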
Updated: 2019-04-20

Document ID: EDOC1100074765