Example for Configuring URPF (CE12800E)
Networking Requirements
As shown in Figure 15-7, the Switch is connected to the Internet Service Provider (ISP) router through 10GE1/0/1 and to user networks through 10GE2/0/1. The administrator wants the Switch to defend against source address spoofing attacks. Without this function, unauthorized users can occupy too many service resources by sending valid service requests, and authorized users cannot communicate with each other because they receive no response.
Configuration Roadmap
Add the user-side interface 10GE2/0/1 of the switch to a Virtual Local Area Network (VLAN) and configure URPF on the VLANIF interface to prevent source IP address spoofing attacks from users.
Route symmetry is ensured in this example, so the URPF strict check is used.
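Why route symmetry decides between the strict and loose checks can be seen in a small model of the source-address lookup. This is an added illustration, not Huawei code or the switch's implementation; the prefixes, the third interface 10GE3/0/1 and the function names are constructed, and default routes are not modelled.

```python
import ipaddress

# Constructed FIB: (destination prefix, outgoing interface). No default route is modelled.
FIB = [
    ("192.0.2.0/24", "10GE2/0/1"),     # user network behind the user-side interface
    ("198.51.100.0/24", "10GE1/0/1"),  # prefix reached through the ISP router
]

# Same prefixes, but the best route back to the users leaves through a
# hypothetical third interface: the asymmetric-routing case.
ASYM_FIB = [
    ("192.0.2.0/24", "10GE3/0/1"),
    ("198.51.100.0/24", "10GE1/0/1"),
]

def best_route(src, fib):
    """Longest-prefix match on the packet's SOURCE address."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), ifname) for p, ifname in fib
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def urpf_check(src, in_if, mode, fib=FIB):
    """Return True if the packet is forwarded, False if URPF discards it."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    route = best_route(src, fib)
    if route is None:
        return False              # no route to the source: both modes discard
    if mode == "loose":
        return True               # any matching route is enough
    return route[1] == in_if      # strict: route must point back out the ingress interface

if __name__ == "__main__":
    cases = [
        ("192.0.2.10", FIB, "genuine user source, symmetric routes"),
        ("198.51.100.7", FIB, "source that belongs behind the ISP port"),
        ("203.0.113.5", FIB, "source with no route at all"),
        ("192.0.2.10", ASYM_FIB, "genuine user source, asymmetric routes"),
    ]
    for src, fib, label in cases:
        for mode in ("strict", "loose"):
            verdict = "forward" if urpf_check(src, "10GE2/0/1", mode, fib) else "discard"
            print(f"{label:42} {mode:6} -> {verdict}")
```

With symmetric routes the strict check discards a source that belongs behind another interface while loose mode lets it through; with asymmetric routes the strict check would discard legitimate user traffic.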
Procedure
- Configure the URPF check mode on the interface.
    <HUAWEI> system-view
    [~HUAWEI] sysname Switch
    [*HUAWEI] commit
    [~Switch] interface 10ge 2/0/1
    [~Switch-10GE2/0/1] undo portswitch
    [*Switch-10GE2/0/1] ip urpf enable
    [*Switch-10GE2/0/1] ip urpf strict
    [*Switch-10GE2/0/1] commit
    [~Switch-10GE2/0/1] quit
- Verify the configuration.
Run the display this command on 10GE2/0/1 to check the URPF configuration.
    [~Switch-10GE2/0/1] display this
    #
    interface 10GE2/0/1
     undo portswitch
     ip urpf enable
     ip urpf strict
    #
    return