Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document.
Note: Even the most advanced machine translation cannot match the quality of professional translators.
Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Licensing Requirements and Limitations for URPF
This section describes the licensing requirements and limitations for URPF.
Involved Network Elements
Other network elements are not required.
Licensing Requirements
URPF is a basic function of the switch, and as such is controlled by the license for basic software functions. The license for basic software functions has been loaded and activated before delivery. You do not need to manually activate it.
Version Requirements
Table 15-1 Products and minimum version supporting URPF
Product Model |
Minimum Version Required |
|---|---|
CE12804/CE12808/CE12812 |
V100R001C00 |
CE12816 |
V100R003C00 |
CE12804S/CE12808S |
V100R005C00 |
CE12804E/CE12808E/CE12816E |
V200R002C50 |
For details about the mapping between software versions and switch models, see the Hardware Query Tool.
Software version evolution: V100R001C00 -> V100R002C00 -> V100R003C00 -> V100R003C10 -> V100R005C00 -> V100R005C10 -> V100R006C00 -> V200R001C00 -> V200R002C50 -> V200R003C00 -> V200R005C00 -> V200R005C10 -> V200R019C00 -> V200R019C10
Feature Limitations
When deploying URPF on a switch except the CE12800E that has the FD-X series cards installed, pay attention to the following:
- If the source IP address of received packets is a tunnel interface address, URPF strict mode cannot take effect for the packets. Only the loose mode takes effect. URPF check is not supported after packets are decapsulated and forwarded out of the tunnel. (CE12800E)
- URPF check is not performed on redirected packetson the CE12800E that has the ED-E, EG-E, and EGA-E series cards installed.
- When a FIB table contains multiple next-hop addresses (including ECMP/FRR), URPF must be set to loose mode.
- When the device detects that the next hop address corresponding to the source IP address of a data packet in the FIB table is 127.0.0.1, only the URPF loose mode can take effect.
- In non-enhanced mode, the CE12800 does not support IPv6 strict URPF. After URPF is enabled, only loose URPF is provided.
- When the source address of a packet is an IPv6 link-local address (FE80::/10), the strict URPF does not take effect for the packet.
- After URPF is enabled on the ED/EF series cards, the number of IPv4 FIB entries is reduced by half. After URPF is enabled on the F series cards, the number of IPv4 FIB entries delivered to the external TCAM is reduced. As a result, packet loss may occur.
- After URPF is enabled and the card interoperability mode is enhanced, the number of IPv6 FIB entries remains unchanged. In other cases, the number of IPv6 FIB entries decreases, which may cause packet loss. (CE12800)
- It is recommended that URPF be enabled before services are configured. If you need to enable URPF after services are deployed, configure URPF during off-peak hours and ensure that service requirements on the live network can be met even when the maximum number of FIB entries is reduced.
In V100R005C00 and earlier versions, URPF and TRILL cannot be used together. In V100R005C10 and later versions, by default, URPF and TRILL cannot be used together. To use both of them, run the trill adjacency-check disable command first. The TRILL function has a higher priority than URPF. If URPF is configured before TRILL, only TRILL takes effect.
- If a VPN instance is bound to a VLANIF interface or physical interface on the egress PE device, do not configure URPF on the VLANIF interface or physical interface. URPF may cause VPN traffic forwarding failure. (CE12800)
- After the ip routing ignore-mac command is executed to ignore packet destination MAC addresses, the switch still performs Layer 3 forwarding even if the destination MAC address of a received packet is not the MAC address of the local Layer 3 interface, but the switch does not perform URPF check.
- If the source IP address of a packet is on the 127 network segment and the packet is not used to ping the local interface, the packet is discarded.
- URPF check is not supported for BOOTP and DHCP packets with the source IP address being 0.0.0.0 and the destination IP address being 255.255.255.255.
- In V200R005C00 and later versions, the ip urpf enable and system resource fib ipv4 extend mask-length commands are mutually exclusive.
When deploying URPF on the CE12800E that has the FD-X series cards installed, pay attention to the following:
- When a FIB table contains multiple next-hop addresses (including ECMP/FRR), URPF must be set to loose mode.
- When the source address of a packet is an IPv6 link-local address (FE80::/10), the packet is discarded by strict URPF.
- The Layer 3 Ethernet interfaces and Layer 3 Eth-Trunk interfaces do not support the strict mode.
- When the large-arp mode or the UFT flexible resource mode with ARP entries specified is configured on a device, the device does not support strict URPF. When strict URPF is configured, loose URPF actually takes effect.
- After URPF is enabled, the number of IPv4 FIB entries is reduced by half, which may cause packet loss.
- After URPF is enabled, the number of IPv6 FIB entries is reduced, which may cause packet loss.
- It is recommended that URPF be enabled before services are configured. If you need to enable URPF after services are deployed, configure URPF during off-peak hours and ensure that service requirements on the live network can be met even when the maximum number of FIB entries is reduced.
- A device in standard mode does not support URPF.
- In UFT flexible resource mode with specified routing entries, a device does not support URPF.
- URPF check is not supported for BOOTP and DHCP packets with the source IP address being 0.0.0.0 and the destination IP address being 255.255.255.255.
- If the source IP address of a packet is on the 127 network segment and the packet is not used to ping the local interface, the packet is discarded.