- Table of Contents
-
- 11-Security Command Reference
- 00-Preface
- 01-AAA commands
- 02-Portal commands
- 03-User profile commands
- 04-Password control commands
- 05-Keychain commands
- 06-Public key management commands
- 07-PKI commands
- 08-IPsec commands
- 09-Group domain VPN commands
- 10-SSH commands
- 11-SSL commands
- 12-SSL VPN commands
- 13-ASPF commands
- 14-APR commands
- 15-Session management commands
- 16-Connection limit commands
- 17-Object group commands
- 18-Object policy commands
- 19-Attack detection and prevention commands
- 20-ARP attack protection commands
- 21-ND attack defense commands
- 22-uRPF commands
- 23-Crypto engine commands
- 24-FIPS commands
- 25-SMA commands
- Related Documents
-
Title | Size | Download |
---|---|---|
22-uRPF commands | 68.21 KB |
display ip urpf (for interfaces)
display ip urpf (for security zones)
display ip urpf statistics security-zone
reset ip urpf statistics security-zone
display ipv6 urpf (for interfaces)
display ipv6 urpf (for security zones)
display ipv6 urpf statistics security-zone
reset ipv6 urpf statistics security-zone
IPv4 uRPF commands
display ip urpf (for interfaces)
Use display ip urpf to display uRPF configuration.
Syntax
In standalone mode:
display ip urpf [ interface interface-type interface-number ] [ slot slot-number ]
In IRF mode:
display ip urpf [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Alternatively, you can execute the command without specifying this option. The command execution results are the same. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays uRPF configuration for all member devices. (In IRF mode.)
Examples
# (In standalone mode.) Display uRPF configuration on GigabitEthernet 1/1/1.
<Sysname> display ip urpf interface gigabitethernet1/1/1 slot 0
uRPF configuration information of interface GigabitEthernet1/1/1:
Check type: strict
Allow default route
Link check
Suppress drop ACL: 2000
# (In IRF mode.) Display uRPF configuration on GigabitEthernet 1/1/1/1.
<Sysname> display ip urpf interface gigabitethernet1/1/1/1 chassis 1 slot 0
uRPF configuration information of interface GigabitEthernet1/1/1/1:
Check type: loose
Allow default route
Suppress drop ACL: 2000
Table 1 Command output
Field |
Description |
(failed) |
The system failed to deliver the uRPF configuration to the forwarding chip because of insufficient chip resources. This field is not displayed if the delivery is successful. |
Check type |
uRPF check mode: loose or strict. |
Allow default route |
Using the default route is allowed. |
Link check |
Link layer check is enabled. |
Suppress drop ACL |
ACL used for drop suppression. |
display ip urpf (for security zones)
Use display ip urpf to display uRPF configuration.
display ip urpf [ security-zone zone-name ] [ slot slot-number ]
display ip urpf [ security-zone zone-name ] [ chassis chassis-number slot slot-number ]
Any view
network-admin
security-zone zone-name: Specifies a security zone by its name, a case-insensitive string of 1 to 31 characters. The string cannot include hyphens (-).
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays uRPF configuration for all member devices. (In IRF mode.)
# (In standalone mode.) Display uRPF configuration for security zone Untrust.
<Sysname> display ip urpf security-zone Untrust slot 1
uRPF configuration information of security-zone Untrust:
Check type: strict
Allow default route
Link check
Suppress drop ACL: 3000
# (In IRF mode.) Display uRPF configuration for security zone Untrust.
<Sysname> display ip urpf security-zone Untrust chassis 1 slot 1
uRPF configuration information of security-zone Untrust:
Check type: strict
Allow default route
Link check
Suppress drop ACL: 3000
Table 2 Command output
Description |
|
This field is not displayed if the delivery is successful. |
|
Using the default route is allowed. |
|
Link layer check is enabled. |
|
ACL used for drop suppression. |
display ip urpf statistics security-zone
Use display ip urpf statistics security-zone to display uRPF statistics for a security zone.
Syntax
In standalone mode:
display ip urpf statistics security-zone zone-name [ slot slot-number ]
In IRF mode:
display ip urpf statistics security-zone zone-name [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
zone-name: Specifies a security zone by its name, a case-insensitive string of 1 to 31 characters. The string cannot include hyphens (-).
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Alternatively, you can execute the command without specifying this option. The command execution results are the same. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays information for all member devices. (In IRF mode.)
Examples
# (In standalone mode.) Display uRPF statistics for security zone Untrust.
<Sysname> display ip urpf statistics security-zone Untrust slot 1
uRPF information:
Drops : 390712
Suppressed drops: 0
Table 3 Command output
Field |
Description |
uRPF information |
uRPF statistics. |
Drops |
Number of dropped packets. |
Suppressed drops |
Number of packets that are not dropped because they match the ACL for drop suppression. |
Related commands
reset ip urpf statistics security-zone
ip urpf
Use ip urpf to enable uRPF.
Use undo ip urpf to disable uRPF.
Syntax
ip urpf { loose [ allow-default-route ] [ acl acl-number ] | strict [ allow-default-route ] [ acl acl-number ] [ link-check ] }
undo ip urpf
Default
uRPF is disabled.
Views
Interface view
Security zone view
Predefined user roles
network-admin
mdc-admin
Parameters
loose: Enables loose uRPF check. To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry.
strict: Enables strict uRPF check. To pass strict uRPF check, the source address and receiving interface of a packet must match the destination address and output interface of a FIB entry.
allow-default-route: Allows using the default route for uRPF check.
acl acl-number: Specifies an ACL by its number.
· For a basic ACL, the value range is 2000 to 2999.
· For an advanced ACL, the value range is 3000 to 3999.
link-check: Enables link layer check (Ethernet link).
Usage guidelines
uRPF can be deployed on a PE connected to a CE or another ISP, or on a CE.
Configure strict uRPF check on a PE interface connected to a CE, and configure loose uRPF check on a PE interface connected to another ISP.
Configure strict uRPF check for the security zone to which a PE interface connected to a CE belongs. Configure loose uRPF check for the security zone to which a PE interface connected to another ISP belongs.
For asymmetrical routing, configure loose uRPF to avoid discarding valid packets. For symmetrical routing, configure strict uRPF. An ISP usually adopts symmetrical routing on a PE device.
Typically, you do not need to configure the allow-default-route keyword on a PE device, because it has no default route pointing to a CE. If you enable uRPF on a CE that has a default route pointing to the PE, specify the allow-default-route keyword.
You can use an ACL to match specific packets, so they are forwarded even if they fail to pass uRPF check.
If a Layer 3 PE interface connects to a large number of PCs, configure the link-check keyword on the interface to enable link layer check. uRPF checks the validity of the source MAC address.
Examples
# Configure strict uRPF check on interface GigabitEthernet 1/1/2 and allow using the default route and ACL 2999 to match packets.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/1/2
[Sysname-GigabitEthernet1/1/2] ip urpf strict allow-default-route acl 2999
# Configure loose uRPF check on interface GigabitEthernet 1/1/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet1/1/1] ip urpf loose
# Configure strict uRPF check for the security zone Untrust and allow using the default route and ACL 2999 to match packets.
[Sysname] security-zone name Untrust
[Sysname-security-zone-Untrust] ip urpf strict allow-default-route acl 2999
Related commands
display ip urpf
reset ip urpf statistics security-zone
Use reset ip urpf statistics security-zone to clear uRPF statistics for a security zone.
Syntax
reset ip urpf statistics security-zone zone-name
Views
User view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
zone-name: Specifies a security zone by its name, a case-insensitive string of 1 to 31 characters. The string cannot include hyphens (-).
Examples
# Clear uRPF statistics for security zone Untrust.
<Sysname> reset ip urpf statistics security-zone Untrust
Related commands
display ip urpf statistics security-zone
IPv6 uRPF commands
display ipv6 urpf (for interfaces)
Use display ipv6 urpf to display IPv6 uRPF configuration.
Syntax
In standalone mode:
display ipv6 urpf [ interface interface-type interface-number ] [ slot slot-number ]
In IRF mode:
display ipv6 urpf [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Alternatively, you can execute the command without specifying this option. The command execution results are the same. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays IPv6 uRPF configuration for all member devices. (In IRF mode.)
Examples
# (In standalone mode.) Display IPv6 uRPF configuration on GigabitEthernet 1/1/1.
<Sysname> display ipv6 urpf interface gigabitethernet1/1/1 slot 0
IPv6 uRPF configuration information of interface GigabitEthernet1/1/1:
Check type: loose
Allow default route
Suppress drop ACL: 2000
# (In IRF mode.) Display IPv6 uRPF configuration on GigabitEthernet 1/1/1/1.
<Sysname> display ipv6 urpf interface gigabitethernet1/1/1/1 chassis 1 slot 0
IPv6 uRPF configuration information of interface GigabitEthernet1/1/1/1:
Check type: loose
Allow default route
Suppress drop ACL: 2000
Table 4 Command output
Field |
Description |
(failed) |
The system failed to deliver the IPv6 uRPF configuration to the forwarding chip because of insufficient chip resources. This field is not displayed if the delivery is successful. |
Check type |
IPv6 uRPF check mode: loose or strict. |
Allow default route |
Using the default route is allowed. |
Suppress drop ACL |
IPv6 ACL used for drop suppression. |
display ipv6 urpf (for security zones)
Use display ipv6 urpf to display IPv6 uRPF configuration.
display ipv6 urpf [ security-zone zone-name ] [ slot slot-number ]
display ipv6 urpf [ security-zone zone-name ] [ chassis chassis-number slot slot-number ]
network-admin
security-zone zone-name: Specifies a security zone by its name, a case-insensitive string of 1 to 31 characters. The string cannot include hyphens (-).
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Alternatively, you can execute the command without specifying this option. The command execution results are the same. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays IPv6 uRPF configuration for all member devices. (In IRF mode.)
# (In standalone mode.) Display IPv6 uRPF configuration for security zone Untrust.
<Sysname> display ipv6 urpf security-zone Untrust slot 1
IPv6 uRPF configuration information of security-zone Untrust:
Check type: loose
Allow default route
Suppress drop ACL: 2000
# (In IRF mode.) Display IPv6 uRPF configuration for security zone Untrust.
<Sysname> display ipv6 urpf security-zone Untrust chassis 1 slot 1
IPv6 uRPF configuration information of security-zone Untrust:
Check type: loose
Allow default route
Suppress drop ACL: 2000
Table 5 Command output
Description |
|
IPv6 uRPF check mode: loose or strict. |
|
Using the default route is allowed. |
|
IPv6 ACL used for drop suppression. |
display ipv6 urpf statistics security-zone
Use display ipv6 urpf statistics security-zone to display IPv6 uRPF statistics for a security zone.
Syntax
In standalone mode:
display ipv6 urpf statistics security-zone zone-name [ slot slot-number ]
In IRF mode:
display ipv6 urpf statistics security-zone zone-name [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
zone-name: Specifies a security zone by its name, a case-insensitive string of 1 to 31 characters. The string cannot include hyphens (-).
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Alternatively, you can execute the command without specifying this option. The command execution results are the same. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays information for all member devices. (In IRF mode.)
Examples
# (In standalone mode.) Display IPv6 uRPF statistics for security zone Untrust.
<Sysname> display ipv6 urpf statistics security-zone Untrust slot 1
IPv6 uRPF information:
Drops : 390712
Suppressed drops: 0
Table 6 Command output
Field |
Description |
IPv6 uRPF information |
IPv6 uRPF statistics. |
Drops |
Number of dropped packets. |
Suppressed drops |
Number of packets that are not dropped because they match the ACL for drop suppression. |
Related commands
reset ipv6 urpf statistics security-zone
ipv6 urpf
Use ipv6 urpf to enable IPv6 uRPF.
Use undo ipv6 urpf to disable IPv6 uRPF.
Syntax
ipv6 urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]
undo ipv6 urpf
Default
IPv6 uRPF is disabled.
Views
Interface view
Security zone view
Predefined user roles
network-admin
mdc-admin
Parameters
loose: Enables loose IPv6 uRPF check. To pass loose IPv6 uRPF check, the source address of a packet must match the destination address of an IPv6 FIB entry.
strict: Enables strict IPv6 uRPF check. To pass strict IPv6 uRPF check, the source address and receiving interface of a packet must match the destination address and output interface of an IPv6 FIB entry.
allow-default-route: Allows using the default route for IPv6 uRPF check.
acl acl-number: Specifies an IPv6 ACL by its number.
· For a basic IPv6 ACL, the value range is 2000 to 2999.
· For an advanced IPv6 ACL, the value range is 3000 to 3999.
Usage guidelines
IPv6 uRPF can be deployed on a CE or on a PE connected to either a CE or another ISP.
Configure strict IPv6 uRPF check on a PE interface connected to a CE, and configure loose IPv6 uRPF check on a PE interface connected to another ISP.
Configure strict IPv6 uRPF check for the security zone to which a PE interface connected to a CE belongs. Configure loose IPv6 uRPF check for the security zone to which a PE interface connected to another ISP belongs.
For asymmetrical routing, configure loose IPv6 uRPF to avoid discarding valid packets. For symmetrical routing, configure strict IPv6 uRPF. An ISP usually adopts symmetrical routing on a PE device.
Typically, you do not need to configure the allow-default-route keyword on a PE device, because it has no default route pointing to a CE. If you enable uRPF on a CE that has a default route pointing to the PE, specify the allow-default-route keyword.
You can use an ACL to match specific packets, so they are forwarded even if they fail to pass IPv6 uRPF check.
Examples
# Configure strict IPv6 uRPF check on interface GigabitEthernet 1/1/2 and allow using the default route and IPv6 ACL 2999 to match packets.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/1/2
[Sysname-GigabitEthernet1/1/2] ipv6 urpf strict allow-default-route acl 2999
# Configure loose IPv6 uRPF check on interface GigabitEthernet 1/1/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet1/1/1] ipv6 urpf loose
# Configure loose IPv6 uRPF check for the security zone Untrust.
[Sysname] security-zone name Untrust
[Sysname-security-zone-Untrust] ipv6 urpf loose
Related commands
display ipv6 urpf
reset ipv6 urpf statistics security-zone
Use reset ipv6 urpf statistics security-zone to clear IPv6 uRPF statistics for a security zone.
Syntax
reset ipv6 urpf statistics security-zone zone-name
Views
User view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
zone-name: Specifies a security zone by its name, a case-insensitive string of 1 to 31 characters. The string cannot include hyphens (-).
Examples
# Clear IPv6 uRPF statistics for security zone Untrust.
<Sysname> reset ipv6 urpf statistics security-zone Untrust
Related commands
display ipv6 urpf statistics security-zone