- Table of Contents
-
- 14-Security Command Reference
- 00-Preface
- 01-Keychain commands
- 02-Public key management commands
- 03-PKI commands
- 04-SSH commands
- 05-SSL commands
- 06-Packet filter commands
- 07-DHCP snooping commands
- 08-DHCPv6 snooping commands
- 09-ARP attack protection commands
- 10-ND attack defense commands
- 11-Attack detection and prevention commands
- 12-uRPF commands
- 13-IP source guard commands
- 14-Crypto engine commands
- Related Documents
-
Title | Size | Download |
---|---|---|
12-uRPF commands | 47.36 KB |
IPv4 uRPF commands
display ip urpf
Use display ip urpf to display uRPF configuration.
Syntax
display ip urpf [ interface interface-type interface-number ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays uRPF configuration for all cards.
Examples
# Display uRPF configuration for the specified slot.
<Sysname> display ip urpf slot 1
Global uRPF configuration information(failed):
Check type: strict
# Display uRPF configuration on the specified interface.
<Sysname> display ip urpf interface hundredgige 1/0/1 slot 1
uRPF configuration information of interface HundredGigE1/0/1(failed):
Check type: loose
Allow default route
Suppress drop ACL: 2000
Table 1 Command output
Field |
Description |
(failed) |
The system failed to deliver the uRPF configuration to the forwarding chip because of insufficient chip resources. This field is not displayed if the delivery is successful. |
Check type |
uRPF check mode: loose or strict. |
ip urpf
Use ip urpf to enable uRPF.
Use undo ip urpf to disable uRPF.
Syntax
ip urpf { loose | strict }
undo ip urpf
Default
uRPF is disabled.
Views
System view
Interface view
Predefined user roles
network-admin
Parameters
loose: Enables loose uRPF check. To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry.
strict: Enables strict uRPF check. To pass strict uRPF check, the source address and receiving interface of a packet must match the destination address and output interface of a FIB entry. You can enable strict uRPF check only in VLAN interface view.
Usage guidelines
uRPF can be deployed on a PE connected to a CE or an ISP, or on a CE.
Configure strict uRPF check for traffic that uses symmetric path and configure loose uRPF check for traffic that uses asymmetric path. A symmetric path exists for a session if the PE uses the same interface to receive upstream traffic and send downstream traffic. The path is asymmetric if the PE uses different interfaces to receive upstream traffic and send downstream traffic.
· Typically, symmetric path applies to traffic that goes through an ISP's PE interface connected to the CE. You can configure strict uRPF check on the PE interface.
· Asymmetric path might exist for traffic that goes through a PE interface connected to another ISP. In this case, configure loose uRPF check on the PE interface.
Examples
# Enable strict uRPF check globally.
<Sysname> system-view
[Sysname] ip urpf strict
# Configure loose uRPF check on interface HundredGigE 1/0/1.
<Sysname> system-view
[Sysname] interface hundredgige 1/0/1
[Sysname-HundredGigE1/0/1] ip urpf loose
Related commands
display ip urpf