H3C S9500 Operation Manual-Release1648[v1.24]-02 IP Services Volume

Chapter 1  URPF Configuration

When configuring URPF, go to these sections for information you are interested in:

• URPF Overview

• Configuring URPF

• URPF Configuration Examples

 

Note:

The service processor boards mentioned in the chapter refer to LSB1NAMB0 boards.

 

1.1  URPF Overview

Unicast reverse path forwarding (URPF) is a safeguard against source address spoofing attacks.

In general, a routing switch forwards packets according to their destination address: if it finds a route to the destination, it forwards the packet; otherwise it discards the packet.

With URPF enabled, the switch also records the source address and the incoming interface of each packet, and then looks up the source address in the routing table as if it were a destination. If the outgoing interface of the matching route is not the interface on which the packet arrived, the switch assumes the source address is forged and discards the packet. Because the check compares the incoming interface with the route's outgoing interface, it only gives correct results on interfaces where traffic is routed symmetrically: a legitimate packet that arrives over a path different from the one the switch would use to reach its source is dropped as well.

URPF cannot stop an attacker from forging source addresses, but it stops forged packets from being forwarded and answered. The following figure shows the common attack pattern.

Figure 1-1 Source address spoofing attacks

An attacker on the Switch A side forges packets with source address 2.1.1.1 and sends a request to the server behind Switch B. If Switch B does not perform the URPF check, it answers the request by sending packets to 2.1.1.1, so the forged packets burden Switch B and, through the replies to 2.1.1.1, Switch C. With URPF enabled on the interface of Switch B that faces Switch A, the route back to 2.1.1.1 does not point at that interface, so the forged request is discarded before it is answered.
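The check described above, as an added example that is not part of the H3C manual: a small Python model of strict URPF against a constructed routing table for Switch B. It looks up the packet's source address as if it were a destination (longest-prefix match) and passes the packet only when the route's outgoing interface is the interface the packet arrived on, which drops the forged 2.1.1.1 request from the figure. The prefixes, interface names, sample packets and the allow_default option are assumptions made for illustration; the option goes beyond what the manual describes and is included because a default route would otherwise validate every unknown source address arriving on the upstream interface.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]

# Constructed routing table for Switch B: (prefix, outgoing interface).
# Vlan-interface100 faces Switch A, Vlan-interface200 faces Switch C,
# Vlan-interface300 is an assumed upstream link carrying the default route.
ROUTES: List[Route] = [
    (ipaddress.ip_network("1.1.1.0/24"), "Vlan-interface100"),
    (ipaddress.ip_network("2.1.1.0/24"), "Vlan-interface200"),
    (ipaddress.ip_network("10.10.10.0/24"), "Vlan-interface1000"),
    (ipaddress.ip_network("0.0.0.0/0"), "Vlan-interface300"),
]


def lookup(address: str, routes: List[Route] = ROUTES) -> Optional[Route]:
    """Longest-prefix match for an address; None if no route covers it."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)


def urpf_strict(src: str, in_iface: str, routes: List[Route] = ROUTES,
                allow_default: bool = False) -> Tuple[bool, str]:
    """Strict URPF as the manual describes it: the source address is looked
    up as if it were a destination, and the packet passes only when the
    route's outgoing interface is the interface the packet arrived on.

    allow_default is an assumption beyond the manual: a match on 0.0.0.0/0
    alone would vouch for every source arriving on the upstream interface,
    so it is rejected unless the caller opts in.
    """
    route = lookup(src, routes)
    if route is None:
        return False, "no route to source"
    prefix, out_iface = route
    if prefix.prefixlen == 0 and not allow_default:
        return False, "source matched only the default route"
    if out_iface != in_iface:
        return False, f"reverse path is {out_iface}, packet arrived on {in_iface}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed traffic as seen by Switch B.
    samples = [
        ("1.1.1.7", "Vlan-interface100"),  # genuine host behind Switch A
        ("2.1.1.1", "Vlan-interface100"),  # forged source from the Switch A side (Figure 1-1)
        ("2.1.1.1", "Vlan-interface200"),  # the real 2.1.1.1, arriving from Switch C
        ("2.1.1.5", "Vlan-interface300"),  # legitimate but asymmetric path: strict mode drops it
        ("8.8.8.8", "Vlan-interface300"),  # covered only by the default route
    ]
    for src, iface in samples:
        ok, why = urpf_strict(src, iface)
        print(f"{src:>10} on {iface:<18} {'PASS' if ok else 'DROP'} ({why})")
```

The fourth sample is the caveat from the overview: a host in 2.1.1.0/24 whose packets arrive over the upstream link is dropped even though it is genuine, so strict URPF belongs on interfaces with symmetric routing, such as customer or access-facing VLAN interfaces.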

1.2  Configuring URPF

The following section describes the URPF configuration tasks:

• Configure packet redirection

• Enable URPF on a VLAN interface

• Display configuration information

• Clear the URPF statistics counters to zero

Use the urpf enable command in VLAN interface view to enable URPF on a VLAN interface and to specify the slot of the service processor board that performs the check. Then, in Ethernet port view, configure traffic redirection so that the packets to be checked are redirected to that service processor board; without the redirection, no traffic reaches the board and nothing is checked.

 

  Caution:

Because URPF and virtual private LAN service (VPLS) are mutually exclusive, you cannot enable both URPF and VPLS on the same VLAN interface.

 

After enabling URPF on a VLAN interface, use the display urpf command to view the configuration. If the service processor board specified in the urpf enable command is installed in that slot, the output also includes the URPF statistics for the interface.

On a VLAN interface that has run with URPF enabled for a long time, the statistics counters grow large. Use the reset urpf statistic command to clear the per-interface counts of received and rejected packets; the URPF statistics counters are reset to zero.

Follow these steps to enable URPF on a VLAN interface and to specify the service processor board (LSB1NAMB0) that performs the check:

To do: Enter system view
Use the command: system-view

To do: Enter Ethernet port view
Use the command: interface ethernetX/1/X

To do: Configure packet redirection
Use the command: traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] | link-group { acl-number | acl-name } rule rule ] slot slotnum designated-vlan vlan-id
Remarks: Required. The service processor board does not currently support multicast, so the ACL must keep multicast packets from being redirected to it.

To do: Quit to system view
Use the command: quit

To do: Enter VLAN interface view
Use the command: interface vlan-interface vlan-id

To do: Enable URPF on the VLAN interface
Use the command: urpf enable to slot slotid
Remarks: Required. Execute it in VLAN interface view and specify the slot of the service processor board that performs the URPF check. By default, URPF is disabled.

To do: Display configuration information
Use the command: display urpf

To do: Clear the URPF statistics counters to zero
Use the command: reset urpf statistic

 

Note:

• In access control lists, traffic redirection applies only to rules whose action is permit.

• When configuring the traffic-redirect command, the ACL must prevent multicast packets from being redirected to the service processor board, which does not support multicast.

 

1.3  URPF Configuration Examples

1.3.1  Example I

I. Network requirements

Unlike routers, switches enable URPF on VLAN interfaces and configure only packet redirection on each physical port. Packets to be checked are redirected to the service processor board, which runs the URPF check on them and then forwards or discards them.

II. Network diagram

Figure 1-2 Network diagram for URPF configuration

III. Configuration procedure

On Switch B, assume that the service processor board is installed in slot 5 and that ordinary access boards are installed in slots 3 and 6.

# Configure VLAN 1000 and its VLAN interface.

[H3C] vlan 1000

[H3C-vlan1000] port Ethernet 3/1/30

[H3C-vlan1000] port GigabitEthernet 6/1/2

[H3C-vlan1000] quit

[H3C] interface vlan-interface 1000

[H3C-Vlan-interface1000] ip address 10.10.10.1 24

[H3C-Vlan-interface1000] quit

# Configure flow templates. The user-defined flow template of the two access boards in slot 3 and slot 6 extracts the destination MAC address and the Ethernet protocol field of each packet.

[H3C] flow-template user-defined slot 3 dmac 00-00-00 ethernet-protocol

[H3C] flow-template user-defined slot 6 dmac 00-00-00 ethernet-protocol

# Create a Layer 2 ACL.

[H3C] acl number 4000

# Define a rule that permits IP packets whose destination MAC address is that of the VLAN interface (01-02-03 in this example).

[H3C-acl-link-4000] rule 0 permit ip egress 01-02-03 00-00-00

[H3C-acl-link-4000] quit

# Apply the flow template and configure packet redirection on each Ethernet port, redirecting the matched packets to the service processor board in slot 5 with VLAN 1000 as the designated VLAN.

[H3C] interface ethernet 3/1/30

[H3C-Ethernet3/1/30] flow-template user-defined

[H3C-Ethernet3/1/30] traffic-redirect inbound link-group 4000 slot 5 designated-vlan 1000

[H3C-Ethernet3/1/30] quit

[H3C] interface GigabitEthernet 6/1/2

[H3C-GigabitEthernet6/1/2] flow-template user-defined

[H3C-GigabitEthernet6/1/2] traffic-redirect inbound link-group 4000 slot 5 designated-vlan 1000

[H3C-GigabitEthernet6/1/2] quit

# Enable URPF on VLAN interface 1000, using the service processor board in slot 5 for the check.

[H3C] interface vlan-interface 1000

[H3C-Vlan-interface1000] urpf enable to slot 5

1.3.2  Example II

I. Network requirements

The service processor board (NAM board) is installed in slot 5.

Create two VLAN interfaces, VLAN-interface 1000 and VLAN-interface 1001, enable URPF on both, and use the service processor board in slot 5 to perform the URPF check.

Port Ethernet 6/1/1 is a trunk port permitting the packets of VLAN 1000 and VLAN 1001.

Port Ethernet 6/1/1 must perform the URPF check on the packets of both VLAN 1000 and VLAN 1001.

II. Network diagram

Figure 1-3 Network diagram for URPF

III. Configuration procedure

# Create the VLANs and configure Ethernet 6/1/1 as a trunk port permitting VLAN 1000 and VLAN 1001 (the two port commands are not in the original example and are added to match the network requirements).

[H3C] vlan 1000

[H3C-vlan1000] vlan 1001

[H3C-vlan1001] quit

[H3C] interface ethernet 6/1/1

[H3C-Ethernet6/1/1] port link-type trunk

[H3C-Ethernet6/1/1] port trunk permit vlan 1000 1001

[H3C-Ethernet6/1/1] quit

# Configure the VLAN interfaces.

[H3C] interface vlan-interface 1000

[H3C-Vlan-interface1000] ip address 10.10.10.1 24

[H3C-Vlan-interface1000] interface vlan-interface 1001

[H3C-Vlan-interface1001] ip address 11.11.11.1 24

# Enable URPF on both VLAN interfaces, using the service processor board in slot 5 for the check.

[H3C-Vlan-interface1001] interface vlan-interface 1000

[H3C-Vlan-interface1000] urpf enable to slot 5

[H3C-Vlan-interface1000] interface vlan-interface 1001

[H3C-Vlan-interface1001] urpf enable to slot 5

[H3C-Vlan-interface1001] quit

# Create a Layer 2 ACL.

[H3C] acl number 4000

# Permit IP packets entering on VLAN 1000 whose destination MAC address is the interface MAC 000f-e239-a9b8.

[H3C-acl-link-4000] rule 0 permit ip ingress 1000 egress 000f-e239-a9b8 0000-0000-0000

# Permit IP packets entering on VLAN 1001 with the same destination MAC address.

[H3C-acl-link-4000] rule 1 permit ip ingress 1001 egress 000f-e239-a9b8 0000-0000-0000

[H3C-acl-link-4000] quit

# Configure a user-defined flow template for the access board in slot 6 that extracts the VLAN ID, the Ethernet protocol field and the destination MAC address.

[H3C] flow-template user-defined slot 6 vlanid ethernet-protocol dmac 00-00-00

# Apply the flow template on port Ethernet 6/1/1 and configure traffic redirection, one rule per VLAN, to the service processor board in slot 5.

[H3C] interface ethernet 6/1/1

[H3C-Ethernet6/1/1] flow-template user-defined

[H3C-Ethernet6/1/1] traffic-redirect inbound link-group 4000 rule 0 slot 5 designated-vlan 1000

[H3C-Ethernet6/1/1] traffic-redirect inbound link-group 4000 rule 1 slot 5 designated-vlan 1001

Note that the ingress VLAN ID in each rule of ACL 4000 must be the same as the designated VLAN specified in the traffic-redirect command that references that rule; on a trunk port the URPF check is performed per VLAN.
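The procedure in section 1.2 and the note above together impose three consistency rules on a working configuration: redirection is only valid for permit rules, the ingress VLAN in an ACL rule must equal the designated VLAN of the traffic-redirect command that references it, and the redirected packets must reach the slot on which the designated VLAN interface runs its URPF check (every example on this page points both commands at the same slot; treating a mismatch as an error is an assumption of this checker). The following script is an added example, not part of the manual or of H3C's software: it parses a constructed configuration fragment written in the style of the commands on this page (the running-configuration layout, the interface names and the deliberate mistakes are assumptions) and reports each violation.

```python
# Added example (not H3C code): checks a URPF redirect configuration against
# the consistency rules stated in this chapter. The config layout, interface
# names and the mistakes in SAMPLE_CONFIG are constructed assumptions.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed fragment mirroring Example II, with deliberate mistakes: rule 1
# is redirected to the wrong designated VLAN, rule 2 is a deny rule, rule 3
# does not exist, and Vlan-interface1002 runs URPF on a different slot.
SAMPLE_CONFIG = """\
acl number 4000
 rule 0 permit ip ingress 1000 egress 000f-e239-a9b8 0000-0000-0000
 rule 1 permit ip ingress 1001 egress 000f-e239-a9b8 0000-0000-0000
 rule 2 deny ip ingress 1002
interface Ethernet6/1/1
 traffic-redirect inbound link-group 4000 rule 0 slot 5 designated-vlan 1000
 traffic-redirect inbound link-group 4000 rule 1 slot 5 designated-vlan 1002
 traffic-redirect inbound link-group 4000 rule 2 slot 6 designated-vlan 1002
 traffic-redirect inbound link-group 4000 rule 3 slot 5 designated-vlan 1000
interface Vlan-interface1000
 urpf enable to slot 5
interface Vlan-interface1002
 urpf enable to slot 6
"""

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    ingress_vlan: Optional[int]  # VLAN from "ingress <id>", if present

@dataclass
class Redirect:
    port: str
    acl: str
    rule: Optional[int]  # None: the whole ACL is referenced
    slot: int            # service processor board slot
    vlan: int            # designated-vlan

@dataclass
class Parsed:
    acls: Dict[str, Dict[int, Rule]] = field(default_factory=dict)
    redirects: List[Redirect] = field(default_factory=list)
    urpf_slot: Dict[int, int] = field(default_factory=dict)  # VLAN id -> slot

ACL_RE = re.compile(r"^acl number (\S+)")
RULE_RE = re.compile(r"^rule (\d+) (permit|deny)\b(.*)$")
IFACE_RE = re.compile(r"^interface (\S+)", re.IGNORECASE)
REDIR_RE = re.compile(r"^traffic-redirect inbound link-group (\S+)(?: rule (\d+))? slot (\d+) designated-vlan (\d+)")
URPF_RE = re.compile(r"^urpf enable to slot (\d+)")
VLANIF_RE = re.compile(r"^vlan-interface\s*(\d+)$", re.IGNORECASE)

def parse(config: str) -> Parsed:
    """Single pass over the config, tracking the current ACL or interface view."""
    parsed = Parsed()
    acl: Optional[str] = None
    iface: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acl, iface = m.group(1), None
            parsed.acls.setdefault(acl, {})
        elif m := IFACE_RE.match(line):
            iface, acl = m.group(1), None
        elif (m := RULE_RE.match(line)) and acl is not None:
            ing = re.search(r"\bingress (\d+)", m.group(3))
            parsed.acls[acl][int(m.group(1))] = Rule(m.group(2), int(ing.group(1)) if ing else None)
        elif (m := REDIR_RE.match(line)) and iface is not None:
            parsed.redirects.append(Redirect(iface, m.group(1), int(m.group(2)) if m.group(2) else None,
                                             int(m.group(3)), int(m.group(4))))
        elif (m := URPF_RE.match(line)) and iface is not None:
            if v := VLANIF_RE.match(iface):
                parsed.urpf_slot[int(v.group(1))] = int(m.group(1))
    return parsed

def check(parsed: Parsed) -> List[str]:
    """Apply the chapter's consistency rules to every traffic-redirect command."""
    problems: List[str] = []
    for r in parsed.redirects:
        where = f"{r.port} link-group {r.acl} rule {'all' if r.rule is None else r.rule}"
        rules = parsed.acls.get(r.acl)
        if rules is None:
            problems.append(f"{where}: ACL {r.acl} is not defined")
            continue
        for n in ([r.rule] if r.rule is not None else sorted(rules)):
            rule = rules.get(n)
            if rule is None:
                problems.append(f"{where}: rule {n} does not exist in ACL {r.acl}")
            elif rule.action != "permit":
                problems.append(f"{where}: redirection is only valid for permit rules (rule {n} is {rule.action})")
            elif rule.ingress_vlan is not None and rule.ingress_vlan != r.vlan:
                problems.append(f"{where}: rule {n} matches ingress VLAN {rule.ingress_vlan} but designated-vlan is {r.vlan}")
        slot = parsed.urpf_slot.get(r.vlan)
        if slot is None:
            problems.append(f"{where}: URPF is not enabled on Vlan-interface{r.vlan}")
        elif slot != r.slot:
            problems.append(f"{where}: packets go to slot {r.slot} but Vlan-interface{r.vlan} runs URPF on slot {slot}")
    return problems

if __name__ == "__main__":
    for problem in check(parse(SAMPLE_CONFIG)) or ["configuration is consistent"]:
        print(problem)
```

Run against the fragment above, the checker reports four problems: the VLAN mismatch on rule 1, the slot mismatch for Vlan-interface1002, the deny action on rule 2, and the reference to the nonexistent rule 3. A redirect without a rule keyword (as in Example I) is checked against every rule in the ACL.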