07-URPF Configuration
When configuring URPF, go to these sections for information you are interested in:
URPF Overview
What is URPF
Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks.
Attackers launch attacks by creating a series of packets with forged source addresses. For applications using IP-address-based authentication, this type of attack allows unauthorized users to access the system in the name of authorized users, or even access the system as the administrator. Even if the attackers cannot receive any response packets, the attacks are still disruptive to the attacked target.
Figure 1-1 Attack based on source address spoofing
As shown in Figure 1-1, Switch A originates a request to the server (Switch B) by sending a packet with a forged source IP address of 2.2.2.1/8, and Switch B sends a packet to Switch C at 2.2.2.1/8 in response to the request. Consequently, both Switch B and Switch C are attacked.
URPF can prevent source address spoofing attacks.
How URPF Works
The URPF processing flow is as follows:
- If the source address of a packet is found in the FIB table, URPF does a reverse lookup for the outgoing interfaces of the packet. If at least one outgoing interface matches the incoming interface, the packet passes the check. Otherwise, the packet is dropped. (Reverse lookup means looking up the outgoing interfaces of the packet with the source IP address being the destination IP address.)
- If the source address is not found in the FIB table, the packet will be discarded.
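The check described in the two steps above, sketched in Python as an added example (not H3C's implementation and not code from this manual). The FIB contents, the interface names if-A to if-E, and the use of longest-prefix match for the reverse lookup are assumptions; the 2.2.2.1 packet mirrors the spoofing case in Figure 1-1.

```python
import ipaddress

# Constructed FIB for the server-side switch: prefix -> outgoing interfaces.
# Prefixes and interface names (if-A ... if-E) are illustrative assumptions.
FIB = [(ipaddress.ip_network(p), frozenset(ifs)) for p, ifs in {
    "1.0.0.0/8": {"if-A"},
    "2.0.0.0/8": {"if-C"},
    "10.1.0.0/16": {"if-D", "if-E"},   # equal-cost paths: two outgoing interfaces
    "10.1.2.0/24": {"if-E"},           # more specific route wins the lookup
}.items()]


def reverse_lookup(fib, src):
    """Look up src as if it were a destination (longest-prefix match assumed)."""
    addr = ipaddress.ip_address(src)
    hits = [(net, ifs) for net, ifs in fib
            if net.version == addr.version and addr in net]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)


def urpf_strict(fib, src, in_if):
    """Return (verdict, reason) for a packet with source src arriving on in_if."""
    hit = reverse_lookup(fib, src)
    if hit is None:
        return "drop", "source address not found in FIB"
    net, out_ifs = hit
    if in_if in out_ifs:
        return "pass", f"{net} is reachable through {in_if}"
    return "drop", f"{net} is reachable through {sorted(out_ifs)}, not {in_if}"


# Constructed packets: (source address, incoming interface).
PACKETS = [
    ("2.2.2.1", "if-A"),    # forged source from Figure 1-1, arrives from Switch A's side
    ("2.2.2.1", "if-C"),    # same address arriving from where it really lives
    ("10.1.3.5", "if-D"),   # one of two equal-cost interfaces matches
    ("10.1.2.5", "if-D"),   # /24 points only at if-E
    ("9.9.9.9", "if-A"),    # no route back to the source
]

if __name__ == "__main__":
    for src, in_if in PACKETS:
        verdict, reason = urpf_strict(FIB, src, in_if)
        print(f"{src:<10} on {in_if}: {verdict:<4} ({reason})")
```

The 10.1.2.5 case shows why strict checking needs symmetric routing: a genuine packet is dropped when it arrives on an interface the FIB would not use to reach its source.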
Configuring URPF
Follow these steps to configure URPF:
To do... | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | –– |
Enable URPF check | ip urpf strict | Required. Disabled by default. |
After URPF is enabled on an S7500E switch, the routing table capacity on a board may decrease to half. Refer to Table 1-1 for detailed information.
Table 1-1 Routing table capacity decrease details
SRPU | LPU | Whether the routing table capacity decreases to half |
---|---|---|
LSQ1SRP1CB, LSQ1MPUA, LSQ1MPUB | SC board (with the last two letters of the model being SC, such as LSQ1GP48SC) | Yes for the SC board |
LSQ1SRP2XB, LSQ1SRPB, LSQ1CGP24TSC, LSQ1SRPD, LSQ1SRP12GB | SC board (with the last two letters of the model being SC, such as LSQ1GP48SC) | Yes for both the SC board and SRPU |
- The SC board can accommodate at most 12K IPv4 routes before URPF is enabled and 6K after it is enabled, and at most 6K IPv6 routes before URPF is enabled and 3K after it is enabled.
- On the SC board, if the number of IPv4 routes exceeds 6K or the number of IPv6 routes exceeds 3K, URPF cannot be enabled. This restriction avoids route entry loss.