Login
- Table of Contents
-
- 10-Security Command Reference
- 00-Preface
- 01-AAA commands
- 02-802.1X commands
- 03-MAC authentication commands
- 04-Portal commands
- 05-Port security commands
- 06-Password control commands
- 07-Keychain commands
- 08-Public key management commands
- 09-PKI commands
- 10-IPsec commands
- 11-SSH commands
- 12-SSL commands
- 13-Attack detection and prevention commands
- 14-TCP attack prevention commands
- 15-IP source guard commands
- 16-ARP attack protection commands
- 17-ND attack defense commands
- 18-uRPF commands
- 19-MFF commands
- 20-FIPS commands
- 21-MACsec commands
- 22-802.1X client commands
- 23-Web authentication commands
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 18-uRPF commands | 39.97 KB |
IPv4 uRPF commands
display ip urpf
Use display ip urpf to display uRPF configuration.
Syntax
In standalone mode:
display ip urpf [ slot slot-number ]
In IRF mode:
display ip urpf [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays uRPF configuration for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device or specifies a PEX. The chassis-number argument represents the member ID of the IRF member device or the virtual chassis number of the PEX. The slot-number argument represents the slot number of the card or PEX. On an IRF fabric, this command displays uRPF configuration for all cards if you do not specify a card. On an IRF 3 system, this command displays uRPF configuration for all cards and PEXs if you do not specify a card or PEX. (In IRF mode.)
Examples
# (In standalone mode.) Display uRPF configuration for the specified slot.
<Sysname> display ip urpf slot 1
Global uRPF configuration information(failed):
Check type: strict
Allow default route
Table 1 Command output
|
Field |
Description |
|
(failed) |
The system failed to deliver the uRPF configuration to the forwarding chip because of insufficient chip resources. This field is not displayed if the delivery is successful. |
|
Check type |
uRPF check mode: loose or strict. |
|
Allow default route |
Using the default route is allowed. |
ip urpf
Use ip urpf to enable uRPF.
Use undo ip urpf to disable uRPF.
Syntax
ip urpf { loose [ allow-default-route ] | strict [ allow-default-route ] }
undo ip urpf
Default
uRPF is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
loose: Enables loose uRPF check. To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry.
strict: Enables strict uRPF check. To pass strict uRPF check, the source address and receiving interface of a packet must match the destination address and output interface of a FIB entry. You can enable strict uRPF check only in VLAN interface view.
allow-default-route: Allows using the default route for uRPF check.
Usage guidelines
uRPF can be deployed on a PE connected to a CE or an ISP, or on a CE.
Configure strict uRPF check for traffic that uses symmetric path and configure loose uRPF check for traffic that uses asymmetric path. A symmetric path exists for a session if the PE uses the same interface to receive upstream traffic and send downstream traffic. The path is asymmetric if the PE uses different interfaces to receive upstream traffic and send downstream traffic.
· Typically, symmetric path applies to traffic that goes through an ISP's PE interface connected to the CE. You can configure strict uRPF check on the PE interface.
· Asymmetric path might exist for traffic that goes through a PE interface connected to another ISP. In this case, configure loose uRPF check on the PE interface.
Typically, you do not need to configure the allow-default-route keyword on a PE device, because it has no default route pointing to a CE. If you enable uRPF on a CE that has a default route pointing to the PE, specify the allow-default-route keyword.
Examples
# Enable strict uRPF check globally.
<Sysname> system-view
[Sysname] ip urpf strict
Related commands
display ip urpf
IPv6 uRPF commands
display ipv6 urpf
Use display ipv6 urpf to display IPv6 uRPF configuration.
Syntax
In standalone mode:
display ipv6 urpf [ slot slot-number ]
In IRF mode:
display ipv6 urpf [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv6 uRPF configuration for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device or specifies a PEX. The chassis-number argument represents the member ID of the IRF member device or the virtual chassis number of the PEX. The slot-number argument represents the slot number of the card or PEX. On an IRF fabric, this command displays IPv6 uRPF configuration for all cards if you do not specify a card. On an IRF 3 system, this command displays IPv6 uRPF configuration for all cards and PEXs if you do not specify a card or PEX. (In IRF mode.)
Examples
# (In standalone mode.) Display IPv6 uRPF configuration for the specified slot.
<Sysname> display ipv6 urpf slot 1
Global IPv6 uRPF configuration information(failed):
Check type: strict
Allow default route
Table 2 Command output
|
Field |
Description |
|
(failed) |
The system failed to deliver the IPv6 uRPF configuration to the forwarding chip because of insufficient chip resources. This field is not displayed if the delivery is successful. |
|
Check type |
IPv6 uRPF check mode: loose or strict. |
|
Allow default route |
Using the default route is allowed. |
ipv6 urpf
Use ipv6 urpf to enable IPv6 uRPF.
Use undo ipv6 urpf to disable IPv6 uRPF.
Syntax
ipv6 urpf { loose | strict } [ allow-default-route ]
undo ipv6 urpf
Default
IPv6 uRPF is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
loose: Enables loose IPv6 uRPF check. To pass loose IPv6 uRPF check, the source address of a packet must match the destination address of an IPv6 FIB entry.
strict: Enables strict IPv6 uRPF check. To pass strict IPv6 uRPF check, the source address and receiving interface of a packet must match the destination address and output interface of an IPv6 FIB entry.
allow-default-route: Allows using the default route for IPv6 uRPF check.
Usage guidelines
IPv6 uRPF can be deployed on a CE or on a PE connected to either a CE or an ISP.
Configure strict IPv6 uRPF check for traffic that uses symmetric path and configure loose IPv6 uRPF check for traffic that uses asymmetric path. A symmetric path exists for a session if the PE uses the same interface to receive upstream traffic and send downstream traffic. The path is asymmetric if the PE uses different interfaces to receive upstream traffic and send downstream traffic.
· Typically, symmetric path applies to traffic that goes through an ISP's PE interface connected to the CE. You can configure strict IPv6 uRPF check on the PE interface.
· Asymmetric path might exist for traffic that goes through a PE interface connected to another ISP. In this case, configure loose IPv6 uRPF check on the PE interface.
Typically, you do not need to configure the allow-default-route keyword on a PE device, because it has no default route pointing to a CE. If you enable uRPF on a CE that has a default route pointing to the PE, specify the allow-default-route keyword.
Examples
# Enable strict IPv6 uRPF check globally.
<Sysname> system-view
[Sysname] ipv6 urpf strict
Related commands
display ipv6 urpf
