11-Security Command Reference

24-uRPF commands

IPv4 uRPF commands

display ip urpf

Use display ip urpf to display uRPF configuration.

Syntax

In standalone mode:

display ip urpf [ interface interface-type interface-number ]

In IRF mode:

display ip urpf [ interface interface-type interface-number ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays uRPF configuration for all member devices. (In IRF mode.)

Examples

# (In standalone mode.) Display uRPF configuration on the specified interface.

<Sysname> display ip urpf interface gigabitethernet 1/0

uRPF configuration information of interface GigabitEthernet1/0(failed):

   Check type: strict

   Allow default route

   Link check

   Suppress drop ACL: 3000

# (In standalone mode.) Display uRPF configuration.

<Sysname> display ip urpf

Global uRPF configuration information(failed):

   Check type: strict

   Allow default route

# (In IRF mode.) Display uRPF configuration for the specified slot.

<Sysname> display ip urpf slot 1

Global uRPF configuration information(failed):

   Check type: strict

   Allow default route

# (In IRF mode.) Display uRPF configuration on the specified interface.

<Sysname> display ip urpf interface gigabitethernet 1/0 slot 1

uRPF configuration information of interface GigabitEthernet1/0(failed):

   Check type: loose

   Allow default route

   Suppress drop ACL: 2000

Table 1 Command output

Field                  Description
(failed)               The system failed to deliver the uRPF configuration to the forwarding chip because of insufficient chip resources. This field is not displayed if the delivery is successful.
Check type             uRPF check mode: loose or strict.
Allow default route    Using the default route is allowed.
Link check             Link layer check is enabled.
Suppress drop ACL      ACL used for drop suppression.

 

ip urpf

Use ip urpf to enable uRPF.

Use undo ip urpf to disable uRPF.

Syntax

ip urpf { loose [ allow-default-route ] [ acl acl-number ] | strict [ allow-default-route ] [ acl acl-number ] [ link-check ] }

undo ip urpf

Default

uRPF is disabled.

Views

System view

Interface view

Predefined user roles

network-admin

Parameters

loose: Enables loose uRPF check. To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry.

strict: Enables strict uRPF check. To pass strict uRPF check, the source address and receiving interface of a packet must match the destination address and output interface of a FIB entry. You can enable strict uRPF check only in VLAN interface view.

allow-default-route: Allows using the default route for uRPF check.

acl acl-number: Specifies an ACL by its number.

·     For a basic ACL, the value range is 2000 to 2999.

·     For an advanced ACL, the value range is 3000 to 3999.

link-check: Enables link layer check (Ethernet link).

Usage guidelines

uRPF can be deployed on a PE connected to a CE or an ISP, or on a CE.

Configure strict uRPF check for traffic that uses a symmetric path and loose uRPF check for traffic that uses an asymmetric path. A symmetric path exists for a session if the PE uses the same interface to receive upstream traffic and send downstream traffic. The path is asymmetric if the PE uses different interfaces to receive upstream traffic and send downstream traffic.

·     Typically, a symmetric path applies to traffic that goes through an ISP's PE interface connected to the CE. You can configure strict uRPF check on the PE interface.

·     An asymmetric path might exist for traffic that goes through a PE interface connected to another ISP. In this case, configure loose uRPF check on the PE interface.

Typically, you do not need to configure the allow-default-route keyword on a PE device, because it has no default route pointing to a CE. If you enable uRPF on a CE interface and the CE interface has a default route pointing to the PE, specify the allow-default-route keyword.

You can use an ACL to match specific packets, so they are forwarded even if they fail to pass uRPF check.

If a Layer 3 PE interface connects to a large number of PCs, configure the link-check keyword on the interface to enable link layer check. With link layer check enabled, uRPF checks the validity of the source MAC address.

Examples

# Enable strict uRPF check globally.

<Sysname> system-view

[Sysname] ip urpf strict

# Configure loose uRPF check on interface GigabitEthernet 1/0.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0

[Sysname-GigabitEthernet1/0] ip urpf loose

Related commands

display ip urpf


IPv6 uRPF commands

display ipv6 urpf

Use display ipv6 urpf to display IPv6 uRPF configuration.

Syntax

In standalone mode:

display ipv6 urpf [ interface interface-type interface-number ]

In IRF mode:

display ipv6 urpf [ interface interface-type interface-number ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IPv6 uRPF configuration for all member devices. (In IRF mode.)

Examples

# (In standalone mode.) Display IPv6 uRPF configuration on the specified interface.

<Sysname> display ipv6 urpf interface gigabitethernet 1/0

IPv6 uRPF configuration information of interface GigabitEthernet1/0(failed):

   Check type: loose

   Allow default route

   Suppress drop ACL: 2000

# (In standalone mode.) Display IPv6 uRPF configuration.

<Sysname> display ipv6 urpf

Global IPv6 uRPF configuration information(failed):

   Check type: strict

   Allow default route

# (In IRF mode.) Display IPv6 uRPF configuration for the specified slot.

<Sysname> display ipv6 urpf slot 1

Global IPv6 uRPF configuration information(failed):

   Check type: strict

   Allow default route

# (In IRF mode.) Display IPv6 uRPF configuration on the specified interface.

<Sysname> display ipv6 urpf interface gigabitethernet 1/0 slot 1

IPv6 uRPF configuration information of interface GigabitEthernet1/0(failed):

   Check type: loose

   Allow default route

   Suppress drop ACL: 2000

Table 2 Command output

Field                  Description
(failed)               The system failed to deliver the IPv6 uRPF configuration to the forwarding chip because of insufficient chip resources. This field is not displayed if the delivery is successful.
Check type             IPv6 uRPF check mode: loose or strict.
Allow default route    Using the default route is allowed.
Suppress drop ACL      IPv6 ACL used for drop suppression.
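
The output fields described in Table 1 and Table 2 can be audited automatically. The following Python sketch is an added example, not H3C code: it parses display ip urpf and display ipv6 urpf output and reports blocks whose configuration was not delivered to the forwarding chip or whose drops are suppressed by an ACL. The sample text, the interface GigabitEthernet2/0 and the function names are constructed for illustration.

```python
import re

# Constructed sample in the format of the display examples on this page.
SAMPLE = """\
Global uRPF configuration information:
   Check type: strict
uRPF configuration information of interface GigabitEthernet1/0(failed):
   Check type: loose
   Allow default route
   Suppress drop ACL: 2000
IPv6 uRPF configuration information of interface GigabitEthernet2/0:
   Check type: strict
"""

HEADER = re.compile(
    r"^(?:Global )?(IPv6 )?uRPF configuration information"
    r"(?: of interface (\S+?))?(\(failed\))?:\s*$")

def parse_urpf(text):
    """Parse display ip/ipv6 urpf output into one dict per block."""
    blocks = []
    for line in text.splitlines():
        item = line.strip()
        m = HEADER.match(item)
        if m:
            blocks.append({"family": "ipv6" if m.group(1) else "ipv4",
                           "scope": m.group(2) or "global",
                           "failed": bool(m.group(3)), "check_type": None,
                           "allow_default_route": False, "link_check": False,
                           "suppress_acl": None})
        elif blocks and item.startswith("Check type:"):
            blocks[-1]["check_type"] = item.split(":", 1)[1].strip()
        elif blocks and item == "Allow default route":
            blocks[-1]["allow_default_route"] = True
        elif blocks and item == "Link check":
            blocks[-1]["link_check"] = True
        elif blocks and item.startswith("Suppress drop ACL:"):
            blocks[-1]["suppress_acl"] = int(item.split(":", 1)[1])
    return blocks

def findings(blocks):
    """List blocks to review: undelivered configuration and ACL exemptions."""
    out = []
    for b in blocks:
        where = (b["family"], b["scope"])
        if b["failed"]:
            out.append(where + ("not delivered to forwarding chip",))
        if b["suppress_acl"] is not None:
            out.append(where + (f"drops suppressed by ACL {b['suppress_acl']}",))
    return out
```
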

 

ipv6 urpf

Use ipv6 urpf to enable IPv6 uRPF.

Use undo ipv6 urpf to disable IPv6 uRPF.

Syntax

ipv6 urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]

undo ipv6 urpf

Default

IPv6 uRPF is disabled.

Views

System view

Interface view

Predefined user roles

network-admin

Parameters

loose: Enables loose IPv6 uRPF check. To pass loose IPv6 uRPF check, the source address of a packet must match the destination address of an IPv6 FIB entry.

strict: Enables strict IPv6 uRPF check. To pass strict IPv6 uRPF check, the source address and receiving interface of a packet must match the destination address and output interface of an IPv6 FIB entry.

allow-default-route: Allows using the default route for IPv6 uRPF check.

acl acl-number: Specifies an IPv6 ACL by its number.

·     For a basic IPv6 ACL, the value range is 2000 to 2999.

·     For an advanced IPv6 ACL, the value range is 3000 to 3999.

Usage guidelines

IPv6 uRPF can be deployed on a CE or on a PE connected to either a CE or an ISP.

Configure strict IPv6 uRPF check for traffic that uses a symmetric path and loose IPv6 uRPF check for traffic that uses an asymmetric path. A symmetric path exists for a session if the PE uses the same interface to receive upstream traffic and send downstream traffic. The path is asymmetric if the PE uses different interfaces to receive upstream traffic and send downstream traffic.

·     Typically, a symmetric path applies to traffic that goes through an ISP's PE interface connected to the CE. You can configure strict IPv6 uRPF check on the PE interface.

·     An asymmetric path might exist for traffic that goes through a PE interface connected to another ISP. In this case, configure loose IPv6 uRPF check on the PE interface.

You can use an ACL to match specific packets, so they are forwarded even if they fail to pass IPv6 uRPF check.

Typically, you do not need to configure the allow-default-route keyword on a PE device, because it has no default route pointing to a CE. If you enable uRPF on a CE interface and the CE interface has a default route pointing to the PE, specify the allow-default-route keyword.
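
The loose and strict checks, the allow-default-route keyword and ACL drop suppression described for ip urpf and ipv6 urpf can be modeled in a few lines. The following Python sketch is an added example, not H3C code. It assumes a constructed FIB with shortened interface labels (GE1/0, GE2/0), treats a source covered only by the default route as failing the check unless allow-default-route is set, represents the ACL as a list of source prefixes, and does not model link-check.

```python
import ipaddress

# Constructed FIB (prefix, output interface); not taken from any device.
FIB = [
    ("0.0.0.0/0", "GE1/0"),         # default route toward the upstream
    ("10.1.1.0/24", "GE2/0"),       # customer prefix behind GE2/0
    ("2001:db8:1::/48", "GE2/0"),   # customer IPv6 prefix
]

def in_net(addr, prefix):
    net = ipaddress.ip_network(prefix)
    return net.version == addr.version and addr in net

def lookup(addr):
    """Longest-prefix match; returns (prefixlen, out_if) or None."""
    hits = [(ipaddress.ip_network(p).prefixlen, i) for p, i in FIB if in_net(addr, p)]
    return max(hits) if hits else None

def urpf_check(src, in_if, mode, allow_default_route=False, suppress_acl=()):
    """Return 'forward' or 'drop' for a packet from src received on in_if.

    suppress_acl stands in for 'acl acl-number': source prefixes that are
    forwarded even when the uRPF check fails (a simplification of a real ACL).
    """
    addr = ipaddress.ip_address(src)
    hit = lookup(addr)
    passed = hit is not None
    if passed and hit[0] == 0 and not allow_default_route:
        passed = False      # only the default route covers the source
    if passed and mode == "strict" and hit[1] != in_if:
        passed = False      # FIB output interface is not the receiving one
    if passed or any(in_net(addr, p) for p in suppress_acl):
        return "forward"
    return "drop"
```

In this model a packet with source 10.1.1.5 arriving on GE1/0 passes the loose check but fails the strict check, which is why the guidelines above reserve strict mode for symmetric paths.
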

Examples

# Enable strict IPv6 uRPF check globally.

<Sysname> system-view

[Sysname] ipv6 urpf strict

# Configure loose IPv6 uRPF check on interface GigabitEthernet 1/0.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0

[Sysname-GigabitEthernet1/0] ipv6 urpf loose

Related commands

display ipv6 urpf