- Table of Contents
-
- 09-Security Command Reference
- 00-Preface
- 01-AAA commands
- 02-Password control commands
- 03-Keychain commands
- 04-Public key management commands
- 05-PKI commands
- 06-IPsec commands
- 07-SSH commands
- 08-SSL commands
- 09-Attack detection and prevention commands
- 10-IP source guard commands
- 11-ARP attack protection commands
- 12-ND attack defense commands
- 13-uRPF commands
- 14-Crypto engine commands
- Related Documents
-
Title | Size | Download |
---|---|---|
13-uRPF commands | 47.77 KB |
IPv4 uRPF commands
display ip urpf
Use display ip urpf to display uRPF configuration.
Syntax
display ip urpf [ interface interface-type interface-number ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays uRPF configuration for all cards.
Examples
# Display uRPF configuration on the specified interface.
<Sysname> display ip urpf interface hundredgige 1/0/1 slot 1
uRPF configuration information of interface HundredGigE1/0/1(failed):
Check type: loose
# Display uRPF configuration for the specified slot.
<Sysname> display ip urpf slot 1
Global uRPF configuration information(failed):
Check type: strict
Table 1 Command output
Field |
Description |
Global uRPF configuration information |
Information about global uRPF configuration. |
uRPF configuration information of interface |
Information about interface-specific uRPF configuration. |
(failed) |
The system failed to deliver the uRPF configuration to the forwarding chip because of insufficient chip resources. This field is not displayed if the delivery is successful. |
Check type |
uRPF check mode: loose or strict. |
ip urpf
Use ip urpf to enable uRPF.
Use undo ip urpf to disable uRPF.
Syntax
ip urpf { loose | strict }
undo ip urpf
Default
uRPF is disabled.
Views
System view
Interface view
Predefined user roles
network-admin
Parameters
loose: Enables loose uRPF check. To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry.
strict: Enables strict uRPF check. To pass strict uRPF check, the source address and receiving interface of a packet must match the destination address and output interface of a FIB entry.
Usage guidelines
uRPF can be deployed on a PE connected to a CE or an ISP, or on a CE.
Configure strict uRPF check for traffic that uses symmetric path and configure loose uRPF check for traffic that uses asymmetric path. A symmetric path exists for a session if the PE uses the same interface to receive upstream traffic and send downstream traffic. The path is asymmetric if the PE uses different interfaces to receive upstream traffic and send downstream traffic.
· Typically, symmetric path applies to traffic that goes through an ISP's PE interface connected to the CE. You can configure strict uRPF check on the PE interface or for the security zone to which the PE interface belongs.
· Asymmetric path might exist for traffic that goes through a PE interface connected to another ISP. In this case, configure loose uRPF check on the PE interface or for the security zone to which the PE interface belongs.
Examples
# Enable strict uRPF check globally.
<Sysname> system-view
[Sysname] ip urpf strict
# Configure loose uRPF check on interface HundredGigE 1/0/1.
<Sysname> system-view
[Sysname] interface hundredgige 1/0/1
[Sysname-HundredGigE1/0/1] ip urpf loose
Related commands
display ip urpf