Login
- Table of Contents
-
- 12-Security Command Reference
- 00-Preface
- 01-Keychain commands
- 02-Public key management commands
- 03-PKI commands
- 04-Crypto engine commands
- 05-SSH commands
- 06-SSL commands
- 07-Packet filter commands
- 08-DHCP snooping commands
- 09-DHCPv6 snooping commands
- 10-ARP attack protection commands
- 11-ND attack defense commands
- 12-Attack detection and prevention commands
- 13-IP-based attack prevention commands
- 14-IP source guard commands
- 15-uRPF commands
- 16-MACsec commands
- 17-TC commands
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 15-uRPF commands | 50.95 KB |
IPv4 uRPF commands
display ip urpf
Use display ip urpf to display uRPF configuration.
Syntax
display ip urpf [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies the slot number of the device, which is fixed at 1.
Examples
# Display uRPF configuration for the specified slot.
<Sysname> display ip urpf slot 1
Global uRPF configuration information(failed):
Check type: strict
Table 1 Command output
|
Field |
Description |
|
(failed) |
The system failed to deliver the uRPF configuration to the forwarding chip because of insufficient chip resources. This field is not displayed if the delivery is successful. |
|
Check type |
uRPF check mode: loose or strict. |
ip urpf
Use ip urpf to enable uRPF.
Use undo ip urpf to disable uRPF.
Syntax
ip urpf { loose | strict }
undo ip urpf
Default
uRPF is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
loose: Enables loose uRPF check. To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry.
strict: Enables strict uRPF check. To pass strict uRPF check, the source address and receiving interface of a packet must match the destination address and output interface of a FIB entry.
Usage guidelines
uRPF can be deployed on a PE connected to a CE or an ISP, or on a CE.
Configure strict uRPF check for traffic that uses symmetric path and configure loose uRPF check for traffic that uses asymmetric path. A symmetric path exists for a session if the PE uses the same interface to receive upstream traffic and send downstream traffic. The path is asymmetric if the PE uses different interfaces to receive upstream traffic and send downstream traffic.
· Typically, symmetric path applies to traffic that goes through an ISP's PE interface connected to the CE. You can configure strict uRPF check on the PE where the PE interface resides.
· Asymmetric path might exist for traffic that goes through a PE interface connected to another ISP. In this case, configure loose uRPF check on the PE where the PE interface resides.
If the specified ACL does not exist or does not contain rules, the ACL cannot match any packets.
If the vpn-instance keyword is specified in an ACL rule, the rule applies only to VPN packets. If the vpn-instance keyword is not specified in an ACL rule, the rule applies only to public network packets.
Examples
# Enable strict uRPF check globally.
<Sysname> system-view
[Sysname] ip urpf strict
Related commands
display ip urpf
