Login
- Table of Contents
-
- 11-Security Command Reference
- 00-Preface
- 01-AAA commands
- 02-802.1X commands
- 03-MAC authentication commands
- 04-Portal commands
- 05-Web authentication commands
- 06-Port security commands
- 07-User profile commands
- 08-Password control commands
- 09-Keychain commands
- 10-Public key management commands
- 11-PKI commands
- 12-IPsec commands
- 13-SSH commands
- 14-SSL commands
- 15-Object group commands
- 16-Attack detection and prevention commands
- 17-TCP attack prevention commands
- 18-IP source guard commands
- 19-ARP attack protection commands
- 20-ND attack defense commands
- 21-uRPF commands
- 22-SAVI commands
- 23-SAVA commands
- 24-MFF commands
- 25-Crypto engine commands
- 26-FIPS commands
- 27-MACsec commands
- 28-Microsegmentation commands
- 29-IP-SGT mapping commands
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 21-uRPF commands | 61.98 KB |
IPv4 uRPF commands
display ip urpf
Use display ip urpf to display uRPF configuration.
Syntax
display ip urpf [ interface interface-type interface-number ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays uRPF configuration on the master device.
Examples
# Display uRPF configuration for the specified slot.
<Sysname> display ip urpf slot 1
Global uRPF configuration information(failed):
Check type: strict
Allow default route
# Display uRPF configuration on the specified interface.
<Sysname> display ip urpf interface vlan-interface 10 slot 1
uRPF configuration information of interface Vlan-interface10(failed):
Check type: loose
Allow default route
Suppress drop ACL: 2000
Table 1 Command output
|
Field |
Description |
|
(failed) |
The system failed to deliver the uRPF configuration to the forwarding chip because of insufficient chip resources. This field is not displayed if the delivery is successful. |
|
Check type |
uRPF check mode: loose or strict. |
|
Allow default route |
Using the default route is allowed. |
|
Link check |
Link layer check is enabled. |
ip urpf
Use ip urpf to enable uRPF.
Use undo ip urpf to disable uRPF.
Syntax
ip urpf { loose [ allow-default-route ] | strict [ allow-default-route ] }
undo ip urpf
Default
uRPF is disabled.
Views
System view
Layer 3 interface view
Predefined user roles
network-admin
Parameters
loose: Enables loose uRPF check. To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry.
strict: Enables strict uRPF check. To pass strict uRPF check, the source address and receiving interface of a packet must match the destination address and output interface of a FIB entry.
allow-default-route: Allows using the default route for uRPF check.
Usage guidelines
|
|
CAUTION: This command is not supported on Layer 2 interfaces. If you configure this command in Layer 2 interface view, the uRPF configuration will take effect in system view. |
uRPF can be deployed on a PE connected to a CE or an ISP, or on a CE.
You cannot enable both strict uRPF check and loose IPv6 uRPF check or loose uRPF check and strict IPv6 uRPF check on an interface.
You cannot enable uRPF on a VSI interface or a tunnel interface.
Examples
# Enable strict uRPF check globally.
<Sysname> system-view
[Sysname] ip urpf strict
# Configure loose uRPF check on VLAN-interface 10.
<Sysname> system-view
[Sysname] interface vlan-interface 10
[Sysname-Vlan-interface10] ip urpf loose
Related commands
display ip urpf
IPv6 uRPF commands
display ipv6 urpf
Use display ipv6 urpf to display IPv6 uRPF configuration.
Syntax
display ipv6 urpf [ interface interface-type interface-number ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IPv6 uRPF configuration on the master device.
Examples
# Display IPv6 uRPF configuration for the specified slot.
<Sysname> display ipv6 urpf slot 1
Global IPv6 uRPF configuration information(failed):
Check type: strict
Allow default route
# Display IPv6 uRPF configuration on the specified interface.
<Sysname> display ipv6 urpf interface vlan-interface 10 slot 1
IPv6 uRPF configuration information of interface Vlan-interface10(failed):
Check type: loose
Allow default route
Suppress drop ACL: 2000
Table 2 Command output
|
Field |
Description |
|
(failed) |
The system failed to deliver the IPv6 uRPF configuration to the forwarding chip because of insufficient chip resources. This field is not displayed if the delivery is successful. |
|
Check type |
IPv6 uRPF check mode: loose or strict. |
|
Allow default route |
Using the default route is allowed. |
ipv6 urpf
Use ipv6 urpf to enable IPv6 uRPF.
Use undo ipv6 urpf to disable IPv6 uRPF.
Syntax
ipv6 urpf { loose | strict } [ allow-default-route ]
undo ipv6 urpf
Default
IPv6 uRPF is disabled.
Views
System view
Layer 3 interface view
Predefined user roles
network-admin
Parameters
loose: Enables loose IPv6 uRPF check. To pass loose IPv6 uRPF check, the source address of a packet must match the destination address of an IPv6 FIB entry.
strict: Enables strict IPv6 uRPF check. To pass strict IPv6 uRPF check, the source address and receiving interface of a packet must match the destination address and output interface of an IPv6 FIB entry.
allow-default-route: Allows using the default route for IPv6 uRPF check.
Usage guidelines
|
|
CAUTION: This command is not supported on Layer 2 interfaces. If you configure this command in Layer 2 interface view, the IPv6 uRPF configuration will take effect in system view. |
IPv6 uRPF can be deployed on a CE or on a PE connected to either a CE or an ISP.
You cannot enable both strict IPv6 uRPF check and loose uRPF check or loose IPv6 uRPF check and strict uRPF check on an interface.
You cannot enable IPv6 uRPF on a VSI interface or a tunnel interface.
Examples
# Enable strict IPv6 uRPF check globally.
<Sysname> system-view
[Sysname] ipv6 urpf strict
# Configure loose IPv6 uRPF check on VLAN-interface 10.
<Sysname> system-view
[Sysname] interface vlan-interface 10
[Sysname-Vlan-interface10] ipv6 urpf loose
Related commands
display ipv6 urpf
