
Configuring URPF Check

Context

A Denial of Service (DoS) attack prevents users from connecting to a server. A DoS attack aims to occupy as many resources as possible by sending a large number of connection requests to a specified server, so that the attacked server cannot respond to authorized users.

URPF looks up the route to the source IP address of a packet in the routing table and checks whether the inbound interface of the packet is the same as the outbound interface of that route. If the routing table has no route to the source IP address of the packet, or the inbound interface of the packet differs from the outbound interface of the route, the packet is discarded. This prevents IP spoofing attacks, especially DoS attacks that use bogus source IP addresses.

In a complicated networking environment, asymmetric routes may exist. That is, the route from the local end to the remote end and the route from the remote end to the local end are different. A URPF-enabled device on such a network may discard packets transmitted along the correct path but forward packets transmitted along incorrect paths. The device provides the following two URPF modes to solve this problem:
  • Strict mode

    In strict mode, a packet passes the check only when the device has a route to the source IP address of the packet in the routing table and the inbound interface of the packet is the same as the outbound interface of that route.

    If route symmetry is ensured, you are advised to use the URPF strict mode. For example, if there is only one path between two network edge devices, URPF strict mode can be used to ensure network security.

  • Loose mode

    In loose mode, a packet passes the check as long as the device has a route to the source IP address of the packet in the routing table; the inbound interface of the packet is not required to be the same as the outbound interface of the route.

    If route symmetry is not ensured, you are advised to use the URPF loose mode. For example, if there are multiple paths between two network edge devices, URPF loose mode can be used to ensure network security and prevent the packets transmitted along the correct path from being discarded.
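As an added illustration (not part of the Huawei documentation), the following Python model implements the check described above: longest-prefix lookup of the source address, strict versus loose comparison of the inbound interface, and an allow-default-route flag modelled on the command option used in the procedure below. The routing table, interface names and packets are constructed, and the assumption that strict mode still compares the inbound interface against the outbound interface of the default route is mine.

```python
# Added example: a minimal model of the URPF decision (not device code).
import ipaddress

# Constructed routing table: (prefix, outbound interface).
ROUTES = [
    ("10.1.0.0/16", "GE0/0/1"),
    ("10.1.5.0/24", "GE0/0/2"),    # more specific route via another interface
    ("192.168.1.0/24", "GE0/0/3"),
    ("0.0.0.0/0", "GE0/0/4"),      # default route
]

def lookup(routes, src_ip):
    """Longest-prefix match; returns (network, out_iface) or None."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_check(routes, src_ip, in_iface, mode="strict", allow_default_route=False):
    """True if the packet passes the URPF check, False if it is discarded."""
    match = lookup(routes, src_ip)
    if match is None:
        return False                   # no route to the source address: discard
    net, out_iface = match
    if net.prefixlen == 0 and not allow_default_route:
        return False                   # only the default route matched: discard
    if mode == "loose":
        return True                    # any route to the source is enough
    return out_iface == in_iface       # strict: inbound must equal route's outbound

# Constructed packets: (source IP, inbound interface).
PACKETS = [
    ("10.1.5.7", "GE0/0/2"),      # symmetric path
    ("10.1.5.7", "GE0/0/1"),      # asymmetric path: arrives on the /16 route's interface
    ("172.16.0.9", "GE0/0/4"),    # only the default route matches
    ("192.168.1.3", "GE0/0/3"),
]

def evaluate(mode, allow_default_route=False):
    """Run every constructed packet through the check in the given mode."""
    return [urpf_check(ROUTES, ip, iface, mode, allow_default_route)
            for ip, iface in PACKETS]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, evaluate(mode), evaluate(mode, allow_default_route=True))
```

The second packet is the asymmetric-route case from the text: it is discarded in strict mode and accepted in loose mode.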

Procedure

For each product series, the configuration logic is given first, followed by the procedure.

Product: S5720I-SI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720S-SI, and S6720-SI

Configuration logic: Enable URPF in the system view (the preceding products support only URPF strict check).

Procedure:

  1. Run system-view

    The system view is displayed.

  2. Run urpf [ slot slot-id ]

    The global URPF is enabled.

    By default, global URPF is disabled on a device.

Product: S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S

Configuration logic: Enable URPF on the interface and configure the URPF mode.

Procedure:

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. (Optional) On an Ethernet interface, run undo portswitch

    The interface is switched to Layer 3 mode.

    By default, an Ethernet interface works in Layer 2 mode.

  4. Run urpf { loose | strict } [ allow-default-route ]

    URPF is enabled on the interface and the URPF mode is configured.

    By default, URPF is disabled on an interface.

Product: S5720-EI, S5735-S, S5735S-S, S5735-S-I, S6720-EI, and S6720S-EI

Configuration logic:
  1. Enable URPF in the system view.
  2. Enable URPF on the interface and configure the URPF mode.

Procedure:
  1. Run system-view

    The system view is displayed.

  2. Run urpf slot slot-id [ based-logic-port ]

    The global URPF is enabled.

    By default, global URPF is disabled.

    NOTE:

    If based-logic-port is specified, URPF can be configured only on logical interfaces (VLANIF interfaces or sub-interfaces), and URPF configured on Ethernet interfaces (Layer 2 or Layer 3 Ethernet interfaces) will become invalid. If based-logic-port is not specified, URPF can be configured only on Ethernet interfaces, and URPF configured on logical interfaces will become invalid.

  3. Run interface interface-type interface-number

    The interface view is displayed.

  4. (Optional) On an Ethernet interface, run undo portswitch

    The interface is switched to Layer 3 mode.

    By default, an Ethernet interface works in Layer 2 mode.

  5. Run urpf { loose | strict } [ allow-default-route ]

    URPF is enabled on the interface and the URPF mode is configured.

    By default, URPF is disabled on an interface.

    NOTE:

    Only Layer 2 Ethernet interfaces support URPF strict check.

    For the S6720-EI and S6720S-EI, even if no default route is configured, the urpf { loose | strict } allow-default-route command takes effect when the resource allocation mode is set to enhanced-ipv4 or ipv4-ipv6 6:1 using the assign resource-mode command.

    For the S5735-S-I, only URPF check in loose mode is supported. For the S5735-S and S5735S-S, V200R019C10 and later versions support only URPF check in loose mode. If URPF check in strict mode is configured in V200R019C00, the configuration will be changed to URPF check in loose mode after the version is upgraded to V200R019C10 or later.

  • Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support Ethernet sub-interfaces.

  • Only hybrid and trunk interfaces on the preceding switches support Ethernet sub-interface configuration.

  • After you run the undo portswitch command to switch Layer 2 interfaces on the preceding series of switches into Layer 3 interfaces, you can configure Ethernet sub-interfaces on the interfaces.

  • After an interface is added to an Eth-Trunk, sub-interfaces cannot be configured on the interface.

  • VLAN termination sub-interfaces cannot be created on a VCMP client.

Verifying the Configuration

Run the display this command in the system view and interface view to check whether URPF is enabled.

Copyright © Huawei Technologies Co., Ltd.