Unicast Reverse Path Forwarding (URPF) looks up the source IP address of a packet in the routing table and checks whether the inbound interface of the packet matches the outbound interface of the route found. If the routing table has no route to the source IP address, or the inbound interface of the packet differs from the outbound interface of the route, URPF discards the packet to prevent IP spoofing. This policy is effective against DoS attacks that use forged source IP addresses.
Strict mode
In this mode, the route to the source IP address of a packet must exist in the routing table, and the inbound interface of the packet must be the same as the outbound interface of the route.
The strict mode is recommended if route symmetry is ensured. For example, if there is only one path between two network edge switches, the strict mode can help ensure network security.
Loose mode
In this mode, the route to the source IP address of a packet must exist in the routing table, and the inbound interface of the packet may not be the same as the outbound interface of the route.
The loose mode is recommended if route symmetry is not ensured. For example, if there are multiple paths between two network edge switches, the loose mode can help defend against network attacks and prevent valid packets from being discarded.
Enable URPF in strict mode on the Layer 2 interface GE1/0/1, and allow the route to the source IP address of a packet to be the default route.
<HUAWEI> system-view
[HUAWEI] interface GigabitEthernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] urpf strict allow-default-route
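The check performed by the strict and loose modes above, and the effect of allowing the default route to satisfy it, can be modelled in a few lines. The following Python simulation is an added example and is not Huawei code or the switch's actual implementation; the routing table, interface names (GE1/0/1 to GE1/0/3) and sample source addresses are constructed for illustration, and the default route is treated as the 0.0.0.0/0 entry.

```python
import ipaddress

# Constructed routing table: (prefix, outbound interface).
# The 0.0.0.0/0 entry is the default route used to show allow-default-route.
ROUTES = [
    (ipaddress.ip_network("10.1.0.0/16"), "GE1/0/1"),
    (ipaddress.ip_network("10.2.0.0/16"), "GE1/0/2"),
    (ipaddress.ip_network("0.0.0.0/0"), "GE1/0/3"),  # default route (assumed)
]


def lookup(src, routes=ROUTES):
    """Longest-prefix match for the source address.

    Returns (prefix, outbound interface) or None if no route matches.
    """
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(src, in_iface, mode="strict", allow_default_route=False, routes=ROUTES):
    """Return True if the packet passes URPF, False if it should be discarded.

    strict: a route to the source must exist and its outbound interface must
            equal the packet's inbound interface.
    loose:  a route to the source must exist; the interface may differ.
    allow_default_route: whether a match on the default route counts as a route.
    """
    match = lookup(src, routes)
    if match is None:
        return False  # no route to the source IP: discard
    net, out_iface = match
    if net.prefixlen == 0 and not allow_default_route:
        return False  # only the default route matched and that is not allowed
    if mode == "strict":
        return out_iface == in_iface
    if mode == "loose":
        return True
    raise ValueError("mode must be 'strict' or 'loose'")


def evaluate_packets(mode, allow_default_route=False):
    """Run a constructed batch of packets through the check; returns verdicts."""
    # (source address, inbound interface) pairs; the second one is a spoofed
    # source arriving on the wrong interface, the third has no specific route.
    packets = [
        ("10.1.5.5", "GE1/0/1"),
        ("10.1.5.5", "GE1/0/2"),
        ("192.0.2.1", "GE1/0/1"),
    ]
    return [
        (src, iface, "forward" if urpf_check(src, iface, mode, allow_default_route) else "discard")
        for src, iface in packets
    ]


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        for allow in (False, True):
            print(f"mode={mode} allow-default-route={allow}")
            for src, iface, verdict in evaluate_packets(mode, allow):
                print(f"  {src:12} in {iface}: {verdict}")
```

Running the script shows why the page recommends strict mode only on symmetric paths: the same source address arriving on GE1/0/2 is discarded in strict mode but forwarded in loose mode, and a source reachable only through the default route is discarded in both modes unless allow-default-route is set.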