
urpf (interface view)

Function

The urpf command enables URPF on an interface and configures the URPF mode.

The undo urpf command disables URPF on an interface.

By default, URPF is disabled on an interface.

Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-S, S5735S-S, S5735-S-I, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this command.

For the S5720-EI, S6720-EI, and S6720S-EI, only Layer 2 Ethernet interfaces support URPF strict check.

Format

urpf { loose | strict } [ allow-default-route ]

undo urpf

Parameters

Parameter: loose
Description: Indicates URPF check in loose mode. A packet passes the check as long as the device has a route to the source IP address of the packet in the routing table; the inbound interface of the packet is not required to be the same as the outbound interface of that route.
Value: -

Parameter: strict
Description: Indicates URPF check in strict mode. A packet passes the check only when the device has a route to the source IP address of the packet in the routing table and the inbound interface of the packet is the same as the outbound interface of that route.
Value: -

Parameter: allow-default-route
Description: Allows the default route to count as a valid route to the source IP address of the packet. A packet whose source address is matched only by the default route can then pass the URPF check (in strict mode, only if it arrives on the outbound interface of the default route).
If this parameter is not configured, the default route is ignored during the URPF check, and a packet whose source address is matched only by the default route is discarded.
Value: -

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A Denial of Service (DoS) attack prevents legitimate users from reaching a server. The attacker floods the target with a large number of connection requests, often from forged source IP addresses, so that the server's resources are exhausted and it can no longer respond to authorized users.

URPF looks up the source IP address of each incoming packet in the routing table and checks whether the inbound interface of the packet is the same as the outbound interface of the matching route. If no route to the source IP address exists in the routing table, or the inbound interface of the packet differs from the outbound interface of the route, the packet is discarded. This blocks IP spoofing, and in particular DoS attacks that use bogus source IP addresses.

In a complicated networking environment, asymmetric routes may exist. That is, the path a packet takes from the local end to the remote end differs from the path the return traffic takes, so the routes recorded on the two ends do not match. A URPF-enabled device on such a network may then discard legitimate packets that arrive on an interface other than the one its own route to the source points to. The device provides the following two URPF modes to solve this problem:
  • Strict mode

    In strict mode, a packet passes the check only when the device has a route to the source IP address of the packet in the routing table and the inbound interface of the packet is the same as the outbound interface of that route.

    If route symmetry is ensured, you are advised to use the URPF strict mode. For example, if there is only one path between two network edge devices, URPF strict mode can be used to ensure network security.

  • Loose mode

    In loose mode, a packet passes the check as long as the device has a route to the source IP address of the packet in the routing table, and the inbound interface of the packet is not required to be the same as the outbound interface of the route.

    If route symmetry is not ensured, you are advised to use the URPF loose mode. For example, if there are multiple paths between two network edge devices, URPF loose mode can be used to ensure network security and prevent the packets transmitted along the correct path from being discarded.
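
The following Python model, added here as an illustration and not part of Huawei's documentation or VRP code, implements the check described above (loose and strict modes, with and without allow-default-route) over a constructed routing table and a handful of constructed packets. The interface names, prefixes and source addresses are invented for the demo. One assumption goes beyond the text: for an equal-cost multipath (ECMP) route, the model treats any of the route's outbound interfaces as a valid inbound interface in strict mode, which is the usual strict-RPF behaviour but is not stated on this page.

```python
"""Model of the URPF check described above (added example, not Huawei code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    # All equal-cost outbound interfaces of the route. Treating any ECMP member
    # as valid for the strict check is an assumption, not something the page states.
    out_ifaces: frozenset


def make_route(prefix: str, *ifaces: str) -> Route:
    return Route(ipaddress.IPv4Network(prefix), frozenset(ifaces))


class Urpf:
    def __init__(self, routes):
        # Longest prefix first, so the first match is the best match.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, src: str):
        """Longest-prefix match on the source address; None if no route matches."""
        addr = ipaddress.IPv4Address(src)
        for r in self.routes:
            if addr in r.prefix:
                return r
        return None

    def check(self, src: str, in_iface: str, mode: str, allow_default_route: bool = False):
        """Return (passed, reason) for one packet under the given URPF configuration."""
        if mode not in ("loose", "strict"):
            raise ValueError("mode must be 'loose' or 'strict'")
        route = self.lookup(src)
        if route is None:
            return False, "no route to source"
        # Without allow-default-route a match on 0.0.0.0/0 does not count as a route.
        if route.prefix.prefixlen == 0 and not allow_default_route:
            return False, "source matched only by the default route"
        if mode == "strict" and in_iface not in route.out_ifaces:
            return False, f"strict: arrived on {in_iface}, route points to {sorted(route.out_ifaces)}"
        return True, "pass"


# Constructed routing table for the demo (hypothetical interfaces and prefixes).
TABLE = Urpf([
    make_route("10.1.0.0/16", "GE0/0/1"),
    make_route("10.2.0.0/16", "GE0/0/2"),
    make_route("10.3.0.0/16", "GE0/0/1", "GE0/0/2"),  # ECMP route
    make_route("0.0.0.0/0", "GE0/0/3"),                # default route towards the upstream
])
# Same table without the default route, to show the "no route" case.
NO_DEFAULT = Urpf([r for r in TABLE.routes if r.prefix.prefixlen > 0])

# Constructed packets: (source address, inbound interface).
PACKETS = [
    ("10.1.5.5", "GE0/0/1"),     # legitimate, symmetric path
    ("10.1.5.5", "GE0/0/2"),     # legitimate, but asymmetric return path
    ("10.3.7.7", "GE0/0/2"),     # arrives on one member of the ECMP route
    ("203.0.113.9", "GE0/0/3"),  # Internet source arriving from the upstream
    ("203.0.113.9", "GE0/0/1"),  # Internet source spoofed from a LAN port
]


def run(table: Urpf, mode: str, allow_default_route: bool = False) -> dict:
    """Evaluate every demo packet; maps (src, in_iface) -> passed."""
    return {(src, iface): table.check(src, iface, mode, allow_default_route)[0]
            for src, iface in PACKETS}


if __name__ == "__main__":
    for mode in ("loose", "strict"):
        for adr in (False, True):
            label = f"{mode}{' allow-default-route' if adr else ''}"
            for pkt, ok in run(TABLE, mode, adr).items():
                print(f"{label:28} {pkt[0]:14} in {pkt[1]:8} -> {'pass' if ok else 'drop'}")
    for pkt, ok in run(NO_DEFAULT, "loose").items():
        print(f"{'loose, no default route':28} {pkt[0]:14} in {pkt[1]:8} -> {'pass' if ok else 'drop'}")
```

Running it shows the trade-off the text describes: strict mode drops the legitimate 10.1.5.5 packet that arrives on GE0/0/2 (asymmetric path) while loose mode accepts it; without allow-default-route every Internet source is dropped because only 0.0.0.0/0 matches it; with allow-default-route, loose mode accepts the spoofed 203.0.113.9 packet from the LAN port, whereas strict mode still drops it because the default route points to GE0/0/3.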

Prerequisites

For the S5720-EI, S5735-S, S5735S-S, S5735-S-I, S6720-EI, and S6720S-EI, configurations on the interface take effect only after global URPF is enabled using the urpf command.

Precautions

In the Eth-Trunk interface view, this command conflicts with the service type tunnel, service type multicast-tunnel, or service type vxlan-tunnel command and cannot be run in the same Eth-Trunk interface view.

For the S6720-EI and S6720S-EI, even if no default route is configured, the urpf { loose | strict } allow-default-route command takes effect when the resource allocation mode is set to enhanced-ipv4 or ipv4-ipv6 6:1 using the assign resource-mode command.

For the S5735-S-I, only URPF check in loose mode is supported. For the S5735-S and S5735S-S, V200R019C10 and later versions support only URPF check in loose mode. If URPF check in strict mode is configured in V200R019C00, the configuration will be changed to URPF check in loose mode after the version is upgraded to V200R019C10 or later.

Example

# Enable URPF strict check on a Layer 2 interface GE0/0/1 and allow the route to the source IP address of the packet to be configured as the default route.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] urpf strict allow-default-route
# Enable URPF loose check on a Layer 3 interface GE0/0/2 and allow the route to the source IP address of the packet to be configured as the default route.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] undo portswitch
[HUAWEI-GigabitEthernet0/0/2] urpf loose allow-default-route
Copyright © Huawei Technologies Co., Ltd.