
urpf (system view)

Function

The urpf command enables global URPF.

The undo urpf command disables global URPF.

By default, the switch does not enable global URPF.

Only S5720-EI, S5720I-SI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730S-EI, S5730-SI, S6720-EI, S6720S-EI, S6720S-SI, and S6720-SI support this command.

Format

For S5720I-SI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720S-SI, and S6720-SI:

urpf [ slot slot-id ]

undo urpf [ slot slot-id ]

For S5720-EI, S5735-S, S5735S-S, S5735-S-I, S6720-EI, and S6720S-EI:

urpf slot slot-id [ based-logic-port ]

undo urpf slot slot-id [ based-logic-port ]

Parameters

Parameter: slot slot-id
Description:
  • Specifies the slot ID if stacking is not configured.
  • Specifies the stack ID if stacking is configured.
Value: Set the value according to the device configuration.

Parameter: based-logic-port
Description:
  • If this parameter is specified, the URPF check configured on logical interfaces (VLANIF interfaces and subinterfaces) takes effect, and the URPF check configured on Ethernet interfaces (Layer 2 and Layer 3 Ethernet interfaces) does not take effect.
  • If this parameter is not specified, the URPF check configured on Ethernet interfaces takes effect, and the URPF check configured on logical interfaces does not take effect.
Value: -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A Denial of Service (DoS) attack prevents users from connecting to a server. A DoS attack aims to exhaust the server's resources by sending a large number of connection requests to a specified server, so that the attacked server cannot respond to authorized users.

URPF looks up the route to the source IP address of a packet in the routing table and checks whether the inbound interface of the packet is the same as the outbound interface of that route. If no route to the source IP address exists in the routing table, or the inbound interface of the packet differs from the outbound interface of the route, the packet is discarded. This prevents IP spoofing attacks, especially DoS attacks that use bogus source IP addresses.

In a complicated networking environment, asymmetric routes may exist. That is, the route recorded on the local end differs from the route recorded on the remote end. A URPF-enabled device on such a network may discard packets transmitted along the correct path but forward packets transmitted along incorrect paths. The device provides the following two URPF modes to solve this problem:
  • Strict mode

    In strict mode, a packet passes the check only when the device has a route to the source IP address of the packet in its routing table and the inbound interface of the packet is the same as the outbound interface of that route.

    If route symmetry is ensured, you are advised to use the URPF strict mode. For example, if there is only one path between two network edge devices, URPF strict mode can be used to ensure network security.

  • Loose mode

    In loose mode, a packet passes the check as long as the device has a route to the source IP address of the packet in its routing table; the inbound interface of the packet is not required to be the same as the outbound interface of the route.

    If route symmetry is not ensured, you are advised to use the URPF loose mode. For example, if there are multiple paths between two network edge devices, URPF loose mode can be used to ensure network security and prevent the packets transmitted along the correct path from being discarded.
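As an added illustration that is not part of Huawei's documentation or software, the following Python model implements the strict and loose checks described above against a constructed routing table. The prefixes, interface names and sample packets are assumptions chosen to show the asymmetric-route case.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table for the example (not from the page):
# destination prefix -> outbound interface of the route.
ROUTES = {
    "10.1.0.0/16":    "GE0/0/1",
    "10.1.5.0/24":    "GE0/0/2",   # more specific route, reached via a different port
    "192.168.0.0/16": "Vlanif10",
}

def lookup_route(src, routes=ROUTES):
    """Longest-prefix match on the packet's source address.
    Returns the outbound interface of the matching route, or None if no route exists."""
    addr = ip_address(src)
    best_net, best_iface = None, None
    for prefix, iface in routes.items():
        net = ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface

def urpf_check(src, inbound, mode="strict", routes=ROUTES):
    """Return True if the packet passes URPF, False if the device discards it.
    strict: a route to src must exist AND its outbound interface must equal inbound.
    loose:  a route to src must exist; the interface is not compared."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    out_iface = lookup_route(src, routes)
    if out_iface is None:          # no route to the source: fails in both modes
        return False
    if mode == "loose":
        return True
    return out_iface == inbound    # strict: inbound interface must also match

def filter_packets(packets, mode, routes=ROUTES):
    """Apply the check to (src, inbound) pairs; returns the sources that were discarded."""
    return [src for src, inbound in packets if not urpf_check(src, inbound, mode, routes)]

if __name__ == "__main__":
    # Constructed packets: 10.1.5.7 arrives on GE0/0/1 although the route back to it
    # points to GE0/0/2 (asymmetric routing); 172.16.1.1 has no route at all.
    PACKETS = [("10.1.2.3", "GE0/0/1"), ("10.1.5.7", "GE0/0/1"), ("172.16.1.1", "GE0/0/3")]
    print("strict drops:", filter_packets(PACKETS, "strict"))  # asymmetric + unrouted
    print("loose drops: ", filter_packets(PACKETS, "loose"))   # only the unrouted one
```

Strict mode discards the legitimate but asymmetrically routed 10.1.5.7 packet along with the unrouted one, while loose mode discards only the packet whose source has no route.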

Precautions

  • Enabling or disabling global URPF affects packet forwarding for a short period of time.
  • The S5720I-SI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720S-SI, and S6720-SI only support URPF strict check.
  • For the S5720I-SI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720S-SI, and S6720-SI, after a stack is set up, if slot slot-id is not specified when the urpf (system view) command is executed, URPF takes effect only on the master switch.

  • For the S5720-EI, S6720-EI, and S6720S-EI, the number of FIB entries is reduced by half if URPF is enabled. You are advised to enable URPF before services are deployed. If you need to enable URPF after services are deployed, configure URPF when less traffic is transmitted and ensure that network requirements are still met with the number of FIB entries reduced by half.
  • If both the urpf slot slot-id and urpf slot slot-id based-logic-port commands are executed, the last configured one takes effect.

Follow-up Procedure

For the S5720-EI, S5735-S, S5735S-S, S5735-S-I, S6720-EI, and S6720S-EI, run the urpf command to enable URPF on an interface and configure the URPF mode.

Example

# Enable global URPF on the device.

<HUAWEI> system-view
[HUAWEI] urpf slot 0
Warning: Changing the global URPF status may interrupt some services for several seconds and FIB entries supported may be reduced. Continue? [Y/N]:y

# Change URPF from Ethernet interface-based to logical interface-based.

<HUAWEI> system-view
[HUAWEI] urpf slot 0 based-logic-port
Warning: Changing the global URPF status may interrupt some services for several seconds and FIB entries supported may be reduced. Continue? [Y/N]: y
Warning: The global URPF mode will be changed from physical interface-based to logical interface-based. The URPF configuration on all Layer 2 or Layer 3 physical interfaces of the card will become invalid. Are you sure to continue? [Y/N]: y

# Change URPF from logical interface-based to Ethernet interface-based.

<HUAWEI> system-view
[HUAWEI] urpf slot 0
Warning: Changing the global URPF status may interrupt some services for several seconds and FIB entries supported may be reduced. Continue? [Y/N]: y
Warning: The global URPF mode will be changed from logical interface-based to physical interface-based. The URPF configuration on all sub-interfaces or VLANIF interfaces of the card will become invalid. Are you sure to continue? [Y/N]: y
Copyright © Huawei Technologies Co., Ltd.