ip urpf (attack defense policy view)

Function

The ip urpf command enables local URPF on an interface board.

The undo ip urpf command disables local URPF on an interface board.

By default, local URPF on an interface board is disabled.

Format

ip urpf strict

ip urpf strict allow-default

ip urpf loose

undo ip urpf

Parameters

Parameter | Description | Value
strict | Indicates URPF strict check. A packet with a matching entry in the forwarding table passes the URPF check only when the interface matches the source address. | -
allow-default | Indicates that URPF is implemented for packets matching the default route. | -
loose | Indicates URPF loose check. A packet with a matching entry (other than a default route) in the forwarding table passes the URPF check regardless of whether the interface matches the source address. | -

Views

Attack defense policy view

Default Level

2: Configuration level

Task Name and Operations

Task Name | Operations
cpu-defend | write

Usage Guidelines

Usage Scenario

The URPF check is performed, according to the configured mode, on packets received by the interface board. A packet that fails the check is discarded; a packet that passes the check is sent.
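The following Python model is an added illustration, not Huawei code or device output. It applies the strict, strict allow-default and loose rules from the Parameters table to a constructed forwarding table. The routes and interface names are made up, and failing a default-route-only match under plain strict is an assumption inferred from the allow-default description.

```python
import ipaddress

# Constructed forwarding table: (prefix, interface toward that prefix).
FIB = [
    ("0.0.0.0/0", "GE1/0/0"),      # default route
    ("10.1.0.0/16", "GE1/0/1"),
    ("10.1.2.0/24", "GE1/0/2"),
]

def lookup(fib, src):
    """Longest-prefix match on the source address; None if no entry matches."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best

def urpf_pass(fib, src, in_if, mode, allow_default=False):
    """Return True if a packet from src arriving on in_if passes the modelled check."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    hit = lookup(fib, src)
    if hit is None:
        return False                      # no entry for the source at all
    net, route_if = hit
    if net.prefixlen == 0:
        # Only the default route matches the source address.
        # loose excludes default routes; plain strict is assumed to fail here;
        # strict allow-default checks the interface against the default route.
        if mode == "strict" and allow_default:
            return in_if == route_if
        return False
    if mode == "loose":
        return True                       # interface is not compared
    return in_if == route_if              # strict: interface must match the entry

if __name__ == "__main__":
    cases = [
        ("10.1.2.5", "GE1/0/2", "strict", False),
        ("10.1.2.5", "GE1/0/1", "strict", False),
        ("10.1.2.5", "GE1/0/1", "loose", False),
        ("198.51.100.7", "GE1/0/0", "loose", False),
        ("198.51.100.7", "GE1/0/0", "strict", True),
    ]
    for src, in_if, mode, allow in cases:
        verdict = "pass" if urpf_pass(FIB, src, in_if, mode, allow) else "discard"
        print(f"{src:15} on {in_if} {mode}{' allow-default' if allow else ''}: {verdict}")
```

The second case shows why strict mode discards legitimate traffic on asymmetric paths: the source has a route, but through a different interface than the one the packet arrived on.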

Precautions

If strict URPF check is configured in the attack defense view on a sub-interface for dot1q VLAN tag termination, the URPF mode is automatically changed to loose URPF mode.

If the number of routes in load balancing mode exceeds eight, the strict URPF restriction on VPN FRR routes becomes loose.

Example

# Enable URPF strict check on the CPU in slot 1, and apply URPF to packets that match only the default route.
<HUAWEI> system-view
[~HUAWEI] cpu-defend policy 4
[*HUAWEI-cpu-defend-policy-4] ip urpf strict allow-default
[*HUAWEI-cpu-defend-policy-4] quit
[*HUAWEI] slot 1
[*HUAWEI-slot-1] cpu-defend-policy 4
Copyright © Huawei Technologies Co., Ltd.