ip urpf (interface view)

Function

The ip urpf command enables URPF check in the interface view.

The undo ip urpf command disables URPF check in the interface view.

By default, URPF check is disabled.

Format

ip urpf strict

ip urpf strict allow-default

ip urpf loose

ip urpf loose allow-default

ip urpf { loose | strict } [ allow-default ] statistics enable

undo ip urpf

Parameters

| Parameter | Description | Value |
|---|---|---|
| strict | Indicates URPF strict check. After receiving a packet, a router searches for the interface board slot ID, interface number, and VLAN ID (only for VLAN packets) information corresponding to the source IP address of the packet in the FIB table, and matches the obtained interface board slot ID, interface number, and VLAN ID information against the information of the packet. If they match, the router forwards the packet; if they do not match, the router discards the packet. | - |
| allow-default | Enables the device to forward the packets that pass the URPF check and match the default route. | - |
| loose | Indicates URPF loose check. After receiving a packet, a router uses the source IP address in the packet as the destination address, and searches the FIB table for an outbound interface mapped to the destination IP address. If the outbound interface is found, the router forwards the packet; if the outbound interface is not found, the router discards the packet. | - |
| statistics | Indicates the URPF statistics function. | - |
| enable | Enables the URPF statistics function. | - |

Views

100GE interface view, 10G LAN interface view, 10G WAN interface view, 40GE interface view, Eth-Trunk sub-interface view, Eth-Trunk interface view, GE optical interface view, GE electrical interface view, VBDIF interface view, VLANIF interface view

Default Level

2: Configuration level

Task Name and Operations

| Task Name | Operations |
|---|---|
| device-mgr | write |

Usage Guidelines

Usage Scenario

Generally, when receiving a packet, a router obtains the destination address of the packet and searches the forwarding table for a route to the destination address. If a route to the destination address is found, the packet is forwarded; otherwise, the packet is discarded. When a packet is received on a URPF-enabled interface, the interface obtains the source address and inbound interface of the packet, uses the source address as the destination address to look up the corresponding interface in the forwarding table, and then compares the interface found with the inbound interface. If the two interfaces do not match, the interface treats the source address as spoofed and discards the packet. In this manner, URPF can effectively protect against malicious attacks by blocking packets with bogus source addresses.

Precautions

When URPF check is configured in the interface view, it is performed on all the traffic on the interface.

The device checks the FIB table based on the source IP address of the received packet. If the packet matches the default route, run the ip urpf { loose | strict } allow-default command to allow the packet to pass the URPF check.

On a dot1q termination sub-interface, if strict URPF check is configured in the interface view, the URPF mode is automatically changed to loose URPF.

If more than eight routes are used for load balancing, the strict URPF restrictions on VPN FRR routes become loose.
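
The strict and loose checks described above, modelled in Python as an added example (not Huawei's implementation). The FIB entries and interface names are constructed, only the interface name is compared (slot ID and VLAN ID are not modelled), and dropping a packet whose source matches only the default route when allow-default is absent is an assumption.

```python
import ipaddress

# Constructed FIB for illustration: (prefix, outbound interface).
FIB = [
    ("0.0.0.0/0", "GE0/1/0"),      # default route
    ("10.1.0.0/16", "GE0/1/0"),
    ("10.2.0.0/16", "GE0/1/8"),
]

def fib_lookup(fib, address):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, interface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, interface)
    return best

def urpf_check(fib, src, in_interface, mode, allow_default=False):
    """Return True if the packet passes the URPF check, False if it is dropped."""
    hit = fib_lookup(fib, src)
    if hit is None:
        return False  # no route back to the source: dropped in both modes
    net, interface = hit
    # Assumption: a source matched only by the default route fails the check
    # unless allow-default is configured.
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True   # any route to the source is enough
    if mode == "strict":
        return interface == in_interface  # route must point back out the inbound interface
    raise ValueError(f"unknown mode: {mode}")

if __name__ == "__main__":
    # Source 10.2.5.5 is routed via GE0/1/8 but arrives on GE0/1/0.
    for mode in ("strict", "loose"):
        print(mode, urpf_check(FIB, "10.2.5.5", "GE0/1/0", mode))
```
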

Example

# Enable URPF strict check on GE 0/1/0 and enable the packets matching the default route to be forwarded.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 0/1/0
[*HUAWEI-GigabitEthernet0/1/0] ip urpf strict allow-default

# Enable URPF loose check on GE 0/1/8 and enable the interface statistics function.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 0/1/8
[*HUAWEI-GigabitEthernet0/1/8] ip urpf loose allow-default statistics enable
Copyright © Huawei Technologies Co., Ltd.