ip verify source-address

Function

The ip verify source-address command enables a source address validity check on packets received on an interface so that packets with an invalid source address are dropped.

The undo ip verify source-address command cancels the configuration.

By default, an interface does not perform a source address validity check on received packets.

Format

ip verify source-address

undo ip verify source-address

Parameters

None

Views

100GE sub-interface view, 100GE interface view, 10GE sub-interface view, 10GE interface view, 200GE sub-interface view, 25GE sub-interface view, 25GE interface view, 400GE sub-interface view, 400GE interface view, 40GE sub-interface view, 40GE interface view, 50GE sub-interface view, 50GE interface view, Eth-Trunk sub-interface view, Eth-Trunk interface view, FlexE interface view, GE optical interface view, GE sub-interface view, GE interface view, GE electrical interface view, GMPLS-UNI interface view, Global VE sub-interface view, LMP interface view, Loopback interface view, MTI interface view, Mtunnel view, PW-VE sub-interface view, PW-VE interface view, Tunnel interface view, VBDIF interface view, VE sub-interface view, VLANIF interface view, Management interface view, Virtual template view

Default Level

2: Configuration level

Task Name and Operations

Task Name | Operations
ip-stack  | write

Usage Guidelines

Usage Scenario

Standard protocols define the IP source address scope as follows:

  • Broadcast addresses of Class A through Class C cannot be used as the source address.
  • Class D addresses, which are used for IP multicasting, cannot be used as the source address.
  • Class E addresses are reserved for experimental use and therefore cannot be used as the source address.
  • All-Fs addresses cannot be used as the source address.
  • Addresses on network 127 cannot be used as the source address on the network outside the host.

In practice, these addresses may still be used as source addresses. For example, Class A through Class C addresses may have a 32-bit mask, and the broadcast addresses of Class A through Class E are available. The source address filtering function is therefore disabled by default.

If a device is found to be under attack from malicious packets whose source address is a broadcast or multicast address, run the ip verify source-address command to filter packets with such source addresses and improve device security.
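The address rules listed above can be expressed as a Python check and run over source addresses taken from a capture or flow export to see which packets the feature targets. This is an added example, not Huawei code and not the device's implementation; the function names, the sample addresses, and the use of the natural classful mask for the broadcast rule are assumptions.

```python
import ipaddress
from collections import Counter


def invalid_source_reason(addr):
    """Return which rule from the list above an IPv4 source violates, or None."""
    ip = int(ipaddress.IPv4Address(addr))
    first = ip >> 24                      # first octet decides the address class
    if ip == 0xFFFFFFFF:
        return "all-Fs"
    if first == 127:
        return "network 127"
    if first >= 240:
        return "class E"
    if first >= 224:
        return "class D"
    # Assumption: "broadcast" means all host bits set under the natural mask
    # (Class A = 24 host bits, Class B = 16, Class C = 8). Subnet-directed
    # broadcasts such as 10.1.2.255 are not matched by this rule.
    host_bits = 24 if first < 128 else 16 if first < 192 else 8
    host_mask = (1 << host_bits) - 1
    if ip & host_mask == host_mask:
        # Such an address can be legitimate when configured with a 32-bit
        # mask, so treat a hit as a candidate for review.
        return "class A-C broadcast"
    return None


def summarize(sources):
    """Count rule violations across an iterable of source addresses."""
    return Counter(r for r in map(invalid_source_reason, sources) if r)


# Constructed sample of source addresses, as might be exported from a capture.
SAMPLE_SOURCES = [
    "192.0.2.10",        # ordinary unicast
    "192.0.2.255",       # Class C broadcast
    "172.16.255.255",    # Class B broadcast
    "10.255.255.255",    # Class A broadcast
    "10.1.2.255",        # not a classful broadcast
    "224.0.0.5",         # Class D (multicast)
    "240.0.0.1",         # Class E
    "255.255.255.255",   # all Fs
    "127.0.0.1",         # network 127
]

if __name__ == "__main__":
    for reason, count in summarize(SAMPLE_SOURCES).items():
        print(f"{reason}: {count}")
```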

Example

# Enable source address validity check on the packets received from the GE interface 0/1/0.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 0/1/0
[~HUAWEI-GigabitEthernet0/1/0] ip verify source-address
Copyright © Huawei Technologies Co., Ltd.