Configuring Flow-based URPF

By configuring flow-based URPF, you can perform URPF check for flows of certain types on an interface. In this manner, you can prevent the packets of these types from starting source address spoofing attacks.

Usage Scenario

To prevent network attacks based on source address spoofing, you need to configure URPF and check whether the source address of the packets matches the inbound interface. If the source IP address matches the inbound interface, the source IP address is considered as legal and the packet is allowed to pass; otherwise, the source IP address is considered as a pseudo one and the packet is discarded.

If you need to prevent flows of certain types from starting source address spoofing attacks, you need to configure flow-based URPF.

Pre-configuration Tasks

Before configuring flow-based URPF, complete the following task:

Parameters of the link layer protocol and IP addresses have been configured for the interfaces and the link layer protocol on the interfaces is Up.

Configuring Traffic Classifiers: You need to define traffic classifiers when configuring traffic classification. Traffic classifiers can be defined on the basis of the ACL, IP precedence, protocol type, MAC address, and protocol address.

Configuring Traffic Behaviors: When the routes between the interface under URPF check and the source address of the packet are symmetrical, you need to adopt URPF check in strict mode; Otherwise, you need to adopt URPF check in loose mode.

Configuring a Traffic Policy: After being classified, the traffic must be associated with the traffic behavior. In this manner, a traffic policy can be formed.

Applying the Traffic Policy: After being formed, the traffic policy must be applied on the interface. The configured traffic behaviors take effect only after the traffic passing through the interface matches the traffic classification rule.