16-uRPF commands
IPv4 uRPF commands
display ip urpf
Use display ip urpf to display uRPF configuration.
Syntax
In standalone mode:
display ip urpf interface interface-type interface-number [ slot slot-number ]
In IRF mode:
display ip urpf interface interface-type interface-number [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays uRPF configuration for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays uRPF configuration for all cards. (In IRF mode.)
Examples
# (In standalone mode.) Display uRPF configuration on the specified interface.
<Sysname> display ip urpf interface gigabitethernet 3/1/1 slot 3
uRPF configuration information of interface GigabitEthernet3/1/1(failed):
Check type: loose
Allow default route
Suppress drop ACL: 2000
Table 1 Command output
Field | Description |
---|---|
(failed) | The system failed to deliver the uRPF configuration to the forwarding chip because of insufficient chip resources. This field is not displayed if the delivery is successful. |
Check type | uRPF check mode: loose or strict. |
Allow default route | Using the default route is allowed. |
Suppress drop ACL | ACL used for drop suppression. |
ip urpf
Use ip urpf to enable uRPF.
Use undo ip urpf to disable uRPF.
Syntax
For interfaces on the CSPC-GE16XP4L-E, CSPC-GE24L-E, and CSPC-GP24GE8XP2L-E cards, SPEX cards, CSPEX cards, and CEPC cards:
ip urpf { loose [ allow-default-route ] [ acl acl-number ] | strict [ allow-default-route ] [ acl acl-number ] [ link-check ] }
undo ip urpf
For interfaces on the SPC cards and MPE-1104 cards:
ip urpf loose [ allow-default-route ]
undo ip urpf
Default
uRPF is disabled.
Views
Interface view
Predefined user roles
network-admin
Parameters
loose: Enables loose uRPF check. To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry.
strict: Enables strict uRPF check. To pass strict uRPF check, the source address and receiving interface of a packet must match the destination address and output interface of a FIB entry.
allow-default-route: Allows using the default route for uRPF check.
acl acl-number: Specifies an ACL by its number.
· For a basic ACL, the value range is 2000 to 2999.
· For an advanced ACL, the value range is 3000 to 3999.
Usage guidelines
uRPF can be deployed on a PE connected to a CE or an ISP, or on a CE.
Configure strict uRPF check for traffic that uses a symmetric path, and loose uRPF check for traffic that uses an asymmetric path. A symmetric path exists for a session if the PE uses the same interface to receive upstream traffic and send downstream traffic. The path is asymmetric if the PE uses different interfaces to receive upstream traffic and send downstream traffic.
· Typically, a symmetric path applies to traffic that goes through an ISP's PE interface connected to the CE. You can configure strict uRPF check on the PE interface.
· An asymmetric path might exist for traffic that goes through a PE interface connected to another ISP. In this case, configure loose uRPF check on the PE interface.
Typically, you do not need to configure the allow-default-route keyword on a PE device, because it has no default route pointing to a CE. If you enable uRPF on a CE interface and the CE interface has a default route pointing to the PE, specify the allow-default-route keyword.
You can use an ACL to match specific packets, so they are forwarded even if they fail to pass uRPF check.
Examples
# Configure loose uRPF check on interface GigabitEthernet 3/1/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 3/1/1
[Sysname-GigabitEthernet3/1/1] ip urpf loose
Related commands
display ip urpf
ip urpf strict
Use ip urpf strict to enable strict uRPF check for PPPoE users on a VT interface.
Use undo ip urpf strict to disable strict uRPF check for PPPoE users on a VT interface.
Syntax
ip urpf strict [ subnet-check ]
undo ip urpf strict [ subnet-check ]
Default
Strict uRPF check is enabled for all PPPoE users except leased users.
Views
VT interface view
Predefined user roles
network-admin
Parameters
subnet-check: Enables strict uRPF check for all PPPoE users including leased users on the VT interface. If you do not specify this keyword, this command does not apply to PPPoE leased users on the VT interface.
Usage guidelines
This command is supported only on the CSPC-GE16XP4L-E, CSPC-GE24L-E, and CSPC-GP24GE8XP2L-E cards, SPEX cards, CSPEX cards, and CEPC cards.
The subnet-check keyword is supported only on the CSPEX cards (except CSPEX-1104-E) and CEPC cards.
uRPF enabled on a VT interface checks traffic of PPPoE users for packet validity on the interface.
If you do not specify the subnet-check keyword, strict uRPF checks traffic of all PPPoE users except leased users for packet validity based on source IP address.
If you specify the subnet-check keyword, strict uRPF checks traffic of all PPPoE users including leased users for packet validity. The packet validity check is based on the Framed-Route or Framed-IP-Netmask RADIUS attribute.
Examples
# Enable strict uRPF check for all PPPoE users except leased users on Virtual-Template 100.
<Sysname> system-view
[Sysname] interface virtual-template 100
[Sysname-Virtual-Template100] ip urpf strict
IPv6 uRPF commands
display ipv6 urpf
Use display ipv6 urpf to display IPv6 uRPF configuration.
Syntax
In standalone mode:
display ipv6 urpf interface interface-type interface-number [ slot slot-number ]
In IRF mode:
display ipv6 urpf interface interface-type interface-number [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv6 uRPF configuration for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IPv6 uRPF configuration for all cards. (In IRF mode.)
Examples
# (In standalone mode.) Display IPv6 uRPF configuration on the specified interface.
<Sysname> display ipv6 urpf interface gigabitethernet 3/1/1 slot 3
IPv6 uRPF configuration information of interface GigabitEthernet3/1/1(failed):
Check type: loose
Allow default route
Suppress drop ACL: 2000
Table 2 Command output
Field | Description |
---|---|
(failed) | The system failed to deliver the IPv6 uRPF configuration to the forwarding chip because of insufficient chip resources. This field is not displayed if the delivery is successful. |
Check type | IPv6 uRPF check mode: loose or strict. |
Allow default route | Using the default route is allowed. |
Suppress drop ACL | IPv6 ACL used for drop suppression. |
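The (failed) marker in Table 1 and Table 2 means the interface is configured for uRPF but the forwarding chip is not enforcing it, so it is worth checking for in collected output. The following script is an added example, not part of the original command reference: it parses display ip urpf and display ipv6 urpf output and reports interfaces in that state or with a drop-suppression ACL. The sample text is constructed from the Examples on this page, and the function names are hypothetical.

```python
import re

# Constructed sample: two outputs concatenated, laid out like the Examples above.
SAMPLE = """\
uRPF configuration information of interface GigabitEthernet3/1/1(failed):
   Check type: loose
   Allow default route
   Suppress drop ACL: 2000
IPv6 uRPF configuration information of interface GigabitEthernet3/1/2:
   Check type: strict
"""

HEADER = re.compile(
    r"^(?P<v6>IPv6 )?uRPF configuration information of interface "
    r"(?P<ifname>\S+?)(?P<failed>\(failed\))?:$"
)

def parse_urpf(text):
    """Parse display ip urpf / display ipv6 urpf output into a list of dicts."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = {"family": "ipv6" if m["v6"] else "ipv4",
                   "interface": m["ifname"],
                   "delivered": m["failed"] is None,  # no "(failed)" suffix
                   "check_type": None, "allow_default_route": False, "acl": None}
            records.append(cur)
        elif cur is None:
            continue  # text before the first header line is ignored
        elif line.startswith("Check type:"):
            cur["check_type"] = line.split(":", 1)[1].strip()
        elif line == "Allow default route":
            cur["allow_default_route"] = True
        elif line.startswith("Suppress drop ACL:"):
            cur["acl"] = int(line.split(":", 1)[1])
    return records

def audit(records):
    """Return (interface, finding) pairs that need follow-up."""
    findings = []
    for r in records:
        if not r["delivered"]:
            findings.append((r["interface"], "not delivered to forwarding chip"))
        if r["acl"] is not None:
            findings.append((r["interface"], f"ACL {r['acl']} suppresses drops"))
    return findings
```
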
ipv6 urpf
Use ipv6 urpf to enable IPv6 uRPF.
Use undo ipv6 urpf to disable IPv6 uRPF.
Syntax
For interfaces on the CSPC-GE16XP4L-E, CSPC-GE24L-E, and CSPC-GP24GE8XP2L-E cards, SPEX cards, CSPEX cards, and CEPC cards:
ipv6 urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]
undo ipv6 urpf
For interfaces on the SPC cards and MPE-1104 cards:
ipv6 urpf loose [ allow-default-route ]
undo ipv6 urpf
Default
IPv6 uRPF is disabled.
Views
Interface view
Predefined user roles
network-admin
Parameters
loose: Enables loose IPv6 uRPF check. To pass loose IPv6 uRPF check, the source address of a packet must match the destination address of an IPv6 FIB entry.
strict: Enables strict IPv6 uRPF check. To pass strict IPv6 uRPF check, the source address and receiving interface of a packet must match the destination address and output interface of an IPv6 FIB entry.
allow-default-route: Allows using the default route for IPv6 uRPF check.
acl acl-number: Specifies an IPv6 ACL by its number.
· For a basic IPv6 ACL, the value range is 2000 to 2999.
· For an advanced IPv6 ACL, the value range is 3000 to 3999.
Usage guidelines
IPv6 uRPF can be deployed on a CE or on a PE connected to either a CE or an ISP.
Configure strict IPv6 uRPF check for traffic that uses a symmetric path, and loose IPv6 uRPF check for traffic that uses an asymmetric path. A symmetric path exists for a session if the PE uses the same interface to receive upstream traffic and send downstream traffic. The path is asymmetric if the PE uses different interfaces to receive upstream traffic and send downstream traffic.
· Typically, a symmetric path applies to traffic that goes through an ISP's PE interface connected to the CE. You can configure strict IPv6 uRPF check on the PE interface.
· An asymmetric path might exist for traffic that goes through a PE interface connected to another ISP. In this case, configure loose IPv6 uRPF check on the PE interface.
Typically, you do not need to configure the allow-default-route keyword on a PE device, because it has no default route pointing to a CE. If you enable uRPF on a CE interface and the CE interface has a default route pointing to the PE, specify the allow-default-route keyword.
You can use an ACL to match specific packets, so they are forwarded even if they fail to pass IPv6 uRPF check.
Examples
# Configure loose IPv6 uRPF check on GigabitEthernet 3/1/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 3/1/1
[Sysname-GigabitEthernet3/1/1] ipv6 urpf loose
Related commands
display ipv6 urpf
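The loose, strict, allow-default-route and acl parameters of ip urpf and ipv6 urpf interact, and the result for a given packet is easiest to see against a concrete FIB. The following model is an added example, not the device's implementation: it assumes a longest-prefix lookup on the source address and represents the drop-suppression ACL as a list of source prefixes. The FIB, interface labels and function name are constructed for illustration.

```python
import ipaddress

# Constructed FIB for illustration: (destination prefix, output interface).
FIB = [
    ("192.0.2.0/24", "GE3/1/1"),
    ("198.51.100.0/24", "GE3/1/2"),
    ("0.0.0.0/0", "GE3/1/2"),
    ("2001:db8:1::/48", "GE3/1/1"),
]

def urpf_check(src, in_if, fib, mode, allow_default_route=False, acl=()):
    """Model the uRPF decision: return 'pass', 'suppressed' or 'drop'.

    acl stands in for the drop-suppression ACL and is modelled as a list of
    source prefixes (an assumption; a real ACL can carry more match criteria).
    """
    addr = ipaddress.ip_address(src)
    # Assumption: the lookup is a longest-prefix match on the source address.
    nets = [(ipaddress.ip_network(p), oif) for p, oif in fib]
    hits = [(n, oif) for n, oif in nets if addr in n]  # other family never matches
    ok = False
    if hits:
        best_len = max(n.prefixlen for n, _ in hits)
        best = [oif for n, oif in hits if n.prefixlen == best_len]
        # A /0 match is the default route; it counts only with allow-default-route.
        if best_len > 0 or allow_default_route:
            # loose: any matching entry; strict: the entry must point out in_if.
            ok = mode == "loose" or in_if in best
    if ok:
        return "pass"
    if any(addr in ipaddress.ip_network(a) for a in acl):
        return "suppressed"  # failed the check but forwarded because of the ACL
    return "drop"

if __name__ == "__main__":
    for src, in_if, mode in [("192.0.2.10", "GE3/1/1", "strict"),
                             ("192.0.2.10", "GE3/1/2", "strict"),
                             ("192.0.2.10", "GE3/1/2", "loose"),
                             ("203.0.113.5", "GE3/1/2", "loose")]:
        print(src, in_if, mode, urpf_check(src, in_if, FIB, mode))
```

The second case is the asymmetric-path situation from the usage guidelines: a valid source arriving on a different interface is dropped under strict check and passes under loose check.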
ipv6 urpf strict subnet-check
Use ipv6 urpf strict subnet-check to enable strict IPv6 uRPF check for PPPoE users including leased users on a VT interface.
Use undo ipv6 urpf strict subnet-check to disable strict IPv6 uRPF check for PPPoE users including leased users on a VT interface.
Syntax
ipv6 urpf strict subnet-check
undo ipv6 urpf strict subnet-check
Default
Strict IPv6 uRPF check is disabled for all PPPoE users.
Views
VT interface view
Predefined user roles
network-admin
Usage guidelines
This command is supported only on the CSPEX cards (except CSPEX-1104-E) and CEPC cards.
Strict IPv6 uRPF enabled on a VT interface checks traffic of all PPPoE users including leased users for packet validity on the interface. The packet validity check is based on the Framed-Route or Framed-IP-Netmask RADIUS attribute.
Examples
# Enable strict IPv6 uRPF check for all PPPoE users including leased users on Virtual-Template 100.
<Sysname> system-view
[Sysname] interface virtual-template 100
[Sysname-Virtual-Template100] ipv6 urpf strict subnet-check