Contents

IPv4 uRPF commands· 1

display ip urpf 1

ip urpf 1

IPv4 uRPF commands

display ip urpf

Use display ip urpf to display uRPF configuration.

Syntax

display ip urpf [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays uRPF configuration for all member devices.

Examples

# Display uRPF configuration for the specified slot.

<Sysname> display ip urpf slot 1

Global uRPF configuration information(failed):

   Check type: strict

Table 1 Command output

‌

ip urpf

Use ip urpf to enable uRPF.

Use undo ip urpf to disable uRPF.

Syntax

ip urpf { loose [ allow-default-route ] [ acl acl-number ] | strict [ allow-default-route ] [ acl acl-number ] [ link-check ] }

undo ip urpf

Default

uRPF is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

loose: Enables loose uRPF check. To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry.

strict: Enables strict uRPF check. To pass strict uRPF check, the source address and receiving interface of a packet must match the destination address and output interface of a FIB entry.

allow-default-route: Allows using the default route for uRPF check.

acl acl-number: Specifies an ACL by its number.

·     For a basic ACL, the value range is 2000 to 2999.

·     For an advanced ACL, the value range is 3000 to 3999.

link-check: Enables link layer check (Ethernet link). This keyword is not supported in VT interface view.

Usage guidelines

uRPF can be deployed on a PE connected to a CE or an ISP, or on a CE.

Configure strict uRPF check for traffic that uses symmetric path and configure loose uRPF check for traffic that uses asymmetric path. A symmetric path exists for a session if the PE uses the same interface to receive upstream traffic and send downstream traffic. The path is asymmetric if the PE uses different interfaces to receive upstream traffic and send downstream traffic.

·     Typically, symmetric path applies to traffic that goes through an ISP's PE interface connected to the CE. You can configure strict uRPF check on the PE interface where the PE interface resides.

·     Asymmetric path might exist for traffic that goes through a PE interface connected to another ISP. In this case, configure loose uRPF check on the PE interface where the PE interface resides.

Typically, you do not need to configure the allow-default-route keyword on a PE device, because it has no default route pointing to a CE. If you enable uRPF on a CE interface and the CE interface has a default route pointing to the PE, specify the allow-default-route keyword. If you enable uRPF on a security zone where the CE interface resides and the security zone has a default route pointing to the PE, specify the allow-default-route keyword.

If a Layer 3 PE interface connects to a large number of PCs, configure the link-check keyword on the interface to enable link layer check. uRPF checks the validity of the source MAC address.

You can use an ACL to match specific packets, so they are forwarded even if they fail to pass uRPF check.

If the specified ACL does not exist or does not contain rules, the ACL cannot match any packets.

If the vpn-instance keyword is specified in an ACL rule, the rule applies only to VPN packets. If the vpn-instance keyword is not specified in an ACL rule, the rule applies only to public network packets.

Examples

# Enable strict uRPF check globally.

<Sysname> system-view

[Sysname] ip urpf strict

Related commands

display ip urpf